fix(detector): flag chr-concat string construction as obfuscated dispatch#15
Closed
SinatrasC wants to merge 1 commit into
Closed
fix(detector): flag chr-concat string construction as obfuscated dispatch#15SinatrasC wants to merge 1 commit into
SinatrasC wants to merge 1 commit into
Conversation
…atch Targets red #17 ('chr-concat getattr dispatch') under 'Direction - Obfuscated exec / dynamic execution'. Live KG (kernelguard==0.2.2) called it valid because: def custom_kernel(data): op = chr(99) + chr(108) + chr(111) + chr(110) + chr(101) return getattr(data, op)() contains no literal 'eval' / 'exec' / 'compile' / '__import__' calls, so the existing detect_dynamic_execution Call-walking detector misses it. The string 'clone' is built character-by-character at runtime, which hides the literal attribute name from grep-based filters and hands a constructed string to getattr. Approach: in detect_dynamic_execution, after the existing Call-walking pass, do a single BinOp walk over the AST. For each top-level Add BinOp, count chr()-call leaves in the chain via a small recursive helper: - Add(BinOp, BinOp): sum left and right - Call(Name('chr'), ...): 1 - anything else: -1 (disqualifies the chain) If the count is >=3, emit an OBFUSCATED_EXEC match. Below 3 chr leaves or any non-chr leaf disqualifies the chain - this keeps the rule from firing on incidental two-character chr concats, on plain string-literal concatenation ('a' + 'b' + 'c'), and on chr-call-mixed-with-literal shapes that aren't pure obfuscation. Verified: chr_concat_clone (red #17) and chr_concat_exec_call are flagged; two_chr_only, plain_kernel, plain_string_concat_legit stay valid; classic_obfuscated_exec (lzma/b64) still fires through the existing Call-walking pass.
SinatrasC
temporarily deployed
to
kernelguard-api-control-plane
May 1, 2026 13:17 — with
GitHub Actions
Inactive
KernelGuard Blue Evaluation
|
4 tasks
Collaborator
Author
|
Thanks for the KernelGuard Flywheel Campaign contribution. We are not selecting this PR for merge because it is too narrow or not aligned with the current consolidated rule-family surface. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Targets red #17 under "Direction — Obfuscated exec / dynamic execution",
submitted via the Flywheel-proxied path with no participant KG API key
(the public-participant flow described on the campaign root). Live
kernelguard==0.2.2classifies itvalid:The string
"clone"is built character-by-character at runtime, thenhanded to
getattrto execute the underlyingdata.clone(). There isno literal
eval/exec/compile/__import__anywhere in thesource, so
detect_dynamic_execution's existingCall-walking passdoesn't fire.
Approach
After the existing Call-walking pass, walk all
BinOpnodes once. Foreach
Addchain, recursively countchr()call leaves:BinOp(Add, lhs, rhs)→count(lhs) + count(rhs)Call(Name('chr'), ...)→1-1(disqualifies the whole chain)If the chain has ≥ 3 chr leaves, emit an
OBFUSCATED_EXECmatchwith evidence noting the leaf count. Below 3, or any non-chr / non-Add
node mixed in, the chain is silently ignored.
Why this rule is safe
chr()calls chained with+essentially never appearin legitimate compute kernels. The 20 nvfp4 false-positive cases are
real production GEMM/GEMV implementations — none of them use
chr().rule mean two-character constructions, mixed-literal strings (
"abc" + chr(10)), and incidental string assembly with format strings all stayunflagged.
OBFUSCATED_EXECCall-walking pass for lzma/b64/zlibpayloads is unaffected — both passes can match independently and
contribute to a single result.
KernelGuard-Red-Submission: 17
Test plan
chr_concat_clone(red fix(detector): add IS_NONE_SENTINEL_REPLAY for RED #30 #17) →OBFUSCATED_EXEC,should_filter=Truechr_concat_exec_call(sibling shape: builds"exec", dispatches via__builtins__) → flaggedtwo_chr_only_not_flagged→ staysvalid(only 2 chr leaves, below threshold)plain_kernel→ staysvalidplain_string_concat_legit(string literals, no chr) → staysvalidclassic_obfuscated_exec(lzma + base64 + exec) → still flagged via the existing Call-walking pass