Oleksandr Bezdieniezhnykh
3.0 KiB
Security Tests
NFT-SEC-01: Signed Cache Manifest Enforcement
Summary: Validate that unsigned or tampered cache manifests cannot produce trusted anchors.
Traces to: AC-8.2, AC-8.3, AC-NEW-4, AC-NEW-7
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | Provide valid signed manifest | System accepts cache fixture if all freshness and resolution checks pass |
| 2 | Provide unsigned manifest | System rejects cache fixture and logs security event |
| 3 | Provide hash-mismatched tile sidecar | System rejects affected tile and emits no trusted anchor from it |
Pass criteria: 0 unsigned or hash-mismatched fixtures produce satellite_anchored output or trusted generated tile promotion.
NFT-SEC-02: Cache Poisoning Write Gate
Summary: Validate that generated onboard tiles are not written or promoted when parent-pose covariance is too weak.
Traces to: AC-8.4, AC-NEW-7
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | Replay generated tile candidate with parent sigma <=3 m | Tile may be written as candidate with full quality metadata |
| 2 | Replay candidate with parent sigma in (3 m, 5 m] | Tile is marked lower trust per sidecar policy |
| 3 | Replay candidate with parent sigma >5 m | Tile is not eligible for write/promotion |
Pass criteria: Tile trust level and write eligibility match AC-NEW-7; no over-threshold tile becomes trusted basemap.
NFT-SEC-03: MAVLink Source And Spoofing Rejection
Summary: Validate that spoofed real-GPS measurements and unauthorized MAVLink sources do not override trusted estimator state.
Traces to: AC-3.5, AC-4.3, AC-NEW-2, AC-NEW-8
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | Inject spoofed GPS_RAW_INT during normal visual operation |
Estimator rejects inconsistent GPS based on FC health and visual/satellite consistency |
| 2 | Inject spoofed GPS during visual blackout | Spoofed GPS remains excluded until health and visual consistency gates pass |
| 3 | Inject MAVLink messages from unauthorized source ID | Message is ignored and security/status event is logged |
Pass criteria: No unauthorized or spoofed input causes a confident position estimate; promotion/demotion status is visible to QGC and FDR.
NFT-SEC-04: No In-Flight Satellite Provider Access
Summary: Validate that the runtime system does not call commercial or Suite satellite services during flight.
Traces to: AC-8.1, AC-8.3, Restrictions Satellite Imagery
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | Run replay with network blocked | System continues using local cache |
| 2 | Run replay requiring missing tile | System reports degraded/relocalization-needed status, not an external fetch |
Pass criteria: 0 outbound satellite-provider or Suite Service calls during runtime; missing cache data produces controlled degraded behavior.