cynapse 0.1.0

Real-time, memory-resident binary integrity verification for Rust applications
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264

//! # Cynapse — Binary Memory Integrity Monitor
//!
//! **Real-time, memory-resident binary integrity verification for Rust applications.**
//!
//! Cynapse continuously validates executable memory segments to detect runtime injection,
//! tampering, or in-memory patching — providing a self-defending layer for secure,
//! high-assurance software.
//!
//! ## Overview
//!
//! Modern attacks often target live memory: code injection, API hooking, shellcode placement,
//! or silent function patching. **Cynapse** is designed to **detect and mitigate in-memory
//! tampering** at runtime.
//!
//! It works by:
//! 1. Mapping executable memory regions of your process
//! 2. Computing a Merkle-tree-based checksum baseline
//! 3. Continuously verifying page integrity while your application runs
//! 4. Executing callbacks (alert, self-heal, or terminate) when tampering is detected
//!
//! ## Quick Start
//!
//! ```rust,no_run
//! use cynapse::Monitor;
//! use std::time::Duration;
//!
//! let mut monitor = Monitor::new()
//!     .with_interval(Duration::from_secs(3))
//!     .on_tamper(|segment, diff| {
//!         eprintln!("[ALERT] Tampering detected in {:?}", segment);
//!     });
//!
//! monitor.start();
//!
//! // Your application logic continues...
//! loop {
//!     std::thread::sleep(Duration::from_secs(1));
//! }
//! ```
//!
//! ## Advanced Configuration
//!
//! ```rust,no_run
//! use cynapse::{Monitor, TamperResponse, WhitelistPolicy};
//! use std::time::Duration;
//!
//! let monitor = Monitor::builder()
//!     .interval(Duration::from_secs(2))
//!     .enable_merkle_trees(true)
//!     .adaptive_sampling(true)
//!     .whitelist_jit_regions(WhitelistPolicy::ByPattern(vec![".jit".to_string()]))
//!     .enable_forensics(true)
//!     .build()
//!     .expect("Failed to initialize monitor");
//!
//! monitor.start();
//! ```
//!
//! ## Security Model
//!
//! Cynapse detects and mitigates:
//! - Code injection and patching
//! - DLL/SO injection
//! - ROP chains and shellcode execution
//! - Inline API hooking (depending on page granularity)
//!
//! It explicitly allows:
//! - JIT compilation (when whitelisted)
//! - Self-modifying code (when whitelisted)
//!
//! ## Platform Support
//!
//! - **Linux**: Via `/proc/self/maps` and direct memory reading
//! - **Windows**: Via `VirtualQuery` and memory APIs
//! - **macOS**: Via Mach kernel APIs
//!
//! ## Safety
//!
//! This crate contains minimal `unsafe` code, isolated to platform-specific memory reading.
//! All unsafe blocks are documented with safety invariants and have been validated with Miri.

#![warn(missing_docs)]
#![warn(clippy::all)]
#![allow(dead_code)] // Remove after full implementation

use std::time::Duration;
use thiserror::Error;

// Core modules
pub mod core;
pub use core::{monitor::Monitor, monitor::MonitorBuilder};

// Platform abstraction
mod platform;

// Optional modules
#[cfg(feature = "remote-attestation")]
pub mod attestation;

pub mod utils;

// Re-exports
pub use core::{
    forensics::ForensicSnapshot,
    hasher::{HashAlgorithm, MerkleTree},
    mapper::{MemorySegment, SegmentPermissions},
    monitor::MonitorHandle,
};

/// Errors that can occur during monitor operations
#[derive(Error, Debug)]
pub enum Error {
    /// Failed to initialize the monitor
    #[error("Monitor initialization failed: {0}")]
    InitializationFailed(String),

    /// Failed to map memory segments
    #[error("Memory mapping failed: {0}")]
    MappingFailed(String),

    /// Failed to compute hash
    #[error("Hashing failed: {0}")]
    HashingFailed(String),

    /// Tampering detected
    #[error("Tampering detected in segment: {0}")]
    TamperingDetected(String),

    /// Platform-specific error
    #[error("Platform error: {0}")]
    PlatformError(String),

    /// I/O error
    #[error("I/O error: {0}")]
    IoError(#[from] std::io::Error),

    /// Configuration error
    #[error("Configuration error: {0}")]
    ConfigurationError(String),

    /// Monitor already running
    #[error("Monitor is already running")]
    AlreadyRunning,

    /// Monitor not running
    #[error("Monitor is not running")]
    NotRunning,
}

/// Result type for cynapse operations
pub type Result<T> = std::result::Result<T, Error>;

/// Configuration for the integrity monitor
#[derive(Debug, Clone)]
pub struct MonitorConfig {
    /// Verification interval (how often to check for tampering)
    pub interval: Duration,

    /// Enable Merkle tree optimization for faster verification
    pub use_merkle: bool,

    /// Hash algorithm to use
    pub hash_algorithm: HashAlgorithm,

    /// Enable adaptive sampling (adjust interval based on risk)
    pub adaptive: bool,

    /// JIT region whitelist policy
    pub whitelist_policy: WhitelistPolicy,

    /// Enable forensic snapshots on tampering detection
    pub enable_forensics: bool,

    /// Maximum snapshot size in bytes
    pub max_snapshot_size: usize,

    /// Tamper response strategy
    pub response: TamperResponse,
}

impl Default for MonitorConfig {
    fn default() -> Self {
        Self {
            interval: Duration::from_secs(3),
            use_merkle: true,
            hash_algorithm: HashAlgorithm::Blake3,
            adaptive: false,
            whitelist_policy: WhitelistPolicy::None,
            enable_forensics: false,
            max_snapshot_size: 10 * 1024 * 1024, // 10 MB
            response: TamperResponse::Alert,
        }
    }
}

/// Policy for whitelisting legitimate self-modifying code
#[derive(Debug, Clone)]
pub enum WhitelistPolicy {
    /// No whitelisting
    None,

    /// Whitelist segments matching specific patterns (e.g., ".jit", ".v8")
    ByPattern(Vec<String>),

    /// Whitelist specific address ranges
    ByAddressRange(Vec<(usize, usize)>),

    /// Custom whitelist function
    Custom,
}

/// Response action when tampering is detected
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TamperResponse {
    /// Log the event and continue
    Log,

    /// Alert (log + invoke callbacks) and continue
    Alert,

    /// Attempt to restore from baseline
    Restore,

    /// Terminate the process immediately
    Terminate,
}

/// Information about detected tampering
#[derive(Debug, Clone)]
pub struct TamperInfo {
    /// The affected memory segment
    pub segment: MemorySegment,

    /// Byte positions that differ from baseline
    pub differences: Vec<u8>,

    /// Original hash
    pub original_hash: Vec<u8>,

    /// Current hash
    pub current_hash: Vec<u8>,

    /// Timestamp of detection
    pub timestamp: std::time::SystemTime,
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_default_config() {
        let config = MonitorConfig::default();
        assert_eq!(config.interval, Duration::from_secs(3));
        assert!(config.use_merkle);
        assert_eq!(config.response, TamperResponse::Alert);
    }

    #[test]
    fn test_tamper_response_variants() {
        assert_eq!(TamperResponse::Log, TamperResponse::Log);
        assert_ne!(TamperResponse::Log, TamperResponse::Alert);
    }
}