Skip to content

fix(detector): flag chr-concat string construction as obfuscated dispatch#15

Closed
SinatrasC wants to merge 1 commit into
mainfrom
blue-chr-concat-kg-red-17
Closed

fix(detector): flag chr-concat string construction as obfuscated dispatch#15
SinatrasC wants to merge 1 commit into
mainfrom
blue-chr-concat-kg-red-17

Conversation

@SinatrasC

Copy link
Copy Markdown
Collaborator

Summary

Targets red #17 under "Direction — Obfuscated exec / dynamic execution",
submitted via the Flywheel-proxied path with no participant KG API key
(the public-participant flow described on the campaign root). Live
kernelguard==0.2.2 classifies it valid:

def custom_kernel(data):
    op = chr(99) + chr(108) + chr(111) + chr(110) + chr(101)
    return getattr(data, op)()

The string "clone" is built character-by-character at runtime, then
handed to getattr to execute the underlying data.clone(). There is
no literal eval / exec / compile / __import__ anywhere in the
source, so detect_dynamic_execution's existing Call-walking pass
doesn't fire.

Approach

After the existing Call-walking pass, walk all BinOp nodes once. For
each Add chain, recursively count chr() call leaves:

  • BinOp(Add, lhs, rhs)count(lhs) + count(rhs)
  • Call(Name('chr'), ...)1
  • anything else → -1 (disqualifies the whole chain)

If the chain has ≥ 3 chr leaves, emit an OBFUSCATED_EXEC match
with evidence noting the leaf count. Below 3, or any non-chr / non-Add
node mixed in, the chain is silently ignored.

Why this rule is safe

  • Three-or-more chr() calls chained with + essentially never appear
    in legitimate compute kernels. The 20 nvfp4 false-positive cases are
    real production GEMM/GEMV implementations — none of them use chr().
  • The threshold of 3 leaves and the strict "all leaves must be chr()"
    rule mean two-character constructions, mixed-literal strings ("abc" + chr(10)), and incidental string assembly with format strings all stay
    unflagged.
  • The existing OBFUSCATED_EXEC Call-walking pass for lzma/b64/zlib
    payloads is unaffected — both passes can match independently and
    contribute to a single result.

KernelGuard-Red-Submission: 17

Test plan

  • chr_concat_clone (red fix(detector): add IS_NONE_SENTINEL_REPLAY for RED #30 #17) → OBFUSCATED_EXEC, should_filter=True
  • chr_concat_exec_call (sibling shape: builds "exec", dispatches via __builtins__) → flagged
  • two_chr_only_not_flagged → stays valid (only 2 chr leaves, below threshold)
  • plain_kernel → stays valid
  • plain_string_concat_legit (string literals, no chr) → stays valid
  • classic_obfuscated_exec (lzma + base64 + exec) → still flagged via the existing Call-walking pass

…atch

Targets red #17 ('chr-concat getattr dispatch') under 'Direction -
Obfuscated exec / dynamic execution'. Live KG (kernelguard==0.2.2) called
it valid because:

    def custom_kernel(data):
        op = chr(99) + chr(108) + chr(111) + chr(110) + chr(101)
        return getattr(data, op)()

contains no literal 'eval' / 'exec' / 'compile' / '__import__' calls,
so the existing detect_dynamic_execution Call-walking detector misses
it. The string 'clone' is built character-by-character at runtime,
which hides the literal attribute name from grep-based filters and
hands a constructed string to getattr.

Approach: in detect_dynamic_execution, after the existing Call-walking
pass, do a single BinOp walk over the AST. For each top-level Add
BinOp, count chr()-call leaves in the chain via a small recursive
helper:

  - Add(BinOp, BinOp): sum left and right
  - Call(Name('chr'), ...): 1
  - anything else: -1 (disqualifies the chain)

If the count is >=3, emit an OBFUSCATED_EXEC match. Below 3 chr leaves
or any non-chr leaf disqualifies the chain - this keeps the rule from
firing on incidental two-character chr concats, on plain string-literal
concatenation ('a' + 'b' + 'c'), and on chr-call-mixed-with-literal
shapes that aren't pure obfuscation.

Verified: chr_concat_clone (red #17) and chr_concat_exec_call are
flagged; two_chr_only, plain_kernel, plain_string_concat_legit stay
valid; classic_obfuscated_exec (lzma/b64) still fires through the
existing Call-walking pass.
@SinatrasC
SinatrasC temporarily deployed to kernelguard-api-control-plane May 1, 2026 13:17 — with GitHub Actions Inactive
@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

KernelGuard Blue Evaluation

@SinatrasC

Copy link
Copy Markdown
Collaborator Author

Thanks for the KernelGuard Flywheel Campaign contribution. We are not selecting this PR for merge because it is too narrow or not aligned with the current consolidated rule-family surface.

@SinatrasC SinatrasC closed this Jun 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant