
Add Snowflake platform red-team assessment #44

Merged
AndrewAltimit merged 2 commits into main from snowflake-redteam-assessment
May 15, 2026

@AndrewAltimit
Owner

Summary

  • Findings document (docs/analysis/snowflake-platform-attack-surface-2026.md) — working notes covering UNC5537 / post-2024 threat landscape, authoritative CVE inventory sourced from OpenCVE, full platform attack surface (auth/identity, Cortex AI, Native Apps/NAAAPS, SPCS, external functions/storage integrations, execution primitives), five attack chains, detection blind spots, and tooling-reuse map against existing repo modules
  • Report web app (reports/snowflake-platform-assessment/) — six linked static HTML pages with no build step; CI copies the directory as-is to _site/snowflake/
  • Landing page (site/index.html) — Snowflake report card added alongside the Databricks dashboard

Pages

| Page | Content |
| --- | --- |
| index.html | Executive summary, key findings, scope |
| threat-landscape.html | UNC5537 incident, post-2024 hardening, 2026 attacker profiles |
| cve-inventory.html | CVE table with red-team commentary (CVE-2026-6442 through the connector secret-leakage cohort) |
| attack-chains.html | Chains A-E: credential theft, Cortex AI injection, Native Apps supply-chain, federated-IdP pivot, cross-cloud storage pivot |
| detection.html | Audit sources, blind spots, detection SQL |
| recommendations.html | Prioritized controls (immediate / short-term / AI surface) |

CI change

Removed the build step entirely (no concatenation needed for a plain HTML site). The assemble step is now a single cp -r.

Test plan

  • Verify all six HTML pages open and nav links work locally (python -m http.server 8080 in the report dir)
  • Confirm CI passes (assemble step copies _site/snowflake/ correctly)
  • Spot-check GitHub Pages landing page shows the new report card

Generated with Claude Code

AI Agent Bot and others added 2 commits May 15, 2026 07:08
Deep dive covering UNC5537 / post-2024 landscape, authoritative CVE
inventory (CVE-2026-6442 Cortex Code sandbox escape, JDBC privilege
escalation, connector secret-leakage cohort), five attack chains
(credential theft, AI injection, Native Apps supply-chain, federated-IdP
pivot, cross-cloud storage integration), detection surface analysis, and
prioritized recommendations.

Deliverables:
- docs/analysis/snowflake-platform-attack-surface-2026.md — working notes
- reports/snowflake-platform-assessment/ — six linked static HTML pages
  (no build step; CI copies directory as-is to _site/snowflake/)
- site/index.html — report card added to GitHub Pages landing page

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Adds the attack chains and audit surfaces the analysis doc carried but the
HTML report omitted (key-pair theft, Direct Share / Replication exfil, SPCS
egress, MCP tool poisoning, connector debug-log to SIEM, bind-parameter
evasion, CVE-2026-6442 retrospective hunt), the auth-surface table covering
PATs and SCIM, and a Cortex inference-egress section. Tiers recommendations
with P0/P1/P2 badges and owner/effort hints. Adds an appendix page with
glossary and scope. CI gains a nav-parity and internal-link check, and the
assemble step is hardened with an explicit allowlist and an existence gate.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
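
The second commit mentions a nav-parity and internal-link check in CI. The following is an added example of such a gate, not the repository's own CI script; it assumes a flat directory of `.html` pages, navigation inside a `<nav>` element, and `index.html` as the reference page, and the names `LinkCollector` and `check_site` are hypothetical.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect every <a href>, and separately those inside a <nav> element."""
    def __init__(self):
        super().__init__()
        self.nav_depth = 0
        self.hrefs, self.nav_hrefs = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "nav":
            self.nav_depth += 1
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.hrefs.append(href)
            if self.nav_depth:
                self.nav_hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "nav" and self.nav_depth:
            self.nav_depth -= 1

def check_site(root):
    """Return (broken, mismatched): dead internal links and pages whose nav differs from index.html."""
    root = os.path.abspath(root)
    pages = sorted(f for f in os.listdir(root) if f.endswith(".html"))
    broken, navs = [], {}
    for page in pages:
        collector = LinkCollector()
        with open(os.path.join(root, page), encoding="utf-8") as fh:
            collector.feed(fh.read())
        navs[page] = collector.nav_hrefs
        for href in collector.hrefs:
            url = urlsplit(href)
            if url.scheme or url.netloc or not url.path:
                continue  # external URL or same-page #fragment
            target = os.path.normpath(os.path.join(root, url.path))
            # Internal links must resolve to a real file inside the report dir.
            inside = os.path.commonpath([root, target]) == root
            if not (inside and os.path.isfile(target)):
                broken.append((page, href))
    reference = navs.get("index.html", [])  # assumption: index.html carries the canonical nav
    mismatched = [p for p in pages if navs[p] != reference]
    return broken, mismatched

if __name__ == "__main__":
    import sys
    broken, mismatched = check_site(sys.argv[1])
    print("broken links:", broken, "nav mismatches:", mismatched)
    sys.exit(1 if broken or mismatched else 0)
```

Site-absolute links such as `/index.html` are reported as broken, which is the desired result for a report served from a subpath like `_site/snowflake/`.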
@AndrewAltimit AndrewAltimit merged commit 084fb40 into main May 15, 2026
2 checks passed
@AndrewAltimit AndrewAltimit deleted the snowflake-redteam-assessment branch May 15, 2026 13:09
AndrewAltimit added a commit that referenced this pull request May 15, 2026
…depth (#45)

Builds on the docs-only iter-1 (PR #44) with full-PoC tooling across the
three target areas plus the empirical work the prior appendix flagged
as deferred.

New tooling — all loopback-mocked, all gated on ContainmentGuard, all
paired with detection/ subdirs per the repo convention:

- tools/cloud-identity/snowflake/    — JWT key-pair signer (Chain F),
                                       PAT scope walk, SCIM token
                                       harvester w/ role-race primitive
- tools/lateral-movement/snowflake-pivot/ — storage-integration enum
                                       (Chain E), Direct Share +
                                       replication-group exfil (Chain G,
                                       audit-bypass demo), bind-param
                                       evasion against QUERY_HISTORY
- tools/llm-attacks/cortex/          — Cortex Search poisoning bench,
                                       Cortex Agent MCP poisoning bench
                                       (Chain I), Cortex Guardrails
                                       FP/FN test harness

Mocks (loopback-only, ports 9600/9610/9620):

- infra/lab/mock-snowflake/         — REST surface: JWT/PAT/SCIM auth,
                                      SQL exec w/ QUERY_HISTORY replay,
                                      shares/replication, Cortex
                                      Search/Agents w/ a deterministic
                                      planner stub
- infra/lab/mock-snowflake-mcp/     — pluggable MCP server for the
                                      Cortex agent bench

Detection pack:

- 13 Sigma rules + KQL/SPL hunts + per-tool false-positive notes
- detection/snowflake/ cross-chain index covering chains A–I, plus a
  streaming QUERY_HISTORY ingest pattern (KQL) and a connector-debug-
  log secret-cohort regex (SPL) — addresses prior appendix question
  about real-time alerting vs ACCOUNT_USAGE's ~45m latency

Analysis / report content:

- docs/analysis/snowflake-platform-attack-surface-2026.md gains chains
  F–I (closes the gap with the HTML report's chain set), the Snowflake
  Trail vs ACCOUNT_USAGE field-by-field mapping, and the JDBC
  4.0.0–4.2.0 transitive-CVE rollup
- reports/.../cve-inventory.html adds the 9 transitive CVEs shipped in
  2026 H1 JDBC releases
- reports/.../index.html clarifies how technical, business, and
  leadership readers should each navigate the report
- site/index.html landing card refreshed for chains A–I + new tooling

Containment additions:

- tools/lib/containment.py — assert_snowflake_is_mock,
  assert_snowflake_lab_account (multi-account aware so source+target
  lab accounts both pass Chain G validation), three reserved mock
  ports

CI:

- ci/check_snowflake_tools_syntax.py compiles every new module; wired
  into main-ci.yml alongside the existing snowflake report-integrity
  gate
- All 11 CI gates pass locally (detection-pairing confirms each new
  tool dir is paired with a detection/ subdir)

Empirical findings landing in this iteration:

- Chain G server-side data motion confirmed as a source-side audit
  gap on the mock — pair with lab-validation/*.sql to validate against
  a sandbox tenant
- Bind-parameter coverage gap reproduced end-to-end: prepared COPY
  INTO @stage statements record only the parameterized text in
  QUERY_HISTORY, bind values are absent
- Cortex Agent planner does propagate second-order tool calls and
  does execute SQL embedded in tool output — demonstrated against
  both directive and sql_embed MCP modes
- First-gen regex Guardrails baseline catches ~54.5% of the public
  IPI seed corpus — concrete floor for the appendix question

Co-authored-by: AI Agent Bot <ai-agent@localhost>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
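
The bind-parameter finding above says QUERY_HISTORY keeps only the parameterized text of a prepared `COPY INTO @stage`. The following hunt is an added example, not code from the repository's detection pack: it flags unload statements whose recorded text still contains bind placeholders, so they can be correlated with other telemetry. The row shape, the sample rows, the `?` and `:1` placeholder forms, and the function name are assumptions made for the illustration.

```python
import re

# Constructed QUERY_HISTORY-style rows (query_id, user_name, query_text); not real data.
SAMPLE_ROWS = [
    ("q1", "etl_svc", "COPY INTO @exports/daily FROM (SELECT * FROM sales WHERE region = 'EMEA')"),
    ("q2", "jdoe", "COPY INTO @exports/tmp FROM (SELECT * FROM customers WHERE tenant_id = ?)"),
    ("q3", "jdoe", "copy into @~/out from (select v:id::string from raw where ts > :1) -- nightly?"),
    ("q4", "etl_svc", "SELECT '?' AS q, ts::date FROM events WHERE id = 7"),
    ("q5", "jdoe", "COPY INTO orders FROM @landing/orders PATTERN = '.*[.]csv'"),
]

# String literals and comments can contain '?' or ':' without being binds.
_STRIP = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/", re.S)
# Unload direction only: the COPY INTO target is a stage (@...), not a table.
_UNLOAD = re.compile(r"\bCOPY\s+INTO\s+(@\S+)", re.I)
# '?' or ':name' / ':1', excluding '::' casts and 'col:path' traversal.
_BIND = re.compile(r"\?|(?<![:\w]):\w+")

def hunt_blind_unloads(rows):
    """Return (query_id, user, stage, placeholders) for unloads whose
    bound values cannot be recovered from the recorded query text."""
    hits = []
    for query_id, user, text in rows:
        bare = _STRIP.sub(" ", text)
        unload = _UNLOAD.search(bare)
        binds = _BIND.findall(bare)
        if unload and binds:
            hits.append((query_id, user, unload.group(1), binds))
    return hits

if __name__ == "__main__":
    for hit in hunt_blind_unloads(SAMPLE_ROWS):
        print(hit)
```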