Skip to content

Feat(simulator): implement adversarial MCP mocks and attack recipes for Phase 2 Week 4#530

Open
Jean-Regis-M wants to merge 4 commits into
GenAI-Security-Project:mainfrom
Jean-Regis-M:feat/simulator-week4-5
Open

Feat(simulator): implement adversarial MCP mocks and attack recipes for Phase 2 Week 4#530
Jean-Regis-M wants to merge 4 commits into
GenAI-Security-Project:mainfrom
Jean-Regis-M:feat/simulator-week4-5

Conversation

@Jean-Regis-M

@Jean-Regis-M Jean-Regis-M commented Jun 21, 2026

Copy link
Copy Markdown
Contributor

GSoC 2026 - Week 4 Contribution

Description

This week's contribution marks the beginning of Phase 2 (Attack Simulator) of the GSoC project, focusing on the core attack simulation infrastructure. I have implemented:

Core Components

  1. Five adversarial MCP server mocks (finbot/aegis/simulator/mcp_mocks/adversarial.py):

    • AdmServer (ASI02): Admin panel manipulation with privileged escalation tools
    • AdviceServer (ASI04): Financial advice manipulation for investment fraud simulation
    • DataExfiltrationServer (ASI05): Sensitive data theft including PII and financial records
    • FileSystemServer: Unauthorized file system access for reading/writing sensitive files
    • ToolPoisoningServer: Malicious tool injection and backdoor implantation capabilities

  2. Package initializations:

    • finbot/aegis/simulator/mcp_mocks/__init__.py
    • finbot/aegis/simulator/recipes/__init__.py

  3. Attack recipe collections (YAML-defined parametric attack scenarios):

    • 8 ASI01 Prompt Injection recipes (asi01_injection.yaml): System prompt extraction via roleplay, encoding obfuscation, context switching, and authority impersonation
    • 8 ASI02 Tool Misuse recipes (asi02_misuse.yaml): Unauthorized vendor creation, fund transfers, financial report modification, and chained tool misuse attacks

  4. Comprehensive unit test suite (tests/unit/aegis/test_mcp_mocks.py):

    • Tests for all five adversarial MCP servers' initialization and tool exposure
    • Validation of specific attack tool executions (e.g., get_admin_panel, get_user_data)
    • Verification of attack simulation fidelity and error handling

Technical Implementation

  • All MCP servers inherit from BaseAdversarialServer with proper MCP protocol implementation
  • Servers expose realistic attack surface through standardized MCP tool interfaces
  • Recipes follow existing YAML schema with asi, target_agent, description, and executable steps
  • Unit tests utilize pytest-asyncio with mocking for isolated server behavior validation
  • Implementation adheres to existing FinBot codebase patterns and import conventions

Integration Readiness

Components designed for seamless integration with existing SandboxHarness in finbot/aegis/simulator/base.py:

  • MCP servers can be instantiated and run as isolated attack fixtures
  • Recipe collections load automatically via SandboxHarvest._load_recipes()
  • Test suite validates compatibility with attack execution framework

Mentor Acknowledgments

Special thanks to my mentors @mekaizen and @steadhac for their continuous guidance, insightful feedback, and unwavering support throughout this GSoC journey. Their expertise has been invaluable in shaping this contribution to align with project goals and maintain high code quality standards.

This work establishes the foundational attack simulation infrastructure for Phase 2, enabling subsequent weeks to build upon these adversarial simulations for comprehensive attack scenario testing covering all ASI categories (ASI01-ASI10).

Author: Jean Francois Regis MUKIZA
GSoC Week: 4 | Phase 2: Attack Simulator (Weeks 3-6)

@Jean-Regis-M
feat(aegis): add telemetry JSON-LD schema and scaffolding
8f241e0 
- Add finbot/aegis/telemetry/schema.py with AuditEvent models
- Add AEGIS_ENABLED and AEGIS_TELEMETRY_ENABLED settings
- Extend events.py to support 'aegis.*' namespaces
- Add unit tests for telemetry schema
- Update conftest.py for aegis package discovery

Week 1 deliverable - GSoC 2026 OWASP FinBot AEGIS
@Jean-Regis-M
feat(aegis/week2): SentinelStream audit chain + HMAC publisher
2183eeb 
- Add AuditChain for HMAC-SHA256 tamper-evident chaining
- Add SentinelStream service with namespace isolation
- Add event-type indexing (O(1) performance)
- Expand CI workflow (CTF, Labs, Agents tests)
- 11 unit tests with ≥80% coverage
OWASP: ASI01, ASI06
@Jean-Regis-M
feat(aegis/week3): IntentGate + observe service
1181b4b 
- Add IntentGate for policy-as-code PEP/PDP tool validation
- Add AegisEnforcementService observe mode orchestrator
- Add unit tests for IntentGate policy evaluation
- Observe-only mode preserves CTF gameplay (no blocking)
- Integrates with Week 2 SentinelStream for audit telemetry

OWASP Coverage:
- ASI01: Goal hijack detection via policy evaluation
- ASI02: Tool misuse prevention via allow/block decisions
- ASI05: Unexpected RCE blocking via policy rules

Relates to GSoC Week 3 Milestone
@Jean-Regis-M
feat(simulator): week 4 - 5 MCP adversarial servers, 8 ASI01 recipes,…
7e6d839 
… 8 ASI02 recipes, test suite, package inits

Relates to GSoC Week 4 Milestone
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Jean-Regis-M