Context
The .akavdb reader (sigdb.cpp) supports RSA-2048 signature verification but currently skips it when no public key is provided. The Python akavdb-tool supports signing but it's optional. For production use, signature verification should be mandatory to prevent tampering with definition files.
Problem
Without enforced verification, an attacker who gains write access to the .akavdb file on an endpoint could:
- Remove