ai_root_shield 0.4.0 → 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +52 -4
- data/README.md +191 -14
- data/bindings/python/README.md +304 -0
- data/bindings/python/ai_root_shield.py +438 -0
- data/bindings/python/setup.py +65 -0
- data/examples/device_logs/android_safetynet_device.json +148 -0
- data/examples/device_logs/ios_jailbroken_device.json +172 -0
- data/exe/ai_root_shield +220 -7
- data/lib/ai_root_shield/ci_cd/security_test_module.rb +743 -0
- data/lib/ai_root_shield/dashboard/web_dashboard.rb +441 -0
- data/lib/ai_root_shield/enterprise/alert_system.rb +601 -0
- data/lib/ai_root_shield/enterprise/hybrid_detection_engine.rb +650 -0
- data/lib/ai_root_shield/enterprise/performance_optimizer.rb +613 -0
- data/lib/ai_root_shield/enterprise/policy_manager.rb +637 -0
- data/lib/ai_root_shield/integrations/siem_connector.rb +695 -0
- data/lib/ai_root_shield/platform/android_security_module.rb +263 -0
- data/lib/ai_root_shield/platform/hardware_security_analyzer.rb +452 -0
- data/lib/ai_root_shield/platform/ios_security_module.rb +513 -0
- data/lib/ai_root_shield/platform/unified_report_generator.rb +613 -0
- data/lib/ai_root_shield/version.rb +1 -1
- data/lib/ai_root_shield.rb +152 -1
- data/security_test_artifacts/security_report.json +124 -0
- data/security_test_artifacts/security_results.sarif +16 -0
- data/security_test_artifacts/security_tests.xml +3 -0
- metadata +20 -1
|
@@ -0,0 +1,452 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'json'
|
|
4
|
+
require 'digest'
|
|
5
|
+
|
|
6
|
+
module AiRootShield
|
|
7
|
+
module Platform
|
|
8
|
+
# Cross-platform hardware security analyzer for TEE/SE and biometric consistency
|
|
9
|
+
class HardwareSecurityAnalyzer
|
|
10
|
+
# Hardware security levels
|
|
11
|
+
SECURITY_LEVELS = {
|
|
12
|
+
none: 0,
|
|
13
|
+
software: 1,
|
|
14
|
+
trusted_environment: 2,
|
|
15
|
+
secure_element: 3,
|
|
16
|
+
strongbox: 4
|
|
17
|
+
}.freeze
|
|
18
|
+
|
|
19
|
+
# Biometric authentication types
|
|
20
|
+
BIOMETRIC_TYPES = {
|
|
21
|
+
fingerprint: 'fingerprint',
|
|
22
|
+
face: 'face',
|
|
23
|
+
iris: 'iris',
|
|
24
|
+
voice: 'voice',
|
|
25
|
+
palm: 'palm'
|
|
26
|
+
}.freeze
|
|
27
|
+
|
|
28
|
+
def initialize
|
|
29
|
+
@hardware_cache = {}
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
# Comprehensive hardware security analysis
|
|
33
|
+
def analyze_hardware_security(device_logs, platform)
|
|
34
|
+
results = {
|
|
35
|
+
platform: platform,
|
|
36
|
+
tee_analysis: analyze_trusted_execution_environment(device_logs, platform),
|
|
37
|
+
secure_element_analysis: analyze_secure_element(device_logs, platform),
|
|
38
|
+
biometric_analysis: analyze_biometric_consistency(device_logs, platform),
|
|
39
|
+
hardware_attestation: analyze_hardware_attestation(device_logs, platform),
|
|
40
|
+
crypto_capabilities: analyze_crypto_capabilities(device_logs, platform),
|
|
41
|
+
tamper_detection: analyze_tamper_detection(device_logs, platform),
|
|
42
|
+
risk_factors: [],
|
|
43
|
+
security_score: 0
|
|
44
|
+
}
|
|
45
|
+
|
|
46
|
+
calculate_hardware_security_score(results)
|
|
47
|
+
results
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
private
|
|
51
|
+
|
|
52
|
+
# Analyze Trusted Execution Environment (TEE)
|
|
53
|
+
def analyze_trusted_execution_environment(device_logs, platform)
|
|
54
|
+
tee_data = device_logs.dig('hardware_security', 'tee') || {}
|
|
55
|
+
|
|
56
|
+
case platform.downcase
|
|
57
|
+
when 'android'
|
|
58
|
+
analyze_android_tee(tee_data)
|
|
59
|
+
when 'ios'
|
|
60
|
+
analyze_ios_secure_enclave(tee_data)
|
|
61
|
+
else
|
|
62
|
+
analyze_generic_tee(tee_data)
|
|
63
|
+
end
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
# Analyze Android TEE (TrustZone)
|
|
67
|
+
def analyze_android_tee(tee_data)
|
|
68
|
+
{
|
|
69
|
+
available: tee_data['available'] || false,
|
|
70
|
+
implementation: tee_data['implementation'] || 'unknown',
|
|
71
|
+
version: tee_data['version'],
|
|
72
|
+
secure_storage: tee_data['secureStorage'] || false,
|
|
73
|
+
key_attestation: tee_data['keyAttestation'] || false,
|
|
74
|
+
biometric_support: tee_data['biometricSupport'] || false,
|
|
75
|
+
strongbox_available: tee_data['strongboxAvailable'] || false,
|
|
76
|
+
hardware_keystore_level: determine_keystore_level(tee_data),
|
|
77
|
+
attestation_keys: tee_data['attestationKeys'] || [],
|
|
78
|
+
secure_boot_verified: tee_data['secureBootVerified'] || false
|
|
79
|
+
}
|
|
80
|
+
end
|
|
81
|
+
|
|
82
|
+
# Analyze iOS Secure Enclave
|
|
83
|
+
def analyze_ios_secure_enclave(tee_data)
|
|
84
|
+
{
|
|
85
|
+
available: tee_data['secureEnclaveAvailable'] || false,
|
|
86
|
+
processor_type: tee_data['processorType'] || 'unknown',
|
|
87
|
+
secure_boot_chain: tee_data['secureBootChain'] || false,
|
|
88
|
+
uid_available: tee_data['uidAvailable'] || false,
|
|
89
|
+
gid_available: tee_data['gidAvailable'] || false,
|
|
90
|
+
biometric_keys_protected: tee_data['biometricKeysProtected'] || false,
|
|
91
|
+
keychain_hardware_protection: tee_data['keychainHardwareProtection'] || false,
|
|
92
|
+
sep_firmware_version: tee_data['sepFirmwareVersion'],
|
|
93
|
+
secure_neural_engine: tee_data['secureNeuralEngine'] || false
|
|
94
|
+
}
|
|
95
|
+
end
|
|
96
|
+
|
|
97
|
+
# Analyze generic TEE implementation
|
|
98
|
+
def analyze_generic_tee(tee_data)
|
|
99
|
+
{
|
|
100
|
+
available: tee_data['available'] || false,
|
|
101
|
+
implementation: tee_data['implementation'] || 'unknown',
|
|
102
|
+
security_level: tee_data['securityLevel'] || 'software',
|
|
103
|
+
secure_storage: tee_data['secureStorage'] || false,
|
|
104
|
+
crypto_operations: tee_data['cryptoOperations'] || false
|
|
105
|
+
}
|
|
106
|
+
end
|
|
107
|
+
|
|
108
|
+
# Analyze Secure Element capabilities
|
|
109
|
+
def analyze_secure_element(device_logs, platform)
|
|
110
|
+
se_data = device_logs.dig('hardware_security', 'secure_element') || {}
|
|
111
|
+
|
|
112
|
+
{
|
|
113
|
+
available: se_data['available'] || false,
|
|
114
|
+
type: se_data['type'] || 'none',
|
|
115
|
+
applets_installed: se_data['appletsInstalled'] || [],
|
|
116
|
+
nfc_secure_element: se_data['nfcSecureElement'] || false,
