[Security Review] Daily Security Review — AWF Firewall Codebase (2026-04-18)

[github-actions[bot]]

📊 Executive Summary

The AWF (Agentic Workflow Firewall) demonstrates a strong, defense-in-depth security posture overall. The architecture makes several sound design choices: separation of the iptables-init container from the agent (preventing NET_ADMIN in the agent), the one-shot-token LD_PRELOAD library to prevent token replay, Squid-enforced domain allowlisting with injection-safe config generation, and an API proxy sidecar that keeps real credentials out of the agent environment.

Key metrics:

• 4,683 lines of security-critical code analyzed across 7 files
• 0 known CVEs in production dependencies (4 total: chalk, commander, execa, js-yaml)
• 8 identified attack surfaces
• STRIDE threats identified: 12 (3 High, 6 Medium, 3 Low)

Overall posture: GOOD — No critical-severity gaps found. Several medium/low findings documented below.

---

🔍 Findings from Firewall Escape Test

The escape test summary file (/tmp/gh-aw/escape-test-summary.txt) contained CI orchestration metadata from a prior "Secret Digger (Copilot)" workflow run rather than actual escape test payloads. That run concluded with GH_AW_SECRET_VERIFICATION_RESULT: success and GH_AW_AGENT_CONCLUSION: success (noop outputs), meaning the agent found no secrets to exfiltrate — consistent with proper credential isolation.

Key observations from the metadata:

• GH_AW_LOCKDOWN_CHECK_FAILED: false — lockdown enforcement was not bypassed
• GH_AW_INFERENCE_ACCESS_ERROR: false — inference credentials were accessible
• The agent produced only a noop safe output, implying no exfiltration opportunities were discovered

---

🛡️ Architecture Security Analysis

Network Security Assessment

Evidence — src/host-iptables.ts (lines 522–563) and containers/agent/setup-iptables.sh (lines 312–430):

# Host-level DOCKER-USER chain blocks:
- 169.254.0.0/16 (link-local / AWS IMDS) → REJECT
- 224.0.0.0/4 (multicast) → REJECT
- UDP default deny (DNS exfiltration prevention)
- Default REJECT for all other traffic

# Agent-level OUTPUT chain:
- IPv6 disabled via sysctl (prevents IPv6 bypass of IPv4 DNAT rules)
- Dangerous ports (22, 25, 3306, 5432, 6379, 27017, etc.) → DROP
- Port 80/443 → DNAT to Squid:3128
- Default TCP/UDP DROP

Strengths:

• Cloud metadata endpoint (169.254.169.254 / AWS IMDS) is blocked at the host DOCKER-USER chain level (host-iptables.ts:531), preventing credential theft from cloud platforms.
• IPv6 is explicitly disabled in the agent network namespace (setup-iptables.sh:48-49) to prevent IPv6-based proxy bypass ("Happy Eyeballs").
• Docker's embedded DNS DNAT rules are saved and restored when flushing (setup-iptables.sh:78-95), preventing DNS breakage.

Gap — RFC1918 private ranges not blocked at host level:
The host-level FW_WRAPPER chain (host-iptables.ts) blocks link-local and multicast but does not explicitly block 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12 (other than the awf-net subnet itself). An agent that knows a private IP on the host network could potentially reach other internal services if routing permits. The DOCKER-USER chain relies on Docker's own subnet isolation, but this is worth documenting.

Gap — Non-TCP traffic not DNAT'd through Squid:
Only TCP ports 80 and 443 are redirected to Squid. Non-HTTP TCP traffic on non-standard ports (e.g., custom TCP tunneling on port 4443, 8080, etc.) is dropped by the default DROP rule — correct behavior. However, ICMP is not explicitly blocked in the agent OUTPUT chain filter (only TCP/UDP have DROP rules at setup-iptables.sh:428-430). ICMP ping to external hosts may succeed.

Container Security Assessment

Evidence — src/docker-manager.ts (lines 680–683, 1531, 1681-1682):

// Agent: drops NET_RAW and SYS_PTRACE (among others)
cap_drop: ['NET_RAW', 'SYS_PTRACE', ...]

