Skip to content

feat: add exhaustive-path-tracing to security audit template#244

Merged
Alan-Jowett merged 1 commit intomicrosoft:mainfrom
Alan-Jowett:feat/security-audit-exhaustive-path-tracing
Apr 14, 2026
Merged

feat: add exhaustive-path-tracing to security audit template#244
Alan-Jowett merged 1 commit intomicrosoft:mainfrom
Alan-Jowett:feat/security-audit-exhaustive-path-tracing

Conversation

@Alan-Jowett
Copy link
Copy Markdown
Member

@Alan-Jowett Alan-Jowett commented Apr 14, 2026

Summary

Add the exhaustive-path-tracing protocol to the investigate-security template so that security audits systematically deep-analyze parser and decoder functions that process untrusted structured input.

Changes

File Change
templates/investigate-security.md Add reasoning/exhaustive-path-tracing to protocol list; add instruction 7 (parser/decoder deep analysis criteria and attention items); expand investigation plan from 5 to 7 steps; add coverage ledger to quality checklist
protocols/reasoning/exhaustive-path-tracing.md Add investigate-security to applicable_to list
manifest.yaml Add exhaustive-path-tracing to protocol list; update description

Motivation

The investigate-security template previously included exhaustive-path-tracing only as a comment in the template body instructions but did not declare it in the protocol list or provide criteria for when to apply it. This meant the protocol's full methodology (structural mapping, per-function path tracing, coverage ledgers) was not consistently invoked during security audits.

During a real security audit of a QUIC protocol implementation, the most impactful confirmed finding (ACK frame last-iteration integer underflow) was in exactly the class of function this protocol targets: a loop decoding multiple fields from a wire format with inter-value arithmetic on a running accumulator.

Design Decisions

  • Selective application: The protocol is marked optional and scoped to functions meeting all three criteria (multi-field decode, inter-value arithmetic, iteration with shared state). This prevents over-application to simple functions.
  • Three specific attention items: Inter-value arithmetic validation, loop-carried invariant gaps, and truncation after bounds check — derived from real false-negative and true-positive patterns observed in the audit.
  • Investigation plan expansion: Steps 3 (identify parsers) and 5 (deep-dive) make the workflow explicit rather than leaving parser identification to ad-hoc judgment.

Checklist

  • All files have SPDX license headers
  • YAML frontmatter is valid and complete
  • Component names match file names (kebab-case)
  • manifest.yaml updated with all new components
  • No vague instructions in protocols or templates
  • Templates have a quality checklist section
  • New components do not conflict with existing ones

Copilot AI review requested due to automatic review settings April 14, 2026 15:47
@Alan-Jowett
feat: add exhaustive-path-tracing to security audit template
dbc3cac 
Add the exhaustive-path-tracing protocol to the investigate-security
template for systematic deep analysis of parser and decoder functions
that process untrusted structured input.

Changes:
- Add exhaustive-path-tracing to template protocol list (optional,
  applied selectively to parser/decoder functions)
- Add instruction 7 with criteria for identifying functions that
  warrant deep path tracing (multi-field decode, inter-value
  arithmetic, iteration over decoded elements)
- Add specific attention items: inter-value arithmetic validation,
  loop-carried invariant gaps, truncation after bounds check
- Expand investigation plan from 5 to 7 steps, adding parser
  identification (step 3) and deep-dive (step 5)
- Add coverage ledger requirement to quality checklist
- Update manifest.yaml protocol list and description
- Add investigate-security to exhaustive-path-tracing applicable_to

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Alan-Jowett Alan-Jowett force-pushed the feat/security-audit-exhaustive-path-tracing branch from b2c3b1a to dbc3cac Compare April 14, 2026 15:49
@Alan-Jowett Alan-Jowett merged commit 91320b1 into microsoft:main Apr 14, 2026
2 of 4 checks passed
@Alan-Jowett Alan-Jowett deleted the feat/security-audit-exhaustive-path-tracing branch April 14, 2026 15:50
Copilot AI reviewed Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds the exhaustive-path-tracing protocol to the security audit template configuration so audits consistently apply deeper parser/decoder path analysis for untrusted structured input.

Changes:

  • Expand investigate-security template manifest description to mention selective exhaustive path tracing for parsers/decoders.
  • Add exhaustive-path-tracing to the investigate-security template’s protocol list in manifest.yaml.

Reviewed changes

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

File Description
manifest.yaml Updates the investigate-security template metadata to include exhaustive-path-tracing and describe its selective use
templates/investigate-security.md Not included in provided diff; PR metadata indicates protocol list + investigation steps expanded
protocols/reasoning/exhaustive-path-tracing.md Not included in provided diff; PR metadata indicates applicability updated

Comment thread manifest.yaml
that handle untrusted structured input.
persona: security-auditor
protocols: [anti-hallucination, self-verification, operational-constraints, adversarial-falsification, security-vulnerability]
protocols: [anti-hallucination, self-verification, operational-constraints, adversarial-falsification, security-vulnerability, exhaustive-path-tracing]
Copy link

Copilot AI Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description indicates the protocol identifier being added to templates is reasoning/exhaustive-path-tracing, but this manifest entry adds exhaustive-path-tracing without the reasoning/ prefix. If protocol IDs are expected to match exactly across the manifest and template/protocol definitions, this mismatch can cause the protocol to not resolve (or be duplicated under two IDs). Align the manifest entry with the canonical protocol identifier used elsewhere (either add the reasoning/ prefix here, or standardize on the unprefixed name across all references).

Suggested change
protocols: [anti-hallucination, self-verification, operational-constraints, adversarial-falsification, security-vulnerability, exhaustive-path-tracing]
protocols: [anti-hallucination, self-verification, operational-constraints, adversarial-falsification, security-vulnerability, reasoning/exhaustive-path-tracing]

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Alan-Jowett