Skip to content

feat(semantickernel): add interactive trainer, verify_all.sh, and submission audit#47

Open
JDP-Security wants to merge 2 commits into
GenAI-Security-Project:mainfrom
JDP-Security:semantic-kernel-orchestration-vulns
Open

feat(semantickernel): add interactive trainer, verify_all.sh, and submission audit#47
JDP-Security wants to merge 2 commits into
GenAI-Security-Project:mainfrom
JDP-Security:semantic-kernel-orchestration-vulns

Conversation

@JDP-Security

Copy link
Copy Markdown

Summary

Adds the complete Semantic Kernel v1.48.0 Orchestration Trust Gap vulnerability lab (CVE-2026-25592 / CWE-1039 / CVSS 10.0), based on the JDP-2026-001 white paper disclosure. This lab demonstrates the architectural "Trust Gap" where LLM output is treated as trusted system commands, and the six documented evasion vectors that bypass the official patch.

What's Included

Exploitation Toolkit (exploitation/semantickernel/)

  • interactive_trainer.py — Menu-driven CLI that walks through all 6 Type Confusion vectors and 4 AutoInvoke scenarios with real-time telemetry
  • verify_all.sh — Fully automated double-pass verification (unhardened vs. hardened states) with out-of-band filesystem validation
  • submission_audit.md — Complete vulnerability posture report with TOCTOU analysis, execution matrix, and architecture diagram
  • semantickernel_type_confusion/attack.py — 6 exploit payloads (JSON Array, Object Reflection, Base64, URL Encoding, Unicode Homoglyph, Hybrid Canonicalization)
  • semantickernel_autoinvoke/attack.py — 4 CWE-1039 AutoInvoke scenarios including Shell Blinding bypass

Sandbox Target (sandboxes/agentic_local_semantickernel/)

  • app/Program.cs — Vulnerable Semantic Kernel v1.48.0 API server with dual-mode operation (unhardened / hardened ToString() filter)
  • Makefilemake build, make run, make run-hardened, make attack lifecycle commands
  • Containerfile — Multi-stage .NET 8.0 build for reproducible containerized testing

Documentation

  • Comprehensive READMEs at root, exploitation, sandbox, and submodule levels
  • Updated tutorials/semantickernel_orchestration_security_tutorial.md
  • Removed legacy execution_playbook.md and redundant subdirectory READMEs

Research Reference

This lab validates the findings from JDP-2026-001: The Orchestration Trust Gap — Remediation Evasions in Microsoft Semantic Kernel and Agent Framework 1.0

Key findings demonstrated:

  1. TOCTOU vulnerability in IFunctionInvocationFilter — filter checks BEFORE decoding, sink decodes AFTER
  2. Type Confusion — filter validates string types, sink accepts object (JSON arrays, anonymous objects)
  3. Shell Blinding (commit fa2d52f6) is cosmetic only — commands execute silently in background
  4. All 6 evasion vectors successfully bypass the CVE-2026-25592 patch on v1.48.0

Testing

cd exploitation/semantickernel
./verify_all.sh

Runs full double-pass against the sandbox and validates OOB filesystem artifacts.

test added 2 commits July 7, 2026 09:34
Two vulnerability classes:
1. 6 CVE-2026-25592 bypass vectors (type confusion)
2. AutoInvokeKernelFunctions privilege escalation (CWE-1039) with Shell Blinding (fa2d52f6) and Opt-In Sandboxing (PR #13683) demonstrations.

Includes vulnerable sandbox, attack scripts, tutorial, and mitigations.

Based on JDP-2026-001 :  https://jdp-security.github.io/security-research-papers/2026-04-28-semantic-kernel-disclosure.html -research by Jeff Ponte.
…mission audit

- Add interactive_trainer.py with 6 Type Confusion + AutoInvoke lessons
- Add verify_all.sh double-pass automated verification suite
- Add submission_audit.md with full TOCTOU analysis and sandbox architecture
- Rewrite READMEs (root, exploitation, sandbox) with comprehensive docs
- Remove legacy execution_playbook.md and redundant subdirectory READMEs
- Update sandbox README with research paper URL and dual-mode operation
- Update root README and sandboxes/README.md with semantickernel entries
- Clean up duplicate attack.py in sandbox/exploitation directory
- Add .gitignore for runtime data artifacts
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant