secure_resilience 0.1.0

Security resilience helpers for environment checks, integrity signals, and timeout budgeting.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127

//! Environment detection signal types for root/jailbreak, emulator, and debugger detection.
//!
//! These are pure data types — the consuming application implements actual detection
//! and constructs signals. This crate evaluates policy responses.

use serde::Serialize;

/// Confidence level of an environment detection signal.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize)]
pub enum Confidence {
    /// Low confidence — heuristic or indirect evidence.
    Low,
    /// Medium confidence — multiple indicators.
    Medium,
    /// High confidence — direct evidence.
    High,
}

/// An environment detection signal fed from the mobile application into the RASP engine.
///
/// The consuming application implements platform-specific detection (e.g., checking for
/// `su` binary, Magisk, Frida, emulator properties) and constructs these signals.
#[non_exhaustive]
#[derive(Clone, Debug, PartialEq, Eq, Serialize)]
pub enum EnvironmentSignal {
    /// Root or jailbreak detected (MASWE-0097).
    RootDetected {
        /// Confidence of the detection.
        confidence: Confidence,
        /// Human-readable evidence string (e.g., "su binary found at /system/xbin/su").
        evidence: String,
    },
    /// Emulator or virtualized environment detected (MASWE-0098, MASWE-0099).
    EmulatorDetected {
        /// Confidence of the detection.
        confidence: Confidence,
        /// Human-readable evidence string.
        evidence: String,
    },
    /// Debugger attached to the process (MASWE-0100).
    DebuggerAttached {
        /// Confidence of the detection.
        confidence: Confidence,
        /// Human-readable evidence string.
        evidence: String,
    },
    /// An unknown or custom signal type for extensibility.
    Unknown {
        /// Label identifying this custom signal.
        label: String,
        /// Human-readable evidence string.
        evidence: String,
    },
}

impl EnvironmentSignal {
    /// Returns the confidence level of this signal, or `None` for unknown signals.
    pub fn confidence(&self) -> Option<Confidence> {
        match self {
            Self::RootDetected { confidence, .. }
            | Self::EmulatorDetected { confidence, .. }
            | Self::DebuggerAttached { confidence, .. } => Some(*confidence),
            Self::Unknown { .. } => None,
        }
    }

    /// Returns the evidence string for this signal.
    pub fn evidence(&self) -> &str {
        match self {
            Self::RootDetected { evidence, .. }
            | Self::EmulatorDetected { evidence, .. }
            | Self::DebuggerAttached { evidence, .. }
            | Self::Unknown { evidence, .. } => evidence,
        }
    }

    /// Returns a human-readable category name for this signal.
    pub fn category(&self) -> &str {
        match self {
            Self::RootDetected { .. } => "root_detected",
            Self::EmulatorDetected { .. } => "emulator_detected",
            Self::DebuggerAttached { .. } => "debugger_attached",
            Self::Unknown { label, .. } => label,
        }
    }

    /// Returns the inherent threat weight for this signal type (0–100).
    ///
    /// Debugger signals carry the highest weight because they indicate
    /// active runtime analysis.
    pub(crate) fn base_threat_weight(&self) -> u32 {
        match self {
            Self::DebuggerAttached { .. } => 100,
            Self::RootDetected { .. } => 70,
            Self::EmulatorDetected { .. } => 40,
            Self::Unknown { .. } => 0,
        }
    }
}

/// Aggregate threat level computed from accumulated environment signals.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize)]
pub enum ThreatLevel {
    /// No threat detected.
    None,
    /// Low threat — minor or low-confidence signals.
    Low,
    /// Medium threat — multiple low-confidence or single medium-confidence signals.
    Medium,
    /// High threat — high-confidence root or emulator detection.
    High,
    /// Critical threat — debugger attached or combined high-confidence signals.
    Critical,
}

impl ThreatLevel {
    /// Compute threat level from an accumulated threat score.
    pub(crate) fn from_score(score: u32) -> Self {
        match score {
            0 => Self::None,
            1..=30 => Self::Low,
            31..=60 => Self::Medium,
            61..=99 => Self::High,
            _ => Self::Critical,
        }
    }
}