// iptables-init: only NET_ADMIN + NET_RAW, drops ALL others
cap_add: ['NET_ADMIN', 'NET_RAW'],
cap_drop: ['ALL'],

// Squid: drops ALL capabilities
cap_drop: ['ALL']
```

**Evidence — `containers/agent/seccomp-profile.json`:**
```
Default action: SCMP_ACT_ERRNO (deny-by-default)
Syscall entries: 5
- ALLOW: large allowlist (~hundreds of safe syscalls)
- ALLOW: kcmp, pidfd_getfd, process_madvise
- DENY: ptrace, process_vm_readv, process_vm_writev  ← memory inspection blocked
- DENY: kexec_load, kexec_file_load, reboot, init_module, finit_module  ← kernel modification blocked
- DENY: umount, umount2

Strengths:

• ptrace and process_vm_readv/writev are explicitly denied — prevents memory scraping attacks.
• kexec, init_module, finit_module denied — prevents kernel module loading / container escape.
• NET_ADMIN is never granted to the agent container; iptables setup is isolated to a separate init container that exits.
• UID/GID validation in entrypoint.sh (lines 15-33) prevents setting UID/GID to 0 (root).

Gap — kcmp and pidfd_getfd are explicitly ALLOWED in the seccomp profile:

• kcmp compares kernel structures of different processes (file descriptors, memory maps). It can be used to detect container boundaries or to assist in side-channel attacks.
• pidfd_getfd allows duplicating file descriptors from other processes via a pidfd. This is potentially dangerous: if the agent can obtain a pidfd for the Squid proxy or init container process (which share the network namespace), it could duplicate their socket FDs, potentially exfiltrating data through established connections.

These syscalls appear in the explicit ALLOW block and should be reviewed — they may be there for legitimate reasons (e.g., test frameworks), but the risk is non-trivial in an adversarial agent context.

Gap — umount2 is blocked but mount is not mentioned in the deny list:
The seccomp profile explicitly denies umount and umount2 but doesn't appear to block mount. In chroot mode, CAP_SYS_ADMIN is required and dropped before user code runs, so this is mitigated. In non-chroot mode, if the container somehow retained SYS_ADMIN, mount could be used.

Domain Validation Assessment

Evidence — src/domain-patterns.ts (lines 27, 153-173):

// Characters that break Squid config if interpolated unsanitized:
export const SQUID_DANGEROUS_CHARS = /[\s\0"'`;#]/;

// validateDomainOrPattern rejects:
// - whitespace, null bytes, quotes, semicolons, backticks, hash
// - backslash in plain domain names
// - domains > 253 chars
// - wildcard patterns not matching *.<domain> structure

Strengths:

• Input validation is enforced before any domain reaches Squid config via assertSafeForSquidConfig() (squid-config.ts:~100), providing injection defense.
• Wildcard * is converted to a character-class regex [a-zA-Z0-9.-]* rather than .*, preventing ReDoS attacks (domain-patterns.ts:~98).
• DLP module (src/dlp.ts) detects credential patterns (GitHub tokens, AWS keys, etc.) in outbound URLs via Squid url_regex ACLs.

Gap — Backslash excluded from SQUID_DANGEROUS_CHARS:
The comment in domain-patterns.ts:25 documents that backslash is intentionally excluded from the dangerous chars regex for URL patterns (--allow-urls). Domain names separately reject \. However, if a URL pattern contains \\ constructs that reach Squid's regex engine, there's a small theoretical injection surface depending on Squid version's regex handling.

Input Validation Assessment

Evidence — src/cli.ts (line 28), src/host-iptables.ts (lines 38-48):

// Port validation - rejects leading zeros, validates numeric range
export function isValidPortSpec(spec: string): boolean {
  // Accepts: single port (1-65535) or range "N-M"
  // Rejects: leading zeros, out-of-range, non-numeric
}

Strengths:

• Port specifications validated on both TypeScript side (isValidPortSpec) and shell side (is_valid_port_spec in setup-iptables.sh:185-196) — defense-in-depth.
• UID/GID validation in entrypoint prevents numeric injection into usermod/groupmod.

---

⚠️ Threat Model (STRIDE)

Category	Threat	Evidence	Likelihood	Impact	Severity
Spoofing	Agent spoofs DNS responses to redirect whitelisted domain traffic	DNS is restricted to 127.0.0.11 only in resolv.conf; upstream DNS controlled by docker-compose	Low	High	Medium
Spoofing	Agent uses --allow-host-ports to connect directly to host services bypassing Squid domain check	Host gateway bypass skips domain ACL (setup-iptables.sh:206-208)	Medium	Medium	Medium
Tampering	Agent modifies /tmp/awf-lib/one-shot-token.so before LD_PRELOAD	/tmp is world-writable; library is copied from container to /host/tmp — race condition if agent starts before copy completes	Low	High	Medium
Tampering	Agent modifies iptables-audit.txt or init-signal volume	Init volume is rw and shared with agent namespace	Low	Low	Low
Repudiation	Agent clears Squid access logs via log rotation or truncation	Squid logs in shared volume; agent could truncate via /host/tmp	Low	Medium	Low
Information Disclosure	Token in /proc/<PID>/environ before unset_sensitive_tokens runs	Window of ~1s between exec and unset (entrypoint.sh:828-837); mitigated by one-shot-token LD_PRELOAD	Low	High	Medium
Information Disclosure	pidfd_getfd + Squid process FD duplication	Explicitly allowed syscall; agent could duplicate Squid's listening socket FDs	Low	Medium	Medium
Information Disclosure	ICMP exfiltration (DNS-over-ICMP or timing covert channel)	ICMP not blocked in agent OUTPUT filter chain (only TCP/UDP have explicit DROP)	Low	Low	Low
Denial of Service	Agent exhausts Docker network subnet pool via rapid container creation	Mitigated by pre-test cleanup scripts and CI always() cleanup	Medium	Medium	Medium
Denial of Service	Rate limiter bypass in API proxy via parallel connections	containers/api-proxy/rate-limiter.js exists; effectiveness depends on implementation	Low	Medium	Medium
Elevation of Privilege	process_madvise syscall (allowed) could be used for memory manipulation	Allowed in seccomp (SCMP_ACT_ALLOW entry for kcmp, pidfd_getfd, process_madvise)	Low	Medium	Medium
Elevation of Privilege	Container escape via mount syscall if SYS_ADMIN not properly dropped	Depends on cap drop order; entrypoint.sh:416 mounts procfs before drop	Low	High	High

---

🎯 Attack Surface Map

Surface	Entry Point	Current Protections	Risk
Domain allowlist input	CLI --allow-domains flag	validateDomainOrPattern() + assertSafeForSquidConfig() + char blocklist	🟢 Low
Port specification input	CLI --allow-host-ports	isValidPortSpec() in TypeScript + is_valid_port_spec() in shell	🟢 Low
Squid config generation	src/squid-config.ts	assertSafeForSquidConfig() called before every interpolation	🟢 Low
DNS resolution	Agent container /etc/resolv.conf	Docker embedded DNS only; upstream whitelisted in docker-compose	🟡 Medium
iptables NAT rules	Agent network namespace	Init container exits after setup; agent has no NET_ADMIN	🟢 Low
API proxy (port 10001, etc.)	containers/api-proxy/server.js	Rate limiter, body size limit (10MB), header stripping	🟡 Medium
One-shot token library	/host/tmp/awf-lib/one-shot-token.so	Copied before exec; ~1s window before unset	🟡 Medium
pidfd_getfd syscall	Agent process	Allowed in seccomp; no additional mitigation	🟠 High

---

📋 Evidence Collection

Network rules summary

Host-level (src/host-iptables.ts):

• Line 531: 169.254.0.0/16 → REJECT (blocks cloud metadata endpoints)
• Line 537: 224.0.0.0/4 → REJECT (blocks multicast)
• Lines 549-563: UDP → LOG+REJECT, all others → LOG+REJECT (default deny)
• Lines 566-581: DOCKER-USER chain jump to FW_WRAPPER chain for awf-net bridge

Agent-level (containers/agent/setup-iptables.sh):

• Lines 48-49: IPv6 disabled via sysctl
• Lines 312-335: Dangerous ports (SSH, DB, etc.) → NAT RETURN + OUTPUT DROP
• Lines 341-342: TCP 80/443 → DNAT to Squid:3128
• Lines 428-430: Default TCP/UDP → DROP

Capability matrix

Container	cap_add	cap_drop
Squid	none	ALL
Agent	SYS_CHROOT, SYS_ADMIN (chroot mode only, dropped before user code)	NET_RAW, SYS_PTRACE, + others
iptables-init	NET_ADMIN, NET_RAW	ALL others
API proxy	none	ALL
CLI proxy	none	ALL

Seccomp profile analysis

File: containers/agent/seccomp-profile.json

• Default action: SCMP_ACT_ERRNO (deny-by-default — correct)
• Notable explicit ALLOW: kcmp, pidfd_getfd, process_madvise
• Notable explicit DENY: ptrace, process_vm_readv, process_vm_writev, kexec_load, kexec_file_load, reboot, init_module, finit_module, umount, umount2

Dependency audit

Production dependencies: chalk, commander, execa, js-yaml (4 total)
npm audit result: 0 vulnerabilities (info: 0, low: 0, moderate: 0, high: 0, critical: 0)

---

✅ Recommendations

🔴 Critical

None identified.

