@blamejs/exceptd-skills 0.9.1

package/data/zeroday-lessons.json

@@ -0,0 +1,377 @@
+{
+  "_meta": {
+    "schema_version": "1.0.0",
+    "last_updated": "2026-05-01",
+    "purpose": "Zero-day learning loop output. Each entry maps a CVE to: attack vector, defense chain analysis, framework coverage, new control requirements generated, and exposure scoring.",
+    "note": "Never delete entries. Closed gaps are marked status: closed. History is data.",
+    "tlp": "CLEAR",
+    "source_confidence": {
+      "scheme": "Admiralty (A-F + 1-6)",
+      "default": "B2",
+      "note": "B = usually reliable; 2 = probably true. Per-entry overrides via entry-level source_confidence field. Public-record catalogs (NVD, ATLAS, CWE, RFC, framework publishers) get A1 (completely reliable, confirmed). Project-curated catalogs (zeroday-lessons, exploit-availability) default to B2 with source citations."
+    },
+    "freshness_policy": {
+      "default_review_cadence_days": 90,
+      "stale_after_days": 180,
+      "rebuild_after_days": 365,
+      "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
+    }
+  },
+  "CVE-2026-31431": {
+    "name": "Copy Fail",
+    "lesson_date": "2026-05-01",
+    "attack_vector": {
+      "description": "Page-cache copy-on-write (CoW) primitive abuse in Linux kernel. Unprivileged local user writes to a read-only page via the CoW path, corrupting kernel memory and escalating to root.",
+      "privileges_required": "unprivileged local user or container process",
+      "complexity": "deterministic, no race condition",
+      "ai_factor": "Discovered by AI system in approximately 1 hour — human researchers did not find this in 9 years of kernel exposure"
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "seccomp profile blocking userfaultfd + user namespace restrictions + kernel hardening",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "reduces attack surface but does not eliminate it; full patch is required"
+      },
+      "detection": {
+        "what_would_have_worked": "auditd rule on userfaultfd syscall + monitoring for unexpected UID 0 processes",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "detection without prevention; exploitation has already occurred when detection fires"
+      },
+      "response": {
+        "what_would_have_worked": "automated process kill on privilege escalation pattern detection",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "reduces blast radius post-exploitation; does not prevent it"
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "30-day SLA is exploitation window for CISA KEV + deterministic public PoC"
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Appropriate timescales undefined; typical 30-day interpretation is unsafe"
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "1-month critical patch window is exploitation acceptance"
+      },
+      "ASD-ISM-1623": {
+        "covered": true,
+        "adequate": "closest",
+        "gap": "48h is better but still too long for 732-byte public exploit + CISA KEV"
+      },
+      "ANY-FRAMEWORK": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires live kernel patching as a capability or auditd exploitation detection"
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-001",
+        "name": "CISA-KEV-RESPONSE-SLA",
+        "description": "For any CVE listed in CISA KEV: deploy verified mitigation (patch, live patch, or documented compensating controls) within 4 hours of KEV listing or patch availability, whichever is later.",
+        "evidence": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "PCI-DSS-4.0-6.3.3"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-002",
+        "name": "LIVE-PATCH-CAPABILITY",
+        "description": "For any system that processes production workloads and cannot tolerate unplanned reboots: live kernel patching capability (kpatch, livepatch, kGraft, or equivalent) must be deployed and tested quarterly.",
+        "evidence": "CVE-2026-31431 — reboot required for full patch on systems that must maintain uptime",
+        "gap_closes": [
+          "ALL-FRAMEWORKS-PATCH-SLA"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-003",
+        "name": "KERNEL-EXPLOITATION-DETECTION",
+        "description": "Deploy auditd or eBPF-based monitoring rules for kernel privilege escalation indicators. Alert within 60 seconds of detection.",
+        "evidence": "No detection rules required by any framework; Copy Fail class exploits are detectable via userfaultfd audit",
+        "gap_closes": [
+          "ALL-FRAMEWORKS-DETECTION-GAPS"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "Industry patch deployment lag data: ~80% of organizations lag CISA KEV remediation beyond 72h in first week",
+      "theater_pattern": "patch_management"
+    }
+  },
+  "CVE-2025-53773": {
+    "name": "GitHub Copilot Prompt Injection RCE",
+    "lesson_date": "2026-05-01",
+    "attack_vector": {
+      "description": "Adversarial instructions embedded in GitHub PR description field. When developer interacts with the PR via GitHub Copilot, the instructions execute in the developer's session context.",
+      "privileges_required": "ability to create or modify a PR description (any external contributor)",
+      "complexity": "low — craft adversarial text in PR description",
+      "ai_factor": "The vulnerability IS in an AI tool. AI tooling enables the attack surface."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Treat all content ingested by AI tools as untrusted. Apply adversarial instruction classifiers before including in model context.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "No framework requires AI tool input sanitization"
+      },
+      "detection": {
+        "what_would_have_worked": "Log all AI agent tool calls with the prompt content that triggered them. Alert on AI actions that don't match user-stated intent.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "No framework requires AI action audit trails distinct from service account audit trails"
+      },
+      "response": {
+        "what_would_have_worked": "Per-invocation AI authorization scope — AI cannot take actions outside a declared scope regardless of injected instructions",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "No framework control for per-invocation AI authorization"
+      }
+    },
+    "framework_coverage": {
+      "ALL-MAJOR-FRAMEWORKS": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework has a control category for prompt injection as RCE vector. CVSS 9.6 with zero framework coverage."