|
|
117
|
+
embedded_secure_element: se_data['embeddedSecureElement'] || false,
|
|
118
|
+
sim_secure_element: se_data['simSecureElement'] || false,
|
|
119
|
+
payment_capabilities: analyze_payment_capabilities(se_data),
|
|
120
|
+
certification_level: se_data['certificationLevel'] || 'none',
|
|
121
|
+
tamper_resistance: se_data['tamperResistance'] || false
|
|
122
|
+
}
|
|
123
|
+
end
|
|
124
|
+
|
|
125
|
+
# Analyze biometric consistency and security
|
|
126
|
+
def analyze_biometric_consistency(device_logs, platform)
|
|
127
|
+
biometric_data = device_logs.dig('hardware_security', 'biometrics') || {}
|
|
128
|
+
|
|
129
|
+
{
|
|
130
|
+
available_types: determine_available_biometrics(biometric_data, platform),
|
|
131
|
+
enrollment_consistency: check_enrollment_consistency(biometric_data),
|
|
132
|
+
template_security: analyze_template_security(biometric_data, platform),
|
|
133
|
+
liveness_detection: analyze_liveness_detection(biometric_data),
|
|
134
|
+
anti_spoofing: analyze_anti_spoofing(biometric_data),
|
|
135
|
+
hardware_integration: analyze_biometric_hardware_integration(biometric_data, platform),
|
|
136
|
+
privacy_protection: analyze_biometric_privacy(biometric_data),
|
|
137
|
+
performance_metrics: analyze_biometric_performance(biometric_data)
|
|
138
|
+
}
|
|
139
|
+
end
|
|
140
|
+
|
|
141
|
+
# Analyze hardware attestation capabilities
|
|
142
|
+
def analyze_hardware_attestation(device_logs, platform)
|
|
143
|
+
attestation_data = device_logs.dig('hardware_security', 'attestation') || {}
|
|
144
|
+
|
|
145
|
+
case platform.downcase
|
|
146
|
+
when 'android'
|
|
147
|
+
analyze_android_attestation(attestation_data)
|
|
148
|
+
when 'ios'
|
|
149
|
+
analyze_ios_attestation(attestation_data)
|
|
150
|
+
else
|
|
151
|
+
analyze_generic_attestation(attestation_data)
|
|
152
|
+
end
|
|
153
|
+
end
|
|
154
|
+
|
|
155
|
+
# Analyze Android hardware attestation
|
|
156
|
+
def analyze_android_attestation(attestation_data)
|
|
157
|
+
{
|
|
158
|
+
key_attestation_supported: attestation_data['keyAttestationSupported'] || false,
|
|
159
|
+
attestation_security_level: attestation_data['attestationSecurityLevel'] || 'software',
|
|
160
|
+
device_id_attestation: attestation_data['deviceIdAttestation'] || false,
|
|
161
|
+
verified_boot_key: attestation_data['verifiedBootKey'],
|
|
162
|
+
verified_boot_hash: attestation_data['verifiedBootHash'],
|
|
163
|
+
attestation_certificate_chain: attestation_data['attestationCertificateChain'] || [],
|
|
164
|
+
root_of_trust: analyze_root_of_trust(attestation_data['rootOfTrust'] || {})
|
|
165
|
+
}
|
|
166
|
+
end
|
|
167
|
+
|
|
168
|
+
# Analyze iOS device attestation
|
|
169
|
+
def analyze_ios_attestation(attestation_data)
|
|
170
|
+
{
|
|
171
|
+
device_check_supported: attestation_data['deviceCheckSupported'] || false,
|
|
172
|
+
app_attest_supported: attestation_data['appAttestSupported'] || false,
|
|
173
|
+
attestation_key_available: attestation_data['attestationKeyAvailable'] || false,
|
|
174
|
+
device_identity_verified: attestation_data['deviceIdentityVerified'] || false,
|
|
175
|
+
secure_boot_measurements: attestation_data['secureBootMeasurements'] || [],
|
|
176
|
+
system_integrity_protection: attestation_data['systemIntegrityProtection'] || false
|
|
177
|
+
}
|
|
178
|
+
end
|
|
179
|
+
|
|
180
|
+
# Analyze cryptographic capabilities
|
|
181
|
+
def analyze_crypto_capabilities(device_logs, platform)
|
|
182
|
+
crypto_data = device_logs.dig('hardware_security', 'crypto') || {}
|
|
183
|
+
|
|
184
|
+
{
|
|
185
|
+
hardware_rng: crypto_data['hardwareRng'] || false,
|
|
186
|
+
aes_hardware_acceleration: crypto_data['aesHardwareAcceleration'] || false,
|
|
187
|
+
ecc_support: crypto_data['eccSupport'] || false,
|
|
188
|
+
rsa_support: crypto_data['rsaSupport'] || false,
|
|
189
|
+
key_derivation_hardware: crypto_data['keyDerivationHardware'] || false,
|
|
190
|
+
secure_key_storage: crypto_data['secureKeyStorage'] || false,
|
|
191
|
+
crypto_coprocessor: crypto_data['cryptoCoprocessor'] || false,
|
|
192
|
+
quantum_resistance: crypto_data['quantumResistance'] || false,
|
|
193
|
+
supported_algorithms: crypto_data['supportedAlgorithms'] || []
|
|
194
|
+
}
|
|
195
|
+
end
|
|
196
|
+
|
|
197
|
+
# Analyze tamper detection capabilities
|
|
198
|
+
def analyze_tamper_detection(device_logs, platform)
|
|
199
|
+
tamper_data = device_logs.dig('hardware_security', 'tamper_detection') || {}
|
|
200
|
+
|
|
201
|
+
{
|
|
202
|
+
physical_tamper_detection: tamper_data['physicalTamperDetection'] || false,
|
|
203
|
+
voltage_attack_protection: tamper_data['voltageAttackProtection'] || false,
|
|
204
|
+
frequency_attack_protection: tamper_data['frequencyAttackProtection'] || false,
|
|
205
|
+
temperature_monitoring: tamper_data['temperatureMonitoring'] || false,
|
|
206
|
+
case_opening_detection: tamper_data['caseOpeningDetection'] || false,
|
|
207
|
+
debug_interface_protection: tamper_data['debugInterfaceProtection'] || false,
|
|
208
|
+
side_channel_protection: tamper_data['sideChannelProtection'] || false,
|
|
209
|
+
fault_injection_protection: tamper_data['faultInjectionProtection'] || false
|
|
210
|
+
}
|
|
211
|
+
end
|
|
212
|
+
|
|
213
|
+
# Determine Android keystore security level
|
|
214
|
+
def determine_keystore_level(tee_data)
|
|
215
|
+
if tee_data['strongboxAvailable']
|
|
216
|
+
SECURITY_LEVELS[:strongbox]
|
|
217
|
+
elsif tee_data['available'] && tee_data['keyAttestation']
|
|
218
|
+
SECURITY_LEVELS[:trusted_environment]
|
|
219
|
+
elsif tee_data['secureStorage']
|
|
220
|
+
SECURITY_LEVELS[:software]
|
|
221
|
+
else
|
|
222
|
+
SECURITY_LEVELS[:none]
|
|
223
|
+
end
|
|
224
|
+
end
|
|
225
|
+
|
|
226
|
+
# Analyze payment capabilities of secure element
|
|
227
|
+
def analyze_payment_capabilities(se_data)
|
|
228
|
+
payment_data = se_data['payment'] || {}
|
|
229
|
+
|
|
230
|
+
{
|
|
231
|
+
contactless_payment: payment_data['contactlessPayment'] || false,
|
|
232
|
+
emv_support: payment_data['emvSupport'] || false,
|
|
233
|
+
tokenization_support: payment_data['tokenizationSupport'] || false,
|
|
234
|
+
payment_applets: payment_data['paymentApplets'] || [],
|
|
235
|
+
certification_schemes: payment_data['certificationSchemes'] || []
|
|
236
|
+
}
|
|
237
|
+
end
|
|
238
|
+
|
|
239
|
+
# Determine available biometric types
|
|
240
|
+
def determine_available_biometrics(biometric_data, platform)
|
|
241
|
+
available = []
|
|
242
|
+
|
|
243
|
+
BIOMETRIC_TYPES.each do |type, key|
|
|
244
|
+
if biometric_data["#{key}Available"] || biometric_data["#{key}_available"]
|
|
245
|
+
available << {
|
|
246
|
+
type: type,
|
|
247
|
+
enrolled: biometric_data["#{key}Enrolled"] || biometric_data["#{key}_enrolled"] || false,
|
|
248
|
+
hardware_level: biometric_data["#{key}HardwareLevel"] || 'software'
|
|
249
|
+
}
|
|
250
|
+
end
|
|
251
|
+
end
|
|
252
|
+
|
|
253
|
+
available
|
|
254
|
+
end
|
|
255
|
+
|
|
256
|
+
# Check biometric enrollment consistency
|
|
257
|
+
def check_enrollment_consistency(biometric_data)
|
|
258
|
+
consistency_data = biometric_data['consistency'] || {}
|
|
259
|
+
|
|
260
|
+
{
|
|
261
|
+
enrollment_changes_detected: consistency_data['enrollmentChangesDetected'] || false,
|
|
262
|
+
template_modifications: consistency_data['templateModifications'] || false,
|
|
263
|
+
unusual_enrollment_patterns: consistency_data['unusualEnrollmentPatterns'] || false,
|
|
264
|
+
multiple_user_detection: consistency_data['multipleUserDetection'] || false,
|
|
265
|
+
enrollment_timestamp_anomalies: consistency_data['enrollmentTimestampAnomalies'] || false
|
|
266
|
+
}
|
|
267
|
+
end
|
|
268
|
+
|
|
269
|
+
# Analyze biometric template security
|
|
270
|
+
def analyze_template_security(biometric_data, platform)
|
|
271
|
+
template_data = biometric_data['template_security'] || {}
|
|
272
|
+
|
|
273
|
+
{
|
|
274
|
+
hardware_protected: template_data['hardwareProtected'] || false,
|
|
275
|
+
encrypted_storage: template_data['encryptedStorage'] || false,
|
|
276
|
+
template_isolation: template_data['templateIsolation'] || false,
|
|
277
|
+
secure_matching: template_data['secureMatching'] || false,
|
|
278
|
+
template_diversity: template_data['templateDiversity'] || 'unknown',
|
|
279
|
+
revocation_support: template_data['revocationSupport'] || false
|
|
280
|
+
}
|
|
281
|
+
end
|
|
282
|
+
|
|
283
|
+
# Analyze liveness detection capabilities
|
|
284
|
+
def analyze_liveness_detection(biometric_data)
|
|
285
|
+
liveness_data = biometric_data['liveness_detection'] || {}
|
|
286
|
+
|
|
287
|
+
{
|
|
288
|
+
active_liveness: liveness_data['activeLiveness'] || false,
|
|
289
|
+
passive_liveness: liveness_data['passiveLiveness'] || false,
|
|
290
|
+
challenge_response: liveness_data['challengeResponse'] || false,
|
|
291
|
+
motion_detection: liveness_data['motionDetection'] || false,
|
|
292
|
+
depth_sensing: liveness_data['depthSensing'] || false,
|
|
293
|
+
infrared_detection: liveness_data['infraredDetection'] || false
|
|
294
|
+
}
|
|
295
|
+
end
|
|
296
|
+
|
|
297
|
+
# Analyze anti-spoofing measures
|
|
298
|
+
def analyze_anti_spoofing(biometric_data)
|
|
299
|
+
spoofing_data = biometric_data['anti_spoofing'] || {}
|
|
300
|
+
|
|
301
|
+
{
|
|
302
|
+
presentation_attack_detection: spoofing_data['presentationAttackDetection'] || false,
|
|
303
|
+
material_detection: spoofing_data['materialDetection'] || false,
|
|
304
|
+
replay_attack_protection: spoofing_data['replayAttackProtection'] || false,
|
|
305
|
+
deepfake_detection: spoofing_data['deepfakeDetection'] || false,
|
|
306
|
+
synthetic_detection: spoofing_data['syntheticDetection'] || false
|
|
307
|
+
}
|
|
308
|
+
end
|
|
309
|
+
|
|
310
|
+
# Analyze biometric hardware integration
|
|
311
|
+
def analyze_biometric_hardware_integration(biometric_data, platform)
|
|
312
|
+
integration_data = biometric_data['hardware_integration'] || {}
|
|
313
|
+
|
|
314
|
+
{
|
|
315
|
+
dedicated_processor: integration_data['dedicatedProcessor'] || false,
|
|
316
|
+
secure_sensor_channel: integration_data['secureSensorChannel'] || false,
|
|
317
|
+
tamper_resistant_sensor: integration_data['tamperResistantSensor'] || false,
|
|
318
|
+
encrypted_communication: integration_data['encryptedCommunication'] || false,
|
|
319
|
+
sensor_authentication: integration_data['sensorAuthentication'] || false
|
|
320
|
+
}
|
|
321
|
+
end
|
|
322
|
+
|
|
323
|
+
# Analyze biometric privacy protection
|
|
324
|
+
def analyze_biometric_privacy(biometric_data)
|
|
325
|
+
privacy_data = biometric_data['privacy'] || {}
|
|
326
|
+
|
|
327
|
+
{
|
|
328
|
+
template_protection: privacy_data['templateProtection'] || false,
|
|
329
|
+
cancelable_biometrics: privacy_data['cancelableBiometrics'] || false,
|
|
330
|
+
privacy_preserving_matching: privacy_data['privacyPreservingMatching'] || false,
|
|
331
|
+
data_minimization: privacy_data['dataMinimization'] || false,
|
|
332
|
+
consent_management: privacy_data['consentManagement'] || false
|
|
333
|
+
}
|
|
334
|
+
end
|
|
335
|
+
|
|
336
|
+
# Analyze biometric performance metrics
|
|
337
|
+
def analyze_biometric_performance(biometric_data)
|
|
338
|
+
performance_data = biometric_data['performance'] || {}
|
|
339
|
+
|
|
340
|
+
{
|
|
341
|
+
false_acceptance_rate: performance_data['falseAcceptanceRate'] || 'unknown',
|
|
342
|
+
false_rejection_rate: performance_data['falseRejectionRate'] || 'unknown',
|
|
343
|
+
matching_speed: performance_data['matchingSpeed'] || 'unknown',
|
|
344
|
+
template_size: performance_data['templateSize'] || 'unknown',
|
|
345
|
+
enrollment_time: performance_data['enrollmentTime'] || 'unknown'
|
|
346
|
+
}
|
|
347
|
+
end
|
|
348
|
+
|
|
349
|
+
# Analyze generic attestation
|
|
350
|
+
def analyze_generic_attestation(attestation_data)
|
|
351
|
+
{
|
|
352
|
+
supported: attestation_data['supported'] || false,
|
|
353
|
+
security_level: attestation_data['securityLevel'] || 'software',
|
|
354
|
+
certificate_chain: attestation_data['certificateChain'] || [],
|
|
355
|
+
device_identity: attestation_data['deviceIdentity'] || false
|
|
356
|
+
}
|
|
357
|
+
end
|
|
358
|
+
|
|
359
|
+
# Analyze root of trust for Android
|
|
360
|
+
def analyze_root_of_trust(root_data)
|
|
361
|
+
{
|
|
362
|
+
verified_boot_key: root_data['verifiedBootKey'],
|
|
363
|
+
device_locked: root_data['deviceLocked'] || false,
|
|
364
|
+
verified_boot_state: root_data['verifiedBootState'] || 'unknown',
|
|
365
|
+
verified_boot_hash: root_data['verifiedBootHash']
|
|
366
|
+
}
|
|
367
|
+
end
|
|
368
|
+
|
|
369
|
+
# Calculate overall hardware security score
|
|
370
|
+
def calculate_hardware_security_score(results)
|
|
371
|
+
score = 0
|
|
372
|
+
risk_factors = []
|
|
373
|
+
|
|
374
|
+
# TEE Analysis
|
|
375
|
+
tee = results[:tee_analysis]
|
|
376
|
+
if tee[:available]
|
|
377
|
+
score += 20
|
|
378
|
+
else
|
|
379
|
+
risk_factors << 'HARDWARE_TEE_UNAVAILABLE'
|
|
380
|
+
end
|
|
381
|
+
|
|
382
|
+
if tee[:secure_storage] || tee[:keychain_hardware_protection]
|
|
383
|
+
score += 15
|
|
384
|
+
else
|
|
385
|
+
risk_factors << 'HARDWARE_SECURE_STORAGE_UNAVAILABLE'
|
|
386
|
+
end
|
|
387
|
+
|
|
388
|
+
# Secure Element Analysis
|
|
389
|
+
se = results[:secure_element_analysis]
|
|
390
|
+
if se[:available]
|
|
391
|
+
score += 15
|
|
392
|
+
else
|
|
393
|
+
risk_factors << 'HARDWARE_SECURE_ELEMENT_UNAVAILABLE'
|
|
394
|
+
end
|
|
395
|
+
|
|
396
|
+
if se[:tamper_resistance]
|
|
397
|
+
score += 10
|
|
398
|
+
else
|
|
399
|
+
risk_factors << 'HARDWARE_TAMPER_RESISTANCE_UNAVAILABLE'
|
|
400
|
+
end
|
|
401
|
+
|
|
402
|
+
# Biometric Analysis
|
|
403
|
+
biometric = results[:biometric_analysis]
|
|
404
|
+
if biometric[:available_types].any?
|
|
405
|
+
score += 10
|
|
406
|
+
|
|
407
|
+
# Check for hardware-level biometrics
|
|
408
|
+
hardware_biometrics = biometric[:available_types].select { |b| b[:hardware_level] != 'software' }
|
|
409
|
+
if hardware_biometrics.any?
|
|
410
|
+
score += 10
|
|
411
|
+
else
|
|
412
|
+
risk_factors << 'HARDWARE_BIOMETRIC_SOFTWARE_ONLY'
|
|
413
|
+
end
|
|
414
|
+
else
|
|
415
|
+
risk_factors << 'HARDWARE_BIOMETRIC_UNAVAILABLE'
|
|
416
|
+
end
|
|
417
|
+
|
|
418
|
+
# Template security
|
|
419
|
+
if biometric[:template_security][:hardware_protected]
|
|
420
|
+
score += 8
|
|
421
|
+
else
|
|
422
|
+
risk_factors << 'HARDWARE_BIOMETRIC_TEMPLATE_NOT_PROTECTED'
|
|
423
|
+
end
|
|
424
|
+
|
|
425
|
+
# Attestation Analysis
|
|
426
|
+
attestation = results[:hardware_attestation]
|
|
427
|
+
if attestation[:key_attestation_supported] || attestation[:device_check_supported]
|
|
428
|
+
score += 12
|
|
429
|
+
else
|
|
430
|
+
risk_factors << 'HARDWARE_ATTESTATION_UNAVAILABLE'
|
|
431
|
+
end
|
|
432
|
+
|
|
433
|
+
# Crypto Capabilities
|
|
434
|
+
crypto = results[:crypto_capabilities]
|
|
435
|
+
if crypto[:hardware_rng]
|
|
436
|
+
score += 5
|
|
437
|
+
else
|
|
438
|
+
risk_factors << 'HARDWARE_RNG_UNAVAILABLE'
|
|
439
|
+
end
|
|
440
|
+
|
|
441
|
+
if crypto[:secure_key_storage]
|
|
442
|
+
score += 5
|
|
443
|
+
else
|
|
444
|
+
risk_factors << 'HARDWARE_SECURE_KEY_STORAGE_UNAVAILABLE'
|
|
445
|
+
end
|
|
446
|
+
|
|
447
|
+
results[:security_score] = [score, 100].min
|
|
448
|
+
results[:risk_factors] = risk_factors
|
|
449
|
+
end
|
|
450
|
+
end
|
|
451
|
+
end
|
|
452
|
+
end
|