🟠 High

1. Review pidfd_getfd allowance in seccomp profile (containers/agent/seccomp-profile.json)
   • pidfd_getfd allows duplicating file descriptors from other processes. In a hostile agent scenario, this could be used to duplicate Squid's or the init container's socket FDs if the agent can obtain a pidfd for those processes.
   • Recommendation: Audit whether pidfd_getfd is required by any legitimate tool used in agent workflows. If not, move it to SCMP_ACT_ERRNO. At minimum, document the rationale for allowing it.

🟡 Medium

2. Explicitly block ICMP in agent OUTPUT chain (containers/agent/setup-iptables.sh)

   • Current default deny is TCP+UDP only. ICMP is not in an explicit DROP rule, though it may be handled by the Docker bridge differently.
   • Recommendation: Add iptables -A OUTPUT -p icmp -j DROP after the UDP drop rule (~line 430) to prevent ICMP-based covert channels or ping-based network reconnaissance.

3. Block RFC1918 private ranges at host DOCKER-USER level (src/host-iptables.ts)

   • The host firewall blocks link-local and multicast but not other private address ranges (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 excluding awf-net). Depending on host network topology, containers could reach internal services.
   • Recommendation: Add explicit REJECT rules for RFC1918 ranges (excluding 172.30.0.0/24) unless --enable-host-access is specified.

4. Review the ~1-second token exposure window (containers/agent/entrypoint.sh, lines 828–837)

   • There is a deliberate 1-second window between agent exec and unset_sensitive_tokens to allow the one-shot-token library to cache credentials. If the agent launches sub-processes quickly, those sub-processes could read /proc/1/environ before unsetting.
   • Recommendation: The one-shot-token LD_PRELOAD is the primary mitigation here. Ensure the library correctly intercepts getenv() calls for all listed tokens and verify it handles dynamic linking edge cases (e.g., statically linked binaries that bypass LD_PRELOAD).

5. Harden /tmp/awf-lib write window for one-shot-token library (containers/agent/entrypoint.sh, lines 431-435)

   • The library is copied to /host/tmp/awf-lib/one-shot-token.so which is on the host /tmp bind-mount (world-writable). A fast-starting agent process could potentially replace the .so before LD_PRELOAD is applied.
   • Recommendation: Consider using a container-private /var/awf-lib/ directory (not bind-mounted from host) for the one-shot-token library in chroot mode, or set strict file permissions (0444 + owned by root) immediately after copy.

🟢 Low

6. Document kcmp and process_madvise allowances — add comments in seccomp-profile.json explaining why these are allowed.

7. Consider --read-only filesystem for API proxy container — it drops all capabilities but its root filesystem is still writable.

8. Squid ICMP pinger is disabled (squid-config.ts:589) — already correct. No action needed.

---

📈 Security Metrics

Metric	Value
Lines of security-critical code analyzed	4,683
Production dependencies	4
Known CVEs in dependencies	0
Attack surfaces identified	8
STRIDE threats identified	12
Critical findings	0
High findings	1
Medium findings	6
Low findings	3
Dangerous ports blocked	15 (iptables) + 20 (Squid)
Sensitive syscalls explicitly denied	10

---

Review conducted: 2026-04-18 by GitHub Copilot CLI security review workflow. Evidence gathered from static code analysis of src/host-iptables.ts, src/squid-config.ts, src/domain-patterns.ts, src/dlp.ts, containers/agent/setup-iptables.sh, containers/agent/entrypoint.sh, containers/api-proxy/server.js, and containers/agent/seccomp-profile.json. No runtime testing was performed in this review.

Generated by Daily Security Review and Threat Modeling · ● 1.3M · ◷

• expires on Apr 25, 2026, 1:10 PM UTC