Skip to content

Snowflake red-team iter-7 — audit-driven credibility & deployment fixes#50

Merged
AndrewAltimit merged 1 commit into
mainfrom
snowflake-iter-7-audit-fixes
May 15, 2026
Merged

Snowflake red-team iter-7 — audit-driven credibility & deployment fixes#50
AndrewAltimit merged 1 commit into
mainfrom
snowflake-iter-7-audit-fixes

Conversation

@AndrewAltimit
Copy link
Copy Markdown
Owner

@AndrewAltimit AndrewAltimit commented May 15, 2026

Summary

Addresses the iter-6 audit's P0/P1/P2 findings end-to-end. The analysis docs already
graded chains EMPIRICAL/MODELED/HYPOTHESIS but the executive HTML report stripped that
signal; the detection pack hid which rules were deployment-blocked; and several modelled
chains lacked incident anchors. This iteration restores the maturity signal end-to-end,
ships the IdP audit ingest templates the federated-login / scope-drift rules depend on,
decomposes Chain B into its empirical vs hypothesis parts, and adds integration-test
coverage that pins the contracts the detection pack and analysis narratives rely on.

What changed

Credibility & maturity honesty

  • Maturity badges restored to HTML report: legend + 14 chain headers in
    attack-chains.html; key-findings rows in index.html carry inline maturity tags
    matching the analysis docs.
  • Chain B decomposed: CVE-2026-6442 is now explicitly EMPIRICAL (PromptArmor
    disclosure, vendor-patched), while the end-to-end exfil scenario stacked on top
    remains HYPOTHESIS. Visible in the HTML callout, the analysis doc, and the
    chain-reference-table footnote.
  • Modelled-chain caveats: SPCS egress matrix (Chain H), Polaris API (Chain K),
    Cortex Agent planner robustness (Chain I), and the lab-vs-tenant gap are now
    explicit footnotes in chain-reference-table.md.
  • Incident anchors for Chains C, E, G, H, I, K, L, M — replaces "None direct"
    with documented source/analog statements that name the related class without
    inventing Snowflake-specific incidents.

Detection-pack deployment honesty

  • DEPLOYMENT_BLOCKED table (10 rules) added to detection.html and
    detection/snowflake/README.md. Each row names the dependency (Cortex sidecar,
    IdP audit feed, EDR telemetry) plus the interim policy-layer workaround so SOCs
    aren't left with silently-broken rules.
  • Bind-parameter audit gap reframed as a Snowflake platform limitation in
    attack-chains.html and detection.html, with compensating controls
    (row-access policies, BYTES_WRITTEN_TO_RESULT baselines, external-stage DDL
    alerts, network policies on service users).

IdP audit ingest templates (new)

Three template directories under detection/snowflake/enrichment-templates/:

  • idp-okta-system-log/ — Splunk TA local overrides, Sentinel data-connector spec,
    KQL parser function. Unblocks federated-login, SCIM-role-race, OAuth-scope-drift
    for Okta tenants.
  • idp-entra-signin/ — Entra diagnostic-settings ARM template, Sentinel KQL parser,
    Splunk Microsoft Cloud Services TA local config.
  • oauth-consent-snapshot/ — Snowpark stored procedures (Okta + Entra grants
    pollers) that land a daily IdP consent snapshot via External Access Integration,
    plus Sentinel KQL and Splunk saved-search diffs for Chain L silent-widening.

Healthcare extension

  • Cortex Guardrails corpus extended with 16 healthcare-malicious + 4
    healthcare-benign payloads across 6 HIPAA-relevant categories (phi_extraction,
    cohort_fishing, reid_attempt, deid_bypass, min_necessary_violation,
    baa_scope_violation). Harness README adds healthcare-tier interpretation.
  • Risk Register Template entries (SNOW-A, SNOW-G, SNOW-F, SNOW-J) added to the
    healthcare overlay with HIPAA control mappings — copy-paste-ready for a covered
    entity's risk analysis under §164.308(a)(1)(ii)(A).

Test coverage (new)

tests/integration/ gains 20 new tests + 3 pre-existing Chain A — all 23 green:

  • test_snowflake_pivot_tools.py — 8 tests covering storage_integration_enum,
    share_creation_exfil, replication_group_exfil, bind_param_evasion (pins the
    _bindings audit-gap protocol contract), spcs_egress_probe (schema-pins the
    matrix shape the analysis doc references), spcs_base_image_probe,
    iceberg_catalog_pivot (graceful-failure envelope for Chain K), udf_eai_egress.
  • test_snowflake_identity_tools.py — 7 tests covering jwt_keypair_signer,
    pat_scope_enum (both PAT modes), pat_discovery (with EXPLOIT_FIXTURE_ROOT
    wiring), partner_integration_audit, oauth_scope_audit, scim_token_harvester.
  • test_cortex_corpus_shape.py — 5 tests pinning the corpus schema, the
    healthcare tier's per-category coverage, and the benign-control invariant
    the FP/FN summary depends on.

Diff stats

29 files changed, 2,875 insertions(+), 54 deletions(-).

Test plan

  • python3 tools/ci/check_no_real_tenants.py — PASS
  • python3 tools/ci/check_detection_pairing.py — PASS (40 module trees)
  • python3 tools/ci/check_no_committed_drivers.py — PASS
  • python3 ci/check_snowflake_report_integrity.py — PASS (7 pages, nav parity + internal links)
  • python3 ci/check_snowflake_tools_syntax.py — PASS (24 modules)
  • EXPLOIT_LAB_ACTIVE=1 python3 -m pytest tests/integration/ — 23 passed
  • HTML parse-checked (html.parser) for all three modified report pages
  • Visual spot-check of maturity badges in the HTML report once rendered

Generated with Claude Code

@claude
Snowflake red-team iter-7 — audit-driven credibility & deployment fixes
898c284 
Addresses the iter-6 audit's P0/P1 findings: the analysis docs honestly
graded chain maturity (EMPIRICAL/MODELED/HYPOTHESIS) but the executive
HTML report stripped that signal, the detection pack hid which rules
were deployment-blocked, and several modelled chains lacked source
anchors. This iteration restores the maturity signal end-to-end, ships
the IdP audit ingest templates the federated-login / scope-drift rules
need to fire, decomposes Chain B into its empirical vs hypothesis
parts, and adds integration-test coverage that pins the contracts the
detection pack and analysis narratives depend on.

Also extends the Cortex Guardrails corpus with a healthcare tier
(PHI extraction, cohort fishing, Sweeney-class re-ID, Safe Harbor
bypass, minimum-necessary violation, BAA scope violation) so
covered-entity tenants can measure guardrails efficacy against their
actual threat model, and adds copy-paste-ready risk-register entries
to the healthcare overlay.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@AndrewAltimit AndrewAltimit merged commit 0e6b222 into main May 15, 2026
2 checks passed
@AndrewAltimit AndrewAltimit deleted the snowflake-iter-7-audit-fixes branch May 15, 2026 19:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@AndrewAltimit