@elizaos/skills 2.0.0-alpha.3

package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.py

@@ -0,0 +1,252 @@
+"""
+Vulnerable Python code sample for constant-time analysis testing.
+
+This file demonstrates common timing side-channel vulnerabilities in Python:
+- Variable-time division operations
+- Timing-unsafe string comparisons
+- Variable-latency math operations
+- Predictable randomness
+- Table lookups indexed by secrets
+- Variable-length encoding functions
+- Bit shift operations
+
+DO NOT USE THIS CODE IN PRODUCTION - it is intentionally vulnerable.
+"""
+
+import base64
+import json
+import math
+import random
+import struct
+
+
+def vulnerable_mod_reduce(value: int, modulus: int) -> int:
+    """
+    Vulnerable modular reduction using division.
+    Division has data-dependent timing on most platforms.
+    """
+    # VULNERABLE: Division has variable-time execution
+    quotient = value // modulus
+    # VULNERABLE: Modulo has variable-time execution
+    remainder = value % modulus
+
+    # Use quotient to prevent dead code elimination
+    if quotient < 0:
+        raise ValueError("Unexpected negative quotient")
+
+    return remainder
+
+
+def vulnerable_token_compare(provided: str, expected: str) -> bool:
+    """
+    Vulnerable token comparison using early-exit equality.
+    This leaks timing information about how many characters match.
+    """
+    # VULNERABLE: == on strings may early-exit
+    return provided == expected
+
+
+def vulnerable_string_search(haystack: str, needle: str) -> bool:
+    """
+    Vulnerable string search using find.
+    find() has early-terminating behavior.
+    """
+    # VULNERABLE: find has early-terminating behavior
+    return haystack.find(needle) != -1
+
+
+def vulnerable_string_startswith(text: str, prefix: str) -> bool:
+    """
+    Vulnerable string prefix check using startswith.
+    startswith() has early-terminating behavior.
+    """
+    # VULNERABLE: startswith has early-terminating behavior
+    return text.startswith(prefix)
+
+
+def vulnerable_sqrt(value: float) -> float:
+    """
+    Vulnerable square root calculation.
+    math.sqrt() has variable latency based on operand values.
+    """
+    # VULNERABLE: math.sqrt has variable latency
+    return math.sqrt(value)
+
+
+def vulnerable_pow(base: float, exponent: float) -> float:
+    """
+    Vulnerable power calculation.
+    math.pow() has variable latency based on operand values.
+    """
+    # VULNERABLE: math.pow has variable latency
+    return math.pow(base, exponent)
+
+
+def vulnerable_random_token(length: int) -> str:
+    """
+    Vulnerable random number generation.
+    random module is predictable and not cryptographically secure.
+    """
+    chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+    token = ""
+
+    for _ in range(length):
+        # VULNERABLE: random.choice is predictable
+        token += random.choice(chars)
+
+    return token
+
+
+def vulnerable_random_int(min_val: int, max_val: int) -> int:
+    """
+    Vulnerable random integer generation.
+    random.randint() is predictable.
+    """
+    # VULNERABLE: random.randint is predictable
+    return random.randint(min_val, max_val)
+
+
+def vulnerable_decompose(r: int, gamma2: int) -> tuple[int, int]:
+    """
+    Vulnerable ML-DSA-like decompose function with division.
+    Demonstrates the KyberSlash-style vulnerability.
+    """
+    # VULNERABLE: Division has variable-time execution
+    r1 = (r + 127) // (2 * gamma2)
+
+    # VULNERABLE: Modulo has variable-time execution
+    r0 = r % (2 * gamma2)
+
+    # Centering
+    if r0 > gamma2:
+        r0 -= 2 * gamma2
+        r1 += 1
+
+    return r1, r0
+
+
+def vulnerable_table_lookup(secret_index: int, table: list) -> int:
+    """
+    Vulnerable table lookup using secret as index.
+    This leaks timing through cache behavior.
+    """
+    # VULNERABLE: Array access indexed by secret leaks cache timing
+    return table[secret_index]
+
+
+def vulnerable_sbox_lookup(secret_byte: int) -> int:
+    """
+    Vulnerable S-box lookup (common in AES implementations).
+    Cache timing varies based on which cache line is accessed.
+    """
+    # Standard AES S-box (first 16 values as example)
+    sbox = [
+        0x63,
+        0x7C,
+        0x77,
+        0x7B,
+        0xF2,
+        0x6B,
+        0x6F,
+        0xC5,
+        0x30,
+        0x01,
+        0x67,
+        0x2B,
+        0xFE,
+        0xD7,
+        0xAB,
+        0x76,
+    ]
+    # VULNERABLE: Table lookup indexed by secret byte
+    return sbox[secret_byte % len(sbox)]
+
+
+def vulnerable_bit_shift(secret: int, shift_amount: int) -> int:
+    """
+    Vulnerable bit shift where shift amount depends on secret.
+    """
+    # VULNERABLE: Left shift amount derived from secret
+    result = 1 << shift_amount
+    # VULNERABLE: Right shift
+    result2 = secret >> (shift_amount % 8)
+    return result + result2
+
+
+def vulnerable_encode_secret(secret: bytes) -> str:
+    """
+    Vulnerable encoding of secret data.
+    Variable-length output leaks information about input.
+    """
+    # VULNERABLE: Base64 output length depends on input
+    encoded = base64.b64encode(secret).decode()
+    return encoded
+
+
+def vulnerable_json_encode(secret_data: dict) -> str:
+    """
+    Vulnerable JSON encoding of secret data.
+    Output length and encoding time varies with input.
+    """
+    # VULNERABLE: JSON encoding produces variable-length output
+    return json.dumps(secret_data)
+
+
+def vulnerable_struct_pack(secret_value: int) -> bytes:
+    """
+    Vulnerable struct packing.
+    """
+    # VULNERABLE: struct.pack timing may vary
+    return struct.pack(">I", secret_value)
+
+
+def vulnerable_int_to_bytes(secret: int) -> bytes:
+    """
+    Vulnerable integer to bytes conversion.
+    Output length reveals information about the integer size.
+    """
+    # VULNERABLE: to_bytes output length may leak integer magnitude
+    byte_length = (secret.bit_length() + 7) // 8 or 1
+    return secret.to_bytes(byte_length, "big")
+
+
+def run_tests() -> None:
+    """Test harness to prevent dead code elimination."""
+    print("Running vulnerable operations for testing...")
+
+    result1 = vulnerable_mod_reduce(12345, 97)
+    print(f"Mod reduce: {result1}")
+
+    result2 = vulnerable_token_compare("secret123", "secret123")
+    print(f"Token compare: {result2}")
+
+    result3 = vulnerable_sqrt(144)
+    print(f"Sqrt: {result3}")
+
+    result4 = vulnerable_pow(2, 10)
+    print(f"Pow: {result4}")
+
+    result5 = vulnerable_random_token(16)
+    print(f"Token: {result5}")
+
+    result6 = vulnerable_decompose(1000, 261888)
+    print(f"Decompose: r1={result6[0]}, r0={result6[1]}")
+
+    result7 = vulnerable_table_lookup(5, [1, 2, 3, 4, 5, 6, 7, 8])
+    print(f"Table lookup: {result7}")
+
+    result8 = vulnerable_sbox_lookup(10)
+    print(f"S-box lookup: {result8}")
+
+    result9 = vulnerable_bit_shift(0xDEADBEEF, 4)
+    print(f"Bit shift: {result9}")
+
+    result10 = vulnerable_encode_secret(b"secret")
+    print(f"Encoded: {result10}")
+
+    result11 = vulnerable_json_encode({"key": "value"})
+    print(f"JSON: {result11}")
+
+
+if __name__ == "__main__":
+    run_tests()

package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.rb

@@ -0,0 +1,188 @@
+# Vulnerable Ruby code sample for constant-time analysis testing.
+#
+# This file demonstrates common timing side-channel vulnerabilities in Ruby:
+# - Variable-time division operations
+# - Timing-unsafe string comparisons
+# - Variable-latency math operations
+# - Predictable randomness
+# - Table lookups indexed by secrets
+# - Variable-length encoding functions
+# - Bit shift operations
+#
+# DO NOT USE THIS CODE IN PRODUCTION - it is intentionally vulnerable.
+
+require 'json'
+require 'base64'
+
+# Vulnerable modular reduction using division.
+# Division has data-dependent timing on most platforms.
+def vulnerable_mod_reduce(value, modulus)
+  # VULNERABLE: Division has variable-time execution
+  quotient = value / modulus
+  # VULNERABLE: Modulo has variable-time execution
+  remainder = value % modulus
+
+  # Use quotient to prevent dead code elimination
+  raise "Unexpected negative quotient" if quotient < 0
+
+  remainder
+end
+
+# Vulnerable token comparison using early-exit equality.
+# This leaks timing information about how many characters match.
+def vulnerable_token_compare(provided, expected)
+  # VULNERABLE: == on strings may early-exit
+  provided == expected
+end
+
+# Vulnerable string search using include?.
+# include?() has early-terminating behavior.
+def vulnerable_string_search(haystack, needle)
+  # VULNERABLE: include? has early-terminating behavior
+  haystack.include?(needle)
+end
+
+# Vulnerable string prefix check using start_with?.
+# start_with?() has early-terminating behavior.
+def vulnerable_string_startswith(text, prefix)
+  # VULNERABLE: start_with? has early-terminating behavior
+  text.start_with?(prefix)
+end
+
+# Vulnerable square root calculation.
+# Math.sqrt() has variable latency based on operand values.
+def vulnerable_sqrt(value)
+  # VULNERABLE: Math.sqrt has variable latency
+  Math.sqrt(value)
+end
+
+# Vulnerable random number generation.
+# rand() is predictable and not cryptographically secure.
+def vulnerable_random_token(length)
+  chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+  token = ""
+
+  length.times do
+    # VULNERABLE: rand is predictable
+    token += chars[rand(chars.length)]
+  end
+
+  token
+end
+
+# Vulnerable random integer generation.
+# rand() is predictable.
+def vulnerable_random_int(min_val, max_val)
+  # VULNERABLE: rand is predictable
+  rand(min_val..max_val)
+end
+
+# Vulnerable ML-DSA-like decompose function with division.
+# Demonstrates the KyberSlash-style vulnerability.
+def vulnerable_decompose(r, gamma2)
+  # VULNERABLE: Division has variable-time execution
+  r1 = (r + 127) / (2 * gamma2)
+
+  # VULNERABLE: Modulo has variable-time execution
+  r0 = r % (2 * gamma2)
+
+  # Centering
+  if r0 > gamma2
+    r0 -= 2 * gamma2
+    r1 += 1
+  end
+
+  [r1, r0]
+end
+
+# Vulnerable regex matching.
+# =~ has variable-time execution.
+def vulnerable_regex_match(text, pattern)
+  # VULNERABLE: =~ has variable-time execution
+  text =~ pattern
+end
+
+# Vulnerable table lookup using secret as index.
+# This leaks timing through cache behavior.
+def vulnerable_table_lookup(secret_index, table)
+  # VULNERABLE: Array access indexed by secret leaks cache timing
+  table[secret_index]
+end
+
+# Vulnerable S-box lookup (common in AES implementations).
+# Cache timing varies based on which cache line is accessed.
+def vulnerable_sbox_lookup(secret_byte)
+  # Standard AES S-box (first 16 values as example)
+  sbox = [
+    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
+    0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
+  ]
+  # VULNERABLE: Table lookup indexed by secret byte
+  sbox[secret_byte % sbox.length]
+end
+
+# Vulnerable bit shift where shift amount depends on secret.
+def vulnerable_bit_shift(secret, shift_amount)
+  # VULNERABLE: Left shift amount derived from secret
+  result = 1 << shift_amount
+  # VULNERABLE: Right shift
+  result2 = secret >> (shift_amount % 8)
+  result + result2
+end
+
+# Vulnerable encoding of secret data.
+# Variable-length output leaks information about input.
+def vulnerable_encode_secret(secret)
+  # VULNERABLE: Base64 output length depends on input
+  Base64.encode64(secret)
+end
+
+# Vulnerable JSON encoding of secret data.
+# Output length and encoding time varies with input.
+def vulnerable_json_encode(secret_data)
+  # VULNERABLE: JSON encoding produces variable-length output
+  secret_data.to_json
+end
+
+# Vulnerable pack operation.
+def vulnerable_pack_secret(values)
+  # VULNERABLE: pack may leak data length via timing
+  values.pack("C*")
+end
+
+# Test harness to prevent dead code elimination
+def run_tests
+  puts "Running vulnerable operations for testing..."
+
+  result1 = vulnerable_mod_reduce(12345, 97)
+  puts "Mod reduce: #{result1}"
+
+  result2 = vulnerable_token_compare("secret123", "secret123")
+  puts "Token compare: #{result2}"
+
+  result3 = vulnerable_sqrt(144)
+  puts "Sqrt: #{result3}"
+
+  result5 = vulnerable_random_token(16)
+  puts "Token: #{result5}"
+
+  result6 = vulnerable_decompose(1000, 261888)
+  puts "Decompose: r1=#{result6[0]}, r0=#{result6[1]}"
+
+  result7 = vulnerable_table_lookup(5, [1, 2, 3, 4, 5, 6, 7, 8])
+  puts "Table lookup: #{result7}"
+
+  result8 = vulnerable_sbox_lookup(10)
+  puts "S-box lookup: #{result8}"
+
+  result9 = vulnerable_bit_shift(0xDEADBEEF, 4)
+  puts "Bit shift: #{result9}"
+
+  result10 = vulnerable_encode_secret("secret")
+  puts "Encoded: #{result10}"
+
+  result11 = vulnerable_json_encode({ "key" => "value" })
+  puts "JSON: #{result11}"
+end
+
+run_tests if __FILE__ == $PROGRAM_NAME

package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.swift

@@ -0,0 +1,199 @@
+/**
+ * Vulnerable Swift code sample for constant-time analysis testing.
+ *
+ * This file demonstrates common timing side-channel vulnerabilities in Swift:
+ * - Variable-time division operations
+ * - Timing-unsafe comparisons
+ * - Variable-latency math operations
+ * - Branching on secret values
+ *
+ * DO NOT USE THIS CODE IN PRODUCTION - it is intentionally vulnerable.
+ */
+
+import Foundation
+
+/**
+ * Vulnerable modular reduction using division.
+ * Division has data-dependent timing on most platforms.
+ */
+func vulnerableModReduce(value: Int32, modulus: Int32) -> Int32 {
+    // VULNERABLE: Division has variable-time execution (SDIV on ARM64, IDIV on x86)
+    let quotient = value / modulus
+    // VULNERABLE: Modulo has variable-time execution
+    let remainder = value % modulus
+
+    // Use quotient to prevent dead code elimination
+    precondition(quotient >= 0, "Unexpected negative quotient")
+
+    return remainder
+}
+
+/**
+ * Vulnerable unsigned division.
+ */
+func vulnerableUnsignedDivide(value: UInt32, divisor: UInt32) -> UInt32 {
+    // VULNERABLE: Unsigned division has variable-time execution (UDIV on ARM64)
+    return value / divisor
+}
+
+/**
+ * Vulnerable 64-bit division.
+ */
+func vulnerableLongDivide(value: Int64, divisor: Int64) -> Int64 {
+    // VULNERABLE: 64-bit division has variable-time execution
+    return value / divisor
+}
+
+/**
+ * Vulnerable floating-point division.
+ */
+func vulnerableFloatDivide(a: Double, b: Double) -> Double {
+    // VULNERABLE: Float division has variable latency (FDIV on ARM64)
+    return a / b
+}
+
+/**
+ * Vulnerable token comparison using == operator.
+ * This may early-exit on mismatch.
+ */
+func vulnerableTokenCompare(provided: [UInt8], expected: [UInt8]) -> Bool {
+    // VULNERABLE: Array == comparison may early-exit
+    return provided == expected
+}
+
+/**
+ * Vulnerable string comparison.
+ */
+func vulnerableStringCompare(provided: String, expected: String) -> Bool {
+    // VULNERABLE: String == comparison has variable timing
+    return provided == expected
+}
+
+/**
+ * Vulnerable square root calculation.
+ * sqrt() has variable latency based on operand values.
+ */
+func vulnerableSqrt(value: Double) -> Double {
+    // VULNERABLE: sqrt has variable latency (FSQRT on ARM64)
+    return sqrt(value)
+}
+
+/**
+ * Vulnerable power calculation.
+ */
+func vulnerablePow(base: Double, exponent: Double) -> Double {
+    // VULNERABLE: pow has variable latency
+    return pow(base, exponent)
+}
+
+/**
+ * Vulnerable decompose function similar to ML-DSA.
+ * Demonstrates the KyberSlash-style vulnerability.
+ */
+func vulnerableDecompose(r: Int32, gamma2: Int32) -> (Int32, Int32) {
+    // VULNERABLE: Division has variable-time execution
+    var r1 = (r + 127) / (2 * gamma2)
+
+    // VULNERABLE: Modulo has variable-time execution
+    var r0 = r % (2 * gamma2)
+
+    // VULNERABLE: Branch based on computed value
+    if r0 > gamma2 {
+        r0 -= 2 * gamma2
+        r1 += 1
+    }
+
+    return (r1, r0)
+}
+
+/**
+ * Vulnerable table lookup using secret as index.
+ * This leaks timing through cache behavior.
+ */
+func vulnerableTableLookup(secretIndex: Int, table: [Int]) -> Int {
+    // VULNERABLE: Array access indexed by secret leaks cache timing
+    return table[secretIndex]
+}
+
+/**
+ * Vulnerable conditional selection.
+ * Ternary operator compiles to conditional branch.
+ */
+func vulnerableConditionalSelect(secret: Int32, a: Int32, b: Int32) -> Int32 {
+    // VULNERABLE: Ternary compiles to conditional branch
+    return secret != 0 ? a : b
+}
+
+/**
+ * Vulnerable switch on secret value.
+ */
+func vulnerableSwitch(secretValue: Int) -> String {
+    // VULNERABLE: Switch compiles to conditional branches or jump table
+    switch secretValue {
+    case 0:
+        return "zero"
+    case 1:
+        return "one"
+    case 2:
+        return "two"
+    default:
+        return "other"
+    }
+}
+
+/**
+ * Vulnerable optional unwrapping.
+ */
+func vulnerableOptionalUnwrap(maybeSecret: Int?) -> Int {
+    // VULNERABLE: Optional unwrapping introduces branches
+    if let secret = maybeSecret {
+        return secret * 2
+    }
+    return 0
+}
+
+/**
+ * Test harness to prevent dead code elimination.
+ */
+func runTests() {
+    print("Running vulnerable operations for testing...")
+
+    let result1 = vulnerableModReduce(value: 12345, modulus: 97)
+    print("Mod reduce: \(result1)")
+
+    let result2 = vulnerableUnsignedDivide(value: 12345, divisor: 97)
+    print("Unsigned divide: \(result2)")
+
+    let result3 = vulnerableLongDivide(value: 1234567890, divisor: 12345)
+    print("Long divide: \(result3)")
+
+    let result4 = vulnerableFloatDivide(a: 10.0, b: 3.0)
+    print("Float divide: \(result4)")
+
+    let a: [UInt8] = [1, 2, 3]
+    let b: [UInt8] = [1, 2, 3]
+    let result5 = vulnerableTokenCompare(provided: a, expected: b)
+    print("Token compare: \(result5)")
+
+    let result6 = vulnerableSqrt(value: 144.0)
+    print("Sqrt: \(result6)")
+
+    let result7 = vulnerablePow(base: 2.0, exponent: 10.0)
+    print("Pow: \(result7)")
+
+    let (r1, r0) = vulnerableDecompose(r: 1000, gamma2: 261888)
+    print("Decompose: r1=\(r1), r0=\(r0)")
+
+    let table = [1, 2, 3, 4, 5, 6, 7, 8]
+    let result8 = vulnerableTableLookup(secretIndex: 5, table: table)
+    print("Table lookup: \(result8)")
+
+    let result9 = vulnerableConditionalSelect(secret: 1, a: 100, b: 200)
+    print("Conditional select: \(result9)")
+
+    let result10 = vulnerableSwitch(secretValue: 1)
+    print("Switch result: \(result10)")
+}
+
+// Run the tests
+runTests()