feat(semantickernel): add interactive trainer, verify_all.sh, and submission audit#47
Open
JDP-Security wants to merge 2 commits into
Conversation
added 2 commits
July 7, 2026 09:34
Two vulnerability classes: 1. 6 CVE-2026-25592 bypass vectors (type confusion) 2. AutoInvokeKernelFunctions privilege escalation (CWE-1039) with Shell Blinding (fa2d52f6) and Opt-In Sandboxing (PR #13683) demonstrations. Includes vulnerable sandbox, attack scripts, tutorial, and mitigations. Based on JDP-2026-001 : https://jdp-security.github.io/security-research-papers/2026-04-28-semantic-kernel-disclosure.html -research by Jeff Ponte.
…mission audit - Add interactive_trainer.py with 6 Type Confusion + AutoInvoke lessons - Add verify_all.sh double-pass automated verification suite - Add submission_audit.md with full TOCTOU analysis and sandbox architecture - Rewrite READMEs (root, exploitation, sandbox) with comprehensive docs - Remove legacy execution_playbook.md and redundant subdirectory READMEs - Update sandbox README with research paper URL and dual-mode operation - Update root README and sandboxes/README.md with semantickernel entries - Clean up duplicate attack.py in sandbox/exploitation directory - Add .gitignore for runtime data artifacts
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds the complete Semantic Kernel v1.48.0 Orchestration Trust Gap vulnerability lab (CVE-2026-25592 / CWE-1039 / CVSS 10.0), based on the JDP-2026-001 white paper disclosure. This lab demonstrates the architectural "Trust Gap" where LLM output is treated as trusted system commands, and the six documented evasion vectors that bypass the official patch.
What's Included
Exploitation Toolkit (
exploitation/semantickernel/)interactive_trainer.py— Menu-driven CLI that walks through all 6 Type Confusion vectors and 4 AutoInvoke scenarios with real-time telemetryverify_all.sh— Fully automated double-pass verification (unhardened vs. hardened states) with out-of-band filesystem validationsubmission_audit.md— Complete vulnerability posture report with TOCTOU analysis, execution matrix, and architecture diagramsemantickernel_type_confusion/attack.py— 6 exploit payloads (JSON Array, Object Reflection, Base64, URL Encoding, Unicode Homoglyph, Hybrid Canonicalization)semantickernel_autoinvoke/attack.py— 4 CWE-1039 AutoInvoke scenarios including Shell Blinding bypassSandbox Target (
sandboxes/agentic_local_semantickernel/)app/Program.cs— Vulnerable Semantic Kernel v1.48.0 API server with dual-mode operation (unhardened / hardenedToString()filter)Makefile—make build,make run,make run-hardened,make attacklifecycle commandsContainerfile— Multi-stage .NET 8.0 build for reproducible containerized testingDocumentation
tutorials/semantickernel_orchestration_security_tutorial.mdexecution_playbook.mdand redundant subdirectory READMEsResearch Reference
This lab validates the findings from JDP-2026-001: The Orchestration Trust Gap — Remediation Evasions in Microsoft Semantic Kernel and Agent Framework 1.0
Key findings demonstrated:
IFunctionInvocationFilter— filter checks BEFORE decoding, sink decodes AFTERstringtypes, sink acceptsobject(JSON arrays, anonymous objects)fa2d52f6) is cosmetic only — commands execute silently in backgroundTesting
cd exploitation/semantickernel ./verify_all.shRuns full double-pass against the sandbox and validates OOB filesystem artifacts.