+      },
+      "NIST-800-53-AC-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Service account is properly authorized per AC-2; prompt injection bypasses AC-2 entirely"
+      },
+      "MITRE-ATLAS-v5.1.0": {
+        "covered": true,
+        "adequate": "reference only",
+        "gap": "ATLAS documents the technique (AML.T0051/T0054) but no framework has implemented controls based on ATLAS"
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-004",
+        "name": "AI-TOOL-ACTION-AUTHORIZATION",
+        "description": "AI coding assistants must have explicitly scoped permissions. Any action taken by an AI tool requires explicit user approval unless within a pre-approved action allowlist. Implied authorization from context is insufficient.",
+        "evidence": "CVE-2025-53773 — AI tool took RCE action using developer's authorization without explicit approval",
+        "gap_closes": [
+          "ALL-AI-PIPELINE-INTEGRITY",
+          "NIST-800-53-AC-2"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-005",
+        "name": "AI-TOOL-INPUT-SANITIZATION",
+        "description": "Content ingested by AI tools from external sources (PR descriptions, code comments, documentation, web pages, emails) must be treated as potentially adversarial. Apply adversarial instruction classifiers before including in model context.",
+        "evidence": "CVE-2025-53773 — adversarial instructions in PR description were included in model context without sanitization",
+        "gap_closes": [
+          "ISO-27001-2022-A.8.28"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 95,
+      "basis": "No framework requires AI tool input sanitization. Any organization using AI coding assistants with tool use capability is exposed unless specifically implementing this control.",
+      "theater_pattern": "access_control_ai"
+    }
+  },
+  "CVE-2026-43284": {
+    "name": "Dirty Frag (ESP/IPsec component)",
+    "lesson_date": "2026-05-11",
+    "attack_vector": {
+      "description": "Page-cache write primitive in the Linux kernel ESP/IPsec subsystem. Chained with CVE-2026-43500 (RxRPC component) to achieve local privilege escalation. Notably: the exploit runs through the IPsec subsystem, meaning IPsec-based network controls are NOT compensating controls for unpatched systems.",
+      "privileges_required": "unprivileged local user or container process",
+      "complexity": "moderate — requires kernel version fingerprinting to select correct gadget chain",
+      "ai_factor": "Not AI-discovered. Human-discovered via subsystem analysis following Copy Fail disclosure."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Kernel patch. seccomp profiles blocking relevant syscalls. Note: IPsec-based network controls are NOT compensating controls — they use the vulnerable subsystem.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Patch is the only reliable prevention. seccomp reduces attack surface but does not eliminate it."
+      },
+      "detection": {
+        "what_would_have_worked": "auditd rules on privilege escalation patterns + monitoring for unexpected UID 0 processes",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Post-exploitation detection only; kernel is already compromised when detected"
+      },
+      "response": {
+        "what_would_have_worked": "Network isolation of unpatched hosts from internal trust zones. Immediate kernel patch deployment.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Network isolation reduces blast radius post-exploitation"
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Patch SLA does not account for public PoC + suspected active exploitation"
+      },
+      "NIST-800-53-SC-8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "IPsec compliance via SC-8 is not a compensating control — exploit runs through IPsec implementation"
+      },
+      "NIST-800-53-SC-28": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Same — kernel crypto subsystem compliance claims are invalidated when the subsystem has unpatched LPE"
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Appropriate timescales undefined; same patch SLA problem as CVE-2026-31431"
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-008",
+        "name": "CRYPTO-SUBSYSTEM-CVE-DISCLOSURE",
+        "description": "When a CVE affects a kernel cryptographic subsystem (IPsec, RxRPC, etc.), any compliance controls that rely on that subsystem must be documented as 'not a compensating control' until the CVE is patched. Risk assessments must note this explicitly.",
+        "evidence": "CVE-2026-43284 — IPsec-based SC-8 and SC-28 compliance is invalidated by this vulnerability",
+        "gap_closes": [
+          "NIST-800-53-SC-8",
+          "NIST-800-53-SC-28"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 65,
+      "basis": "Organizations using IPsec for network compliance controls may incorrectly claim IPsec as a compensating control while the kernel IPsec implementation is exploitable",
+      "theater_pattern": "patch_management"
+    }
+  },
+  "CVE-2026-43500": {
+    "name": "Dirty Frag (RxRPC component)",
+    "lesson_date": "2026-05-11",
+    "attack_vector": {
+      "description": "Page-cache write primitive in the Linux kernel RxRPC subsystem. Used as chain component with CVE-2026-43284 (ESP/IPsec component). The chain enables local privilege escalation on kernel 5.0+ systems with either IPsec or RxRPC support.",
+      "privileges_required": "unprivileged local user or container process",
+      "complexity": "moderate — requires chaining with CVE-2026-43284 and subsystem fingerprinting",
+      "ai_factor": "Not AI-discovered."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Kernel patch for both CVE-2026-43284 and CVE-2026-43500. Disabling RxRPC module if not required.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "RxRPC is not commonly required; disabling is a viable compensating control for many organizations"
+      },
+      "detection": {
+        "what_would_have_worked": "auditd rules on privilege escalation + RxRPC socket creation monitoring for unusual processes",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Post-exploitation detection. RxRPC socket creation from unexpected processes is a pre-exploitation indicator."
+      },
+      "response": {
+        "what_would_have_worked": "Disabling RxRPC kernel module as immediate compensating control where not operationally required",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Effective compensating control for the majority of systems that don't use RxRPC"
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Same patch SLA problem as other kernel LPEs with public PoC"
+      },
+      "NIST-800-53-CM-7": {
+        "covered": true,
+        "adequate": "partial",
+        "gap": "CM-7 least functionality could require disabling RxRPC, but this is rarely implemented for kernel subsystems"
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Same timescale problem as CVE-2026-31431 and CVE-2026-43284"
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-009",
+        "name": "KERNEL-MODULE-INVENTORY-AND-DISABLE",
+        "description": "Maintain an inventory of loaded kernel modules. For modules not required for business function (RxRPC, unused crypto modules), disable via modprobe blacklist as a least-functionality control. Review quarterly.",
+        "evidence": "CVE-2026-43500 — RxRPC is rarely required; disabling eliminates one chain component",
+        "gap_closes": [
+          "NIST-800-53-CM-7"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 60,
+      "basis": "Most organizations do not inventory or disable unused kernel modules. RxRPC is rarely used but rarely disabled.",
+      "theater_pattern": "patch_management"
+    }
+  },
+  "CVE-2026-30615": {
+    "name": "Windsurf MCP Zero-Interaction RCE",
+    "lesson_date": "2026-05-01",
+    "attack_vector": {
+      "description": "Malicious MCP server delivers adversarial tool response. AI assistant follows the instructions without user interaction. Code executes in user context.",
+      "privileges_required": "ability to get a malicious MCP server installed (supply chain, typosquatting, or compromise)",
+      "complexity": "low once installed",
+      "ai_factor": "AI tool is the attack vector. MCP is the supply chain."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SA-12": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Supply chain protection doesn't contemplate MCP server trust as a category"
+      },
+      "NIST-800-53-CM-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Least functionality doesn't address AI tool plugin authorization model"
+      },
+      "ISO-27001-2022-A.8.30": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Outsourced development controls don't cover MCP server supply chain"
+      },
+      "SOC2-CC9": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Vendor management doesn't reach developer-installed AI tool plugins"
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-006",
+        "name": "MCP-SERVER-SIGNING",
+        "description": "All MCP servers must have verifiable provenance. AI coding assistants must refuse to load unsigned MCP servers.",
+        "evidence": "CVE-2026-30615 — unsigned MCP server enabled zero-interaction RCE",
+        "gap_closes": [
+          "NIST-800-53-SA-12",
+          "ISO-27001-2022-A.8.30"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-007",
+        "name": "MCP-TOOL-ALLOWLIST",
+        "description": "AI clients must implement explicit tool allowlists. Default deny — only tools in the allowlist may be called.",
+        "evidence": "CVE-2026-30615 — AI client called tools exposed by malicious server without restriction",
+        "gap_closes": [
+          "NIST-800-53-CM-7",
+          "ALL-MCP-TOOL-TRUST"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 90,
+      "basis": "No vendor management or supply chain control covers MCP servers. 150M+ affected downloads suggests extremely broad exposure.",
+      "theater_pattern": "vendor_management_ai"
+    }
+  }
+}

package/keys/public.pem

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAh++7P6Bd/u2vy1xF05jGxrN/VJqtFennBw5JZy8kx6M=
+-----END PUBLIC KEY-----