Oleksandr Bezdieniezhnykh
cab7b5d020
- Modified the Docker Compose configuration to include an input root for replay tests and added an environment variable for enabling SITL. - Enhanced documentation for various testing processes, including the addition of a Runtime Completeness Decomposition Gate and clarifications on internal module testing requirements. - Updated the implementation completeness report to reflect the current state and added new test cases for performance and resilience scenarios. Co-authored-by: Cursor <cursoragent@cursor.com>
3.8 KiB
Security Tests
NFT-SEC-01: Signed Cache Manifest Enforcement
Summary: Validate that unsigned or tampered cache manifests cannot produce trusted anchors.
Traces to: AC-8.2, AC-8.3, AC-NEW-4, AC-NEW-7
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | Provide valid signed manifest | System accepts cache fixture if all freshness and resolution checks pass |
| 2 | Provide unsigned manifest | System rejects cache fixture and logs security event |
| 3 | Provide hash-mismatched tile sidecar | System rejects affected tile and emits no trusted anchor from it |
Pass criteria: 0 unsigned or hash-mismatched fixtures produce satellite_anchored output or trusted generated tile promotion.
NFT-SEC-02: Cache Poisoning Write Gate
Summary: Validate that generated onboard tiles are not written or promoted when parent-pose covariance is too weak.
Traces to: AC-8.4, AC-NEW-7
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | Replay generated tile candidate with parent sigma <=3 m | Tile may be written as candidate with full quality metadata |
| 2 | Replay candidate with parent sigma in (3 m, 5 m] | Tile is marked lower trust per sidecar policy |
| 3 | Replay candidate with parent sigma >5 m | Tile is not eligible for write/promotion |
Pass criteria: Tile trust level and write eligibility match AC-NEW-7; no over-threshold tile becomes trusted basemap.
NFT-SEC-03: MAVLink Source And Spoofing Rejection
Summary: Validate that spoofed real-GPS measurements and unauthorized MAVLink sources do not override trusted estimator state.
Traces to: AC-3.5, AC-4.3, AC-NEW-2, AC-NEW-8
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | Inject spoofed GPS_RAW_INT during normal visual operation |
Estimator rejects inconsistent GPS based on FC health and visual/satellite consistency |
| 2 | Inject spoofed GPS during visual blackout | Spoofed GPS remains excluded until health and visual consistency gates pass |
| 3 | Inject MAVLink messages from unauthorized source ID | Message is ignored and security/status event is logged |
Pass criteria: No unauthorized or spoofed input causes a confident position estimate; promotion/demotion status is visible to QGC and FDR.
NFT-SEC-04: No In-Flight Satellite Provider Access
Summary: Validate that the runtime system does not call commercial or Suite satellite services during flight.
Traces to: AC-8.1, AC-8.3, Restrictions Satellite Imagery
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | Run replay with network blocked | System continues using local cache |
| 2 | Run replay requiring missing tile | System reports degraded/relocalization-needed status, not an external fetch |
Pass criteria: 0 outbound satellite-provider or Suite Service calls during runtime; missing cache data produces controlled degraded behavior.
NFT-SEC-INFRA: Invalid Cache No-Fetch Smoke
Summary: Validate that the replay harness treats untrusted cache fixtures as a successful security rejection, not as a trusted anchor.
Traces to: AZ-236 AC-2, AZ-236 AC-3, AZ-233 Security NFR
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | Run replay with cache_variant=stale |
Satellite cache stub marks the manifest untrusted and records no network fetch |
| 2 | Inspect replay evidence | Scenario reports pass, source_label=untrusted_cache_rejected, and GPS_INPUT.fix_type=0 |
Pass criteria: The invalid cache smoke scenario passes only when the untrusted fixture is rejected and no external satellite-provider or Suite service network fetch is attempted.