Crate cynapse


§Cynapse — Binary Memory Integrity Monitor

Real-time, memory-resident binary integrity verification for Rust applications.

Cynapse continuously validates executable memory segments to detect runtime injection, tampering, or in-memory patching — providing a self-defending layer for secure, high-assurance software.

§Overview

Modern attacks often target live memory: code injection, API hooking, shellcode placement, or silent function patching. Cynapse is designed to detect and mitigate in-memory tampering at runtime.

It works by:

  1. Mapping executable memory regions of your process
  2. Computing a Merkle-tree-based checksum baseline
  3. Continuously verifying page integrity while your application runs
  4. Executing callbacks (alert, self-heal, or terminate) when tampering is detected
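Steps 2 and 3 in miniature, as an added example that is not Cynapse's own code: a per-page Merkle baseline over one segment, then a re-check that descends only into subtrees whose hash changed. The names `build`, `descend` and `tampered_pages`, the 4096-byte page size and the non-cryptographic `DefaultHasher` stand-in are assumptions of this sketch, and the segment bytes are constructed.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;
const PAGE: usize = 4096; // assumed page size

// Stand-in hash (NOT cryptographic); a real monitor would use a cryptographic one.
fn h(parts: &[&[u8]]) -> u64 {
    let mut s = DefaultHasher::new();
    for p in parts { s.write(p); }
    s.finish()
}

/// Merkle levels for one segment: levels[0] = page leaves, last level = [root].
fn build(segment: &[u8]) -> Vec<Vec<u64>> {
    let mut levels = vec![segment.chunks(PAGE).map(|p| h(&[&[0u8][..], p])).collect::<Vec<u64>>()];
    while levels.last().unwrap().len() > 1 {
        let next = levels.last().unwrap().chunks(2).map(|n| match n {
            [l, r] => h(&[&[1u8][..], &l.to_le_bytes()[..], &r.to_le_bytes()[..]]),
            _ => n[0], // odd node out: promoted unchanged
        }).collect();
        levels.push(next);
    }
    levels
}

// Walk down from the root, skipping every subtree whose hash still matches.
fn descend(base: &[Vec<u64>], now: &[Vec<u64>], lvl: usize, i: usize, out: &mut Vec<usize>) {
    if base[lvl][i] == now[lvl][i] { return; }
    if lvl == 0 { out.push(i); return; }
    for c in [2 * i, 2 * i + 1] {
        if c < base[lvl - 1].len() { descend(base, now, lvl - 1, c, out); }
    }
}

/// Indices of the pages in `current` that differ from the baseline tree.
fn tampered_pages(base: &[Vec<u64>], current: &[u8]) -> Vec<usize> {
    let now = build(current);
    let (a, b) = (base[0].len(), now[0].len());
    if a != b { return (0..a.max(b)).collect(); } // size change: all pages suspect
    let mut out = Vec::new();
    if a > 0 { descend(base, &now, base.len() - 1, 0, &mut out); }
    out
}

fn main() {
    // Constructed stand-in for the bytes of one executable segment (4.5 pages).
    let mut seg: Vec<u8> = (0..PAGE * 9 / 2).map(|i| (i % 251) as u8).collect();
    let baseline = build(&seg);
    seg[3 * PAGE + 17] ^= 0xCC; // simulate a one-byte in-memory patch
    println!("modified pages: {:?}", tampered_pages(&baseline, &seg));
}
```

The tree localizes a change to a page, not to a byte, which is why the Security Model ties inline-hook detection to page granularity.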

§Quick Start

use cynapse::Monitor;
use std::time::Duration;

// Verify on a 3-second interval and log whenever tampering is reported.
let mut monitor = Monitor::new()
    .with_interval(Duration::from_secs(3))
    .on_tamper(|segment, _diff| {
        eprintln!("[ALERT] Tampering detected in {:?}", segment);
    });

monitor.start();

// Your application logic continues...
loop {
    std::thread::sleep(Duration::from_secs(1));
}

§Advanced Configuration

use cynapse::{Monitor, TamperResponse, WhitelistPolicy};
use std::time::Duration;

let monitor = Monitor::builder()
    .interval(Duration::from_secs(2))
    .enable_merkle_trees(true)
    .adaptive_sampling(true)
    .whitelist_jit_regions(WhitelistPolicy::ByPattern(vec![".jit".to_string()]))
    .enable_forensics(true)
    .build()
    .expect("Failed to initialize monitor");

monitor.start();

§Security Model

Cynapse detects and mitigates:

  • Code injection and patching
  • DLL/SO injection
  • ROP chains and shellcode execution
  • Inline API hooking (depending on page granularity)

It explicitly allows:

  • JIT compilation (when whitelisted)
  • Self-modifying code (when whitelisted)

§Platform Support

  • Linux: Via /proc/self/maps and direct memory reading
  • Windows: Via VirtualQuery and memory APIs
  • macOS: Via Mach kernel APIs

§Safety

This crate contains minimal unsafe code, isolated to platform-specific memory reading. All unsafe blocks are documented with safety invariants and have been validated with Miri.

§Re-exports

pub use core::monitor::Monitor;
pub use core::monitor::MonitorBuilder;
pub use core::forensics::ForensicSnapshot;
pub use core::hasher::HashAlgorithm;
pub use core::hasher::MerkleTree;
pub use core::mapper::MemorySegment;
pub use core::mapper::SegmentPermissions;
pub use core::monitor::MonitorHandle;

§Modules

  • core: Core functionality for memory integrity monitoring
  • utils: Utility modules for cynapse

§Structs

  • MonitorConfig: Configuration for the integrity monitor
  • TamperInfo: Information about detected tampering

§Enums

  • Error: Errors that can occur during monitor operations
  • TamperResponse: Response action when tampering is detected
  • WhitelistPolicy: Policy for whitelisting legitimate self-modifying code

§Type Aliases

  • Result: Result type for cynapse operations