name	security-audit
description	Use this skill to perform a security-focused audit of the codebase to identify vulnerabilities, sandbox escapes, and logic flaws.

Security Audit

Overview

Perform a rigorous security assessment of the Epsilon WebAssembly engine. The objective is to identify exploitable vulnerabilities, verify sandbox isolation, and ensure safe host interactions. Do not focus just on local changes, look at the project as a whole.

Procedure

1. Investigation Methodology

Your goal is to find flaws that automated tools or basic reviews miss. Do not restrict yourself to a predefined checklist. Instead, employ a systematic, deep-dive methodology:

Select Entry Points: Begin at the boundaries where untrusted input enters the system or interacts with the host. High-value starting points include the main execution loop (e.g., epsilon/vm.go), host interface boundaries (e.g., wasip1/), or memory indexing operations.
Spawn Specialized Subagents: For complex files or distinct components, spawn focused subagents to audit them in isolation. Instruct these subagents to investigate specific mechanics deeply rather than doing a shallow read.
Trace Execution Paths: Follow the flow of untrusted data (instructions, indices, offsets, file descriptors) from ingestion to execution. Assume the input is malicious.
Audit Specification Deviations: Compare the implementation of complex instructions against the WebAssembly 2.0 formal execution rules. Any optimization that skips or defers a spec-mandated check is a potential vulnerability.

2. Verification & PoC Generation

Never report a bug without actively triggering it locally.

Create a Vulnerability Directory: For each confirmed flaw, create a new directory at vulnerabilities/[id]/ (e.g., vulnerabilities/VULN-01/).
Write the PoC: Place a Go test or a minimal .wasm file that reliably triggers the flaw inside the specific vulnerability directory.
Test Constraints:
- Do NOT write tests that invoke a single VM instance concurrently.
- To prove state leakage, write tests that run multiple independent VMs concurrently using go test -race.
- To prove parser crashes or bounds-check failures, write a standard Go fuzz test (go test -fuzz).

3. Reporting Format

If a vulnerability is confirmed locally, document it in a README.md file located within the corresponding vulnerabilities/[id]/ directory using this exact format:

# [Concise Title of the Issue]

**Severity:** [Critical | High | Medium | Low] **Affected Component:** [File
path and function name] **Bug Type:** [e.g., Path Traversal, OOB Slice Panic,
State Leakage]

## Root Cause

[Strictly technical explanation of the code flaw. Cite specific lines. Explain
the gap between intended logic and actual behavior.]

## Execution Flow

[Step-by-step breakdown of how the PoC triggers the bug.]

## Observable Impact

[Exact result: e.g., "Go panic: index out of range", "Race condition detected".]

## Proposed Remediation

[Provide the specific Go code diff to patch the vulnerability.]

Critical Rules

Isolation: You are strictly prohibited from modifying any existing files in the repository. All work, including PoCs and documentation, must be contained within the vulnerabilities/ directory.
No Panics: The engine must never panic on untrusted WASM or invalid WASI arguments. All bounds and inputs must be validated and returned as standard Go errors.
No Speculation: If you cannot write a failing Go test to prove the bug, do not report it.

Security Audit

Overview

Procedure

1. Investigation Methodology

Your goal is to find flaws that automated tools or basic reviews miss. Do not restrict yourself to a predefined checklist. Instead, employ a systematic, deep-dive methodology:

Select Entry Points: Begin at the boundaries where untrusted input enters the system or interacts with the host. High-value starting points include the main execution loop (e.g., epsilon/vm.go), host interface boundaries (e.g., wasip1/), or memory indexing operations.

Spawn Specialized Subagents: For complex files or distinct components, spawn focused subagents to audit them in isolation. Instruct these subagents to investigate specific mechanics deeply rather than doing a shallow read.

Trace Execution Paths: Follow the flow of untrusted data (instructions, indices, offsets, file descriptors) from ingestion to execution. Assume the input is malicious.

Audit Specification Deviations: Compare the implementation of complex instructions against the WebAssembly 2.0 formal execution rules. Any optimization that skips or defers a spec-mandated check is a potential vulnerability.

2. Verification & PoC Generation

Never report a bug without actively triggering it locally.

Create a Vulnerability Directory: For each confirmed flaw, create a new directory at vulnerabilities/[id]/ (e.g., vulnerabilities/VULN-01/).

Write the PoC: Place a Go test or a minimal .wasm file that reliably triggers the flaw inside the specific vulnerability directory.

Test Constraints:

Do NOT write tests that invoke a single VM instance concurrently.
To prove state leakage, write tests that run multiple independent VMs concurrently using go test -race.
To prove parser crashes or bounds-check failures, write a standard Go fuzz test (go test -fuzz).

3. Reporting Format

If a vulnerability is confirmed locally, document it in a README.md file located within the corresponding vulnerabilities/[id]/ directory using this exact format:

# [Concise Title of the Issue] **Severity:** [Critical | High | Medium | Low] **Affected Component:** [File path and function name] **Bug Type:** [e.g., Path Traversal, OOB Slice Panic, State Leakage] ## Root Cause [Strictly technical explanation of the code flaw. Cite specific lines. Explain the gap between intended logic and actual behavior.] ## Execution Flow [Step-by-step breakdown of how the PoC triggers the bug.] ## Observable Impact [Exact result: e.g., "Go panic: index out of range", "Race condition detected".] ## Proposed Remediation [Provide the specific Go code diff to patch the vulnerability.]

Critical Rules

Isolation: You are strictly prohibited from modifying any existing files in the repository. All work, including PoCs and documentation, must be contained within the vulnerabilities/ directory.

No Panics: The engine must never panic on untrusted WASM or invalid WASI arguments. All bounds and inputs must be validated and returned as standard Go errors.

No Speculation: If you cannot write a failing Go test to prove the bug, do not report it.

security-audit

Security Audit

Overview

Procedure

1. Investigation Methodology

2. Verification & PoC Generation

3. Reporting Format

Critical Rules

Más de este repositorio

Más de este repositorio

Security Audit

Overview

Procedure

1. Investigation Methodology

2. Verification & PoC Generation

3. Reporting Format

Critical Rules