pompelmi 0.19.0 → 0.21.0

package/dist/types/engines/dynamic-taint.d.ts

@@ -0,0 +1,102 @@
+/**
+ * Dynamic Taint Analysis Engine
+ *
+ * Advanced taint tracking implementation for comprehensive data flow analysis
+ * with support for memory tainting, register tracking, and vulnerability detection.
+ */
+import type { TaintSource, TaintLabel, TaintedMemory, TaintedRegister, TaintConfig, TaintAnalysisResult, TaintCapableEngine } from '../types/taint-tracking';
+/**
+ * Advanced dynamic taint analysis engine with comprehensive tracking capabilities
+ */
+export declare class DynamicTaintEngine implements TaintCapableEngine {
+    private config;
+    private memoryState;
+    private registerState;
+    private taintLabels;
+    private propagationRules;
+    private analysisSession;
+    private hipaa;
+    private analysisStartTime;
+    private instructionCount;
+    constructor(config?: Partial<TaintConfig>);
+    private createDefaultConfig;
+    private createHipaaUtilities;
+    private createDefaultRules;
+    /**
+     * Configure taint tracking settings
+     */
+    configureTaint(config: TaintConfig): Promise<void>;
+    /**
+     * Perform comprehensive taint analysis on binary data
+     */
+    performTaintAnalysis(data: Uint8Array): Promise<TaintAnalysisResult>;
+    /**
+     * Get current taint state for debugging and analysis
+     */
+    getTaintState(): Promise<{
+        memory: TaintedMemory[];
+        registers: TaintedRegister[];
+    }>;
+    /**
+     * Add a custom taint source at a specific location
+     */
+    addTaintSource(address: string, source: TaintSource, label?: Partial<TaintLabel>): Promise<void>;
+    /**
+     * Check if a memory location is currently tainted
+     */
+    isTainted(address: string): Promise<boolean>;
+    /**
+     * Identify entry points and potential taint sources through static analysis
+     */
+    private identifyEntryPoints;
+    /**
+     * Initialize taint sources based on identified entry points
+     */
+    private initializeTaintSources;
+    /**
+     * Perform taint propagation analysis through simulated execution
+     */
+    private performTaintPropagation;
+    /**
+     * Generate simulated instructions for demonstration
+     * In practice, this would come from a real dynamic analysis engine
+     */
+    private generateSimulatedInstructions;
+    /**
+     * Process a single instruction for taint propagation
+     */
+    private processInstruction;
+    /**
+     * Find the best matching propagation rule for an instruction
+     */
+    private findMatchingRule;
+    /**
+     * Get taint information from source operands
+     */
+    private getSourceTaints;
+    /**
+     * Get taint labels associated with an operand
+     */
+    private getTaintsForOperand;
+    /**
+     * Propagate taint from sources to destinations
+     */
+    private propagateTaint;
+    /**
+     * Create a taint flow when reaching a sink
+     */
+    private createTaintFlow;
+    /**
+     * Analyze flows for security vulnerabilities
+     */
+    private analyzeVulnerabilities;
+    private getTotalSources;
+    private getTotalSinks;
+    private isFlowSanitized;
+    private isAddressInRange;
+    private isRegister;
+    private determineSinkType;
+    private calculateSeverity;
+    private getCWEForSink;
+    private getSuggestedMitigations;
+}

package/dist/types/engines/hybrid-orchestrator.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Hybrid Analysis Orchestrator
+ *
+ * Advanced orchestration framework for coordinating multiple analysis engines
+ * including Binary Ninja, Ghidra, dynamic taint tracking, and custom engines.
+ */
+import type { AnalysisEngine, AnalysisPhase, EngineCapability, HybridConfig, HybridAnalysisResult, HybridOrchestrator } from '../types/taint-tracking';
+/**
+ * Main hybrid orchestration engine
+ */
+export declare class HybridAnalysisOrchestrator implements HybridOrchestrator {
+    private config;
+    private engines;
+    private correlator;
+    private activeSessions;
+    /**
+     * Configure the orchestrator
+     */
+    configure(config: HybridConfig): Promise<void>;
+    /**
+     * Register an analysis engine with the orchestrator
+     */
+    registerEngine(engine: AnalysisEngine, instance: any, capabilities: EngineCapability): Promise<void>;
+    /**
+     * Execute comprehensive hybrid analysis
+     */
+    analyze(data: Uint8Array): Promise<HybridAnalysisResult>;
+    /**
+     * Get available engines and their capabilities
+     */
+    getAvailableEngines(): Promise<EngineCapability[]>;
+    /**
+     * Cancel ongoing analysis
+     */
+    cancelAnalysis(sessionId: string): Promise<boolean>;
+    /**
+     * Get analysis progress
+     */
+    getProgress(sessionId: string): Promise<{
+        phase: AnalysisPhase;
+        completedTasks: number;
+        totalTasks: number;
+        estimatedTimeRemaining: number;
+    }>;
+    /**
+     * Generate analysis tasks based on orchestration strategy
+     */
+    private generateAnalysisTasks;
+    /**
+     * Execute tasks with proper scheduling and dependency management
+     */
+    private executeTasks;
+    /**
+     * Execute a single analysis task
+     */
+    private executeTask;
+    private calculateTaskDependencies;
+    private calculateTaskPriority;
+    private estimateTaskDuration;
+    private calculateResultConfidence;
+    private findTaskEngine;
+    private determineCurrentPhase;
+    private generateHybridResult;
+    private generateRecommendations;
+}

package/dist/types/engines/hybrid-taint-integration.d.ts

@@ -0,0 +1,129 @@
+/**
+ * Hybrid Taint Analysis Integration
+ *
+ * Complete integration package for dynamic taint tracking and hybrid orchestration
+ * with existing Pompelmi decompilation engines and HIPAA compliance.
+ */
+import type { TaintConfig, TaintAnalysisResult, HybridConfig, HybridAnalysisResult, AnalysisEngine } from '../types/taint-tracking';
+import type { TaintPolicy } from './taint-policies';
+import type { DecompilationScanner, DecompilationResult } from '../types/decompilation';
+/**
+ * Enhanced analysis result combining all engines
+ */
+export interface EnhancedAnalysisResult {
+    /** Analysis session ID */
+    sessionId: string;
+    /** Overall success status */
+    success: boolean;
+    /** Total analysis time */
+    totalTime: number;
+    /** Static analysis results */
+    static?: {
+        binaryNinja?: DecompilationResult;
+        ghidra?: DecompilationResult;
+    };
+    /** Dynamic taint analysis results */
+    taint?: TaintAnalysisResult;
+    /** Hybrid orchestration results */
+    hybrid?: HybridAnalysisResult;
+    /** Policy used for analysis */
+    policy?: TaintPolicy;
+    /** Security assessment */
+    security: {
+        riskScore: number;
+        vulnerabilities: Array<{
+            type: string;
+            severity: 'low' | 'medium' | 'high' | 'critical';
+            confidence: number;
+            description: string;
+            evidence: any;
+            mitigations: string[];
+        }>;
+        recommendations: string[];
+    };
+    /** Compliance assessment */
+    compliance?: {
+        hipaaCompliant: boolean;
+        issues: Array<{
+            type: string;
+            severity: 'info' | 'warning' | 'critical';
+            description: string;
+            remediation: string;
+        }>;
+        auditTrail: any[];
+    };
+    /** Performance metrics */
+    performance: {
+        enginesUsed: AnalysisEngine[];
+        totalInstructions: number;
+        memoryPeak: number;
+        cpuTime: number;
+    };
+}
+/**
+ * Main integration class for hybrid taint analysis
+ */
+export declare class HybridTaintAnalyzer {
+    private orchestrator;
+    private policyManager;
+    private taintEngine;
+    private registeredEngines;
+    constructor();
+    /**
+     * Initialize the analyzer with registered engines
+     */
+    initialize(engines: {
+        binaryNinja?: DecompilationScanner;
+        ghidra?: DecompilationScanner;
+    }): Promise<void>;
+    /**
+     * Perform comprehensive analysis using specified policy
+     */
+    analyze(data: Uint8Array, policyName?: string, options?: {
+        enabledEngines?: AnalysisEngine[];
+        customConfig?: Partial<HybridConfig>;
+        includeCompliance?: boolean;
+    }): Promise<EnhancedAnalysisResult>;
+    /**
+     * Get available analysis policies
+     */
+    getAvailablePolicies(): TaintPolicy[];
+    /**
+     * Get policies by use case
+     */
+    getPoliciesByUseCase(useCase: 'malware' | 'vulnerability' | 'compliance' | 'forensics' | 'general'): TaintPolicy[];
+    /**
+     * Register a custom analysis policy
+     */
+    registerPolicy(policy: TaintPolicy): void;
+    /**
+     * Perform quick taint analysis without full orchestration
+     */
+    quickTaintAnalysis(data: Uint8Array, config?: Partial<TaintConfig>): Promise<TaintAnalysisResult>;
+    /**
+     * Check if data contains taint at specific location
+     */
+    checkTaint(address: string): Promise<boolean>;
+    /**
+     * Add custom taint source for analysis
+     */
+    addTaintSource(address: string, source: string, metadata?: any): Promise<void>;
+    private registerEngine;
+    private createEngineCapabilities;
+    private createHybridConfig;
+    private mergeConfigs;
+    private processResults;
+    private extractStaticResults;
+    private calculateSecurityAssessment;
+    private calculateComplianceAssessment;
+    private calculatePerformanceMetrics;
+    private generateSecurityRecommendations;
+    private generateAuditTrail;
+    private getDefaultTaintConfig;
+    private generateSessionId;
+    private createFailureResult;
+}
+export declare function analyzeWithTaint(data: Uint8Array, engines: {
+    binaryNinja?: DecompilationScanner;
+    ghidra?: DecompilationScanner;
+}, policy?: string): Promise<EnhancedAnalysisResult>;

package/dist/types/engines/taint-policies.d.ts

@@ -0,0 +1,84 @@
+/**
+ * Taint Analysis Policy Configuration
+ *
+ * Predefined and configurable taint analysis policies for different
+ * analysis scenarios including malware analysis, vulnerability assessment,
+ * and compliance auditing.
+ */
+import type { TaintConfig, OrchestrationStrategy, HybridConfig, AnalysisEngine } from '../types/taint-tracking';
+/**
+ * Policy template for different analysis scenarios
+ */
+export interface TaintPolicy {
+    /** Policy identifier */
+    name: string;
+    /** Policy description */
+    description: string;
+    /** Target use case */
+    useCase: 'malware' | 'vulnerability' | 'compliance' | 'forensics' | 'general';
+    /** Taint tracking configuration */
+    taintConfig: TaintConfig;
+    /** Hybrid orchestration strategy */
+    orchestrationStrategy: OrchestrationStrategy;
+    /** Additional metadata */
+    metadata: {
+        version: string;
+        author: string;
+        created: string;
+        tags: string[];
+        riskLevel: 'low' | 'medium' | 'high' | 'critical';
+    };
+}
+/**
+ * Predefined taint policies for common analysis scenarios
+ */
+export declare class TaintPolicyManager {
+    private policies;
+    private customRules;
+    constructor();
+    /**
+     * Get a policy by name
+     */
+    getPolicy(name: string): TaintPolicy | null;
+    /**
+     * Get all available policies
+     */
+    getAllPolicies(): TaintPolicy[];
+    /**
+     * Get policies by use case
+     */
+    getPoliciesByUseCase(useCase: TaintPolicy['useCase']): TaintPolicy[];
+    /**
+     * Register a custom policy
+     */
+    registerPolicy(policy: TaintPolicy): void;
+    /**
+     * Create a hybrid configuration from a policy
+     */
+    createHybridConfig(policyName: string, engineOverrides?: {
+        [engine in AnalysisEngine]?: {
+            enabled: boolean;
+            config?: any;
+        };
+    }): HybridConfig;
+    /**
+     * Initialize predefined policies
+     */
+    private initializePredefinedPolicies;
+    /**
+     * Create orchestration strategies for different policies
+     */
+    private createMalwareStrategy;
+    private createVulnerabilityStrategy;
+    private createComplianceStrategy;
+    private createForensicsStrategy;
+    private createFastScreeningStrategy;
+    /**
+     * Generate custom taint propagation rules for different use cases
+     */
+    private getMalwareAnalysisRules;
+    private getVulnerabilityAssessmentRules;
+    private getComplianceAuditRules;
+    private getForensicsAnalysisRules;
+    private getFastScreeningRules;
+}

package/dist/types/hipaa-compliance.d.ts

@@ -0,0 +1,110 @@
+/**
+ * HIPAA Compliance Module for Pompelmi
+ *
+ * This module provides comprehensive HIPAA compliance features for healthcare environments
+ * where Pompelmi is used to analyze potentially compromised systems containing PHI.
+ *
+ * Key protections:
+ * - Data sanitization and redaction
+ * - Secure temporary file handling
+ * - Audit logging
+ * - Memory protection
+ * - Error message sanitization
+ */
+export interface HipaaConfig {
+    enabled: boolean;
+    auditLogPath?: string;
+    encryptTempFiles?: boolean;
+    sanitizeErrors?: boolean;
+    sanitizeFilenames?: boolean;
+    memoryProtection?: boolean;
+    requireSecureTransport?: boolean;
+}
+export interface AuditEvent {
+    timestamp: string;
+    eventType: 'file_scan' | 'temp_file_created' | 'temp_file_deleted' | 'error_occurred' | 'phi_detected' | 'security_violation';
+    sessionId: string;
+    userId?: string;
+    details: {
+        action: string;
+        fileHash?: string;
+        fileSizeBytes?: number;
+        success: boolean;
+        sanitizedError?: string;
+        metadata?: Record<string, unknown>;
+    };
+}
+declare class HipaaComplianceManager {
+    private config;
+    private sessionId;
+    private auditEvents;
+    constructor(config: HipaaConfig);
+    /**
+     * Sanitize filename to prevent PHI leakage in logs
+     */
+    sanitizeFilename(filename?: string): string;
+    /**
+     * Sanitize error messages to prevent PHI exposure
+     */
+    sanitizeError(error: Error | string): string;
+    /**
+     * Create secure temporary file path with encryption if enabled
+     */
+    createSecureTempPath(prefix?: string): string;
+    /**
+     * Get or create secure temporary directory with restricted permissions
+     */
+    private getSecureTempDir;
+    /**
+     * Secure file cleanup with multiple overwrite passes
+     */
+    secureFileCleanup(filePath: string): Promise<void>;
+    /**
+     * Calculate secure file hash for audit purposes
+     */
+    calculateFileHash(data: Uint8Array): string;
+    /**
+     * Log audit event
+     */
+    auditLog(eventType: AuditEvent['eventType'], details: Partial<AuditEvent['details']>): void;
+    /**
+     * Write audit event to file
+     */
+    private writeAuditLog;
+    /**
+     * Generate cryptographically secure session ID
+     */
+    private generateSessionId;
+    /**
+     * Get current audit events for this session
+     */
+    getAuditEvents(): AuditEvent[];
+    /**
+     * Clear sensitive data from memory
+     */
+    clearSensitiveData(): void;
+    /**
+     * Validate transport security
+     */
+    validateTransportSecurity(url?: string): boolean;
+}
+/**
+ * Initialize HIPAA compliance
+ */
+export declare function initializeHipaaCompliance(config: HipaaConfig): HipaaComplianceManager;
+/**
+ * Get current HIPAA compliance manager
+ */
+export declare function getHipaaManager(): HipaaComplianceManager | null;
+/**
+ * HIPAA-compliant error wrapper
+ */
+export declare function createHipaaError(error: Error | string, context?: string): Error;
+/**
+ * HIPAA-compliant temporary file utilities
+ */
+export declare const HipaaTemp: {
+    createPath: (prefix?: string) => string;
+    cleanup: (filePath: string) => Promise<void>;
+};
+export { HipaaComplianceManager };

package/dist/types/presets.d.ts

@@ -1,7 +1,19 @@
-import type { Scanner } from "./types";
-export type PresetName = string;
+import type { Scanner, AnalysisDepth } from "./types";
+export type PresetName = 'basic' | 'advanced' | 'malware-analysis' | 'decompilation-basic' | 'decompilation-deep' | string;
 export interface PresetOptions {
+    yaraRules?: string | string[];
+    yaraTimeout?: number;
+    enableDecompilation?: boolean;
+    decompilationEngine?: 'binaryninja-hlil' | 'ghidra-pcode' | 'both';
+    decompilationDepth?: AnalysisDepth;
+    decompilationTimeout?: number;
+    binaryNinjaPath?: string;
+    pythonPath?: string;
+    ghidraPath?: string;
+    analyzeHeadless?: string;
+    timeout?: number;
     [key: string]: unknown;
 }
 export declare function composeScanners(...scanners: Scanner[]): Scanner;
-export declare function createPresetScanner(_preset: PresetName, _opts?: PresetOptions): Scanner;
+export declare function createPresetScanner(preset: PresetName, opts?: PresetOptions): Scanner;
+export declare const PRESET_CONFIGS: Record<string, PresetOptions>;

package/dist/types/types/decompilation.d.ts

@@ -0,0 +1,96 @@
+/** Decompilation-specific types for Pompelmi */
+export type DecompilationEngine = 'binaryninja-hlil' | 'ghidra-pcode';
+export type AnalysisDepth = 'minimal' | 'basic' | 'deep';
+export interface DecompilationMatch {
+    rule: string;
+    severity?: 'low' | 'medium' | 'high' | 'critical';
+    engine: DecompilationEngine;
+    confidence: number;
+    meta?: {
+        function?: string;
+        address?: string;
+        instruction?: string;
+        pattern?: string;
+        [key: string]: unknown;
+    };
+}
+export interface FunctionAnalysis {
+    name: string;
+    address: string;
+    size: number;
+    complexity?: number;
+    callCount?: number;
+    isObfuscated?: boolean;
+    hasAntiAnalysis?: boolean;
+    suspiciousCalls?: string[];
+}
+export interface DecompilationResult {
+    engine: DecompilationEngine;
+    success: boolean;
+    functions: FunctionAnalysis[];
+    matches: DecompilationMatch[];
+    meta?: {
+        analysisTime?: number;
+        binaryFormat?: string;
+        architecture?: string;
+        [key: string]: unknown;
+    };
+}
+export interface DecompilationScanner {
+    scan(bytes: Uint8Array): Promise<DecompilationMatch[]>;
+    analyze?(bytes: Uint8Array): Promise<DecompilationResult>;
+}
+export interface HLILInstruction {
+    operation: string;
+    address: string;
+    operands?: any[];
+    vars?: string[];
+}
+export interface HLILFunction {
+    name: string;
+    address: string;
+    instructions: HLILInstruction[];
+    basicBlocks?: number;
+    complexity?: number;
+}
+export interface BinaryNinjaOptions {
+    timeout?: number;
+    depth?: AnalysisDepth;
+    enableHeuristics?: boolean;
+    pythonPath?: string;
+    binaryNinjaPath?: string;
+}
+export interface PCodeOperation {
+    opcode: string;
+    address: string;
+    inputs?: string[];
+    output?: string;
+}
+export interface PCodeFunction {
+    name: string;
+    address: string;
+    operations: PCodeOperation[];
+    basicBlocks?: number;
+}
+export interface GhidraOptions {
+    timeout?: number;
+    depth?: AnalysisDepth;
+    enableHeuristics?: boolean;
+    ghidraPath?: string;
+    analyzeHeadless?: string;
+}
+export interface DecompilationOptions {
+    engine: DecompilationEngine;
+    timeout?: number;
+    depth?: AnalysisDepth;
+    enableHeuristics?: boolean;
+    binaryNinja?: BinaryNinjaOptions;
+    ghidra?: GhidraOptions;
+}
+export interface SuspiciousPattern {
+    name: string;
+    description: string;
+    severity: 'low' | 'medium' | 'high' | 'critical';
+    pattern: RegExp | string | ((instruction: any) => boolean);
+}
+export declare const SUSPICIOUS_PATTERNS: SuspiciousPattern[];