
fix: STPA-Sec round 3 — artifact updates + 3 hardening fixes #81

Merged
avrabe merged 1 commit into main from fix/stpa-sec-round3-hardening
Apr 14, 2026

Conversation

@avrabe
Contributor

@avrabe avrabe commented Apr 14, 2026

Summary

STPA-Sec cross-reference audit: mapped all 35 hazards and 33 system constraints against actual code state. Updated artifacts to reflect PR #80 fixes, identified 3 new gaps, implemented fixes.

STPA Artifact Updates

  • Documented status of all R1+R2 fixes (14 from PR #80, "fix: 14 security hardening fixes from deep audit")
  • Added 3 new hazards: H-36 (cache flooding), H-37 (PATH injection), H-38 (MCUboot partial-image)
  • Added 3 new system constraints: SC-34, SC-35, SC-36
  • Added 3 new attack scenarios: AS-34, AS-35, AS-36

Code Fixes

  • SC-34 / H-36: MemoryProofCache now enforces max_entries (default 10,000) with oldest-entry eviction. Prevents cache flooding DoS (AS-34)
  • SC-35 / H-37: BuildEnvironment::capture() resolves and logs absolute tool paths. Supports WSC_<TOOL>_PATH override env vars for operators to pin trusted binaries (AS-35)
  • SC-36 / H-38: MCUboot parser rejects images where trailing content exceeds 8KB (MAX_TLV_OVERHEAD), preventing partial-image signature attacks where ih_img_size is set smaller than actual payload (AS-36)

Test plan

  • cargo build — clean
  • cargo test — 766 passed, 0 failed
  • CI pipeline

🤖 Generated with Claude Code

STPA artifact updates:
- Document R1+R2 fix status (14 fixes from PR #80)
- Add 3 new hazards: H-36 (cache flooding), H-37 (PATH injection),
  H-38 (MCUboot partial-image)
- Add 3 new system constraints: SC-34 (cache bound), SC-35 (build env
  path logging), SC-36 (MCUboot size validation)
- Add 3 new attack scenarios: AS-34, AS-35, AS-36

Code fixes:
- SC-34: MemoryProofCache now enforces max_entries (default 10,000)
  with oldest-entry eviction when at capacity
- SC-35: BuildEnvironment::capture() resolves and logs absolute paths
  of tool binaries, supports WSC_<TOOL>_PATH override env vars
- SC-36: MCUboot parser rejects images where trailing content exceeds
  8KB (MAX_TLV_OVERHEAD), preventing partial-image signature attacks

All 766 tests passing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
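The SC-36 check described in the PR (reject an image whose declared ih_img_size leaves more than MAX_TLV_OVERHEAD bytes of unsigned trailing content) as an added, self-contained example; it is not the project's own mcuboot.rs parser. It assumes the public 32-byte little-endian MCUboot image header layout and the 8 KiB bound stated above; the test image builder fills payload and trailer with constructed filler bytes rather than real TLVs.

```rust
// Added example, not the project's own parser: the SC-36 trailing-content
// check over the public 32-byte little-endian MCUboot image header.
const IMAGE_MAGIC: u32 = 0x96f3_b83d;
const HEADER_LEN: usize = 32;
const MAX_TLV_OVERHEAD: usize = 8 * 1024; // bound taken from the PR text

#[derive(Debug, PartialEq)]
pub enum ImageError {
    Truncated,
    BadMagic,
    TrailingTooLarge { trailing: usize },
}
fn le_u32(b: &[u8], off: usize) -> u32 {
    u32::from_le_bytes([b[off], b[off + 1], b[off + 2], b[off + 3]])
}

/// Returns the trailer (TLV) length if the image passes. The signed region is
/// ih_hdr_size + ih_img_size; a too-small ih_img_size pushes real payload into
/// the unsigned trailer, so anything over MAX_TLV_OVERHEAD is rejected.
pub fn check_trailing(image: &[u8]) -> Result<usize, ImageError> {
    if image.len() < HEADER_LEN {
        return Err(ImageError::Truncated);
    }
    if le_u32(image, 0) != IMAGE_MAGIC {
        return Err(ImageError::BadMagic);
    }
    let hdr_size = u16::from_le_bytes([image[8], image[9]]) as usize;
    let img_size = le_u32(image, 12) as usize;
    let signed_end = hdr_size.checked_add(img_size).ok_or(ImageError::Truncated)?;
    if signed_end > image.len() {
        return Err(ImageError::Truncated);
    }
    let trailing = image.len() - signed_end;
    if trailing > MAX_TLV_OVERHEAD {
        return Err(ImageError::TrailingTooLarge { trailing });
    }
    Ok(trailing)
}

/// Constructed test image: header declaring `img_size`, then `payload_len`
/// filler payload bytes and `tlv_len` filler trailer bytes (not real TLVs).
pub fn build_image(img_size: u32, payload_len: usize, tlv_len: usize) -> Vec<u8> {
    let mut v = vec![0u8; HEADER_LEN];
    v[0..4].copy_from_slice(&IMAGE_MAGIC.to_le_bytes());
    v[8..10].copy_from_slice(&(HEADER_LEN as u16).to_le_bytes());
    v[12..16].copy_from_slice(&img_size.to_le_bytes());
    v.extend(vec![0xAA; payload_len]);
    v.extend(vec![0xBB; tlv_len]);
    v
}
```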
@codecov

codecov Bot commented Apr 14, 2026

Codecov Report

❌ Patch coverage is 47.14286% with 37 lines in your changes missing coverage. Please review.

File                                          Patch %   Lines missing
src/lib/src/signature/keyless/proof_cache.rs  26.66%    22
src/lib/src/format/mcuboot.rs                 25.00%    9
src/lib/src/build_env.rs                      78.57%    6


@avrabe avrabe merged commit 8c22eed into main Apr 14, 2026
12 of 17 checks passed
@avrabe avrabe deleted the fix/stpa-sec-round3-hardening branch April 14, 2026 05:29
@avrabe avrabe mentioned this pull request Apr 14, 2026
