parlov-analysis 0.6.0

Analysis engine trait and signal detection for parlov.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153

//! `ExistenceAnalyzer` — delegates classification to the scoring pipeline in `classifier`.

use parlov_core::{DifferentialSet, OracleClass, OracleResult, OracleVerdict, ProbeExchange, Vector};

use crate::signals;
use crate::{Analyzer, SampleDecision};

use super::classifier::classify;

/// Analyzes a `DifferentialSet` for existence oracle signals via status-code differential.
///
/// Requires three samples when a differential is detected to confirm stability before
/// classifying. Short-circuits on same-status pairs (`NotPresent`) after the first sample.
/// Runs ALL signal extractors unconditionally and delegates scoring to `classifier::classify`.
pub struct ExistenceAnalyzer;

impl Analyzer for ExistenceAnalyzer {
    fn evaluate(&self, data: &DifferentialSet) -> SampleDecision {
        let b0 = data.baseline[0].response.status;
        let p0 = data.probe[0].response.status;

        if b0 == p0 {
            return SampleDecision::Complete(Box::new(build_result(data)));
        }

        if data.baseline.len() < 3 {
            return SampleDecision::NeedMore;
        }

        let stable = is_consistent(&data.baseline) && is_consistent(&data.probe);
        if stable {
            if is_relevant_differential(data) {
                SampleDecision::Complete(Box::new(build_result(data)))
            } else {
                SampleDecision::Complete(Box::new(not_fired_result(data)))
            }
        } else {
            SampleDecision::Complete(Box::new(unstable_result(data)))
        }
    }

    fn oracle_class(&self) -> OracleClass {
        OracleClass::Existence
    }
}

/// Builds the full `OracleResult` from a stable `DifferentialSet`.
fn build_result(data: &DifferentialSet) -> OracleResult {
    let b0 = data.baseline[0].response.status;
    let p0 = data.probe[0].response.status;

    let signals = extract_all_signals(data);
    classify(b0, p0, signals, &data.technique)
}

/// Runs all signal extractors unconditionally on every `DifferentialSet`.
fn extract_all_signals(data: &DifferentialSet) -> Vec<parlov_core::Signal> {
    let mut out = Vec::new();
    out.extend(signals::status_code::extract(data));
    out.extend(signals::header::extract(data));
    out.extend(signals::metadata::extract(data));
    out.extend(signals::body::extract(data));
    out
}

/// Returns `true` when every exchange in `exchanges` shares the same status as the first.
fn is_consistent(exchanges: &[ProbeExchange]) -> bool {
    exchanges
        .iter()
        .all(|e| e.response.status == exchanges[0].response.status)
}

fn unstable_result(data: &DifferentialSet) -> OracleResult {
    let baseline_stable = is_consistent(&data.baseline);
    let probe_stable = is_consistent(&data.probe);

    let which = match (baseline_stable, probe_stable) {
        (false, false) => "baseline and probe sides",
        (false, true) => "baseline side",
        (true, false) => "probe side",
        (true, true) => unreachable!("unstable_result called when both sides are stable"),
    };

    OracleResult {
        class: OracleClass::Existence,
        verdict: OracleVerdict::NotPresent,
        severity: None,
        confidence: 0,
        impact_class: None,
        reasons: vec![],
        signals: vec![parlov_core::Signal {
            kind: parlov_core::SignalKind::StatusCodeDiff,
            evidence: format!("unstable: {which}"),
            rfc_basis: None,
        }],
        technique_id: Some(data.technique.id.to_string()),
        vector: Some(data.technique.vector),
        normative_strength: Some(data.technique.strength),
        label: None,
        leaks: None,
        rfc_basis: None,
    }
}

/// Returns `true` when the differential is relevant to the technique that generated it.
///
/// Some vectors — particularly `RedirectDiff` — manipulate URLs in ways that can trigger
/// unexpected server-side behavior unrelated to redirect logic (e.g., `200 vs 412`). When
/// neither side of the differential is a 3xx, the technique did not fire and the result
/// must be dismissed rather than scored against the general pattern table.
fn is_relevant_differential(data: &DifferentialSet) -> bool {
    let b0 = data.baseline[0].response.status;
    let p0 = data.probe[0].response.status;

    match data.technique.vector {
        Vector::RedirectDiff => b0.is_redirection() || p0.is_redirection(),
        // Other vectors use the b0 == p0 short-circuit for "technique didn't fire."
        Vector::StatusCodeDiff
        | Vector::CacheProbing
        | Vector::ErrorMessageGranularity => true,
    }
}

/// Produces a `NotPresent` result annotating that the technique did not fire.
///
/// Used when `is_relevant_differential` returns `false` — the differential exists but is
/// a side effect of probe construction, not the expected signal. The signal evidence records
/// the dismissal reason so reporting surfaces it rather than silently dropping the result.
fn not_fired_result(data: &DifferentialSet) -> OracleResult {
    OracleResult {
        class: OracleClass::Existence,
        verdict: OracleVerdict::NotPresent,
        severity: None,
        confidence: 0,
        impact_class: None,
        reasons: vec![],
        signals: vec![parlov_core::Signal {
            kind: parlov_core::SignalKind::StatusCodeDiff,
            evidence: "technique did not fire: no 3xx status in differential".to_owned(),
            rfc_basis: None,
        }],
        technique_id: Some(data.technique.id.to_string()),
        vector: Some(data.technique.vector),
        normative_strength: Some(data.technique.strength),
        label: None,
        leaks: None,
        rfc_basis: None,
    }
}

#[cfg(test)]
#[path = "analyzer_tests.rs"]
mod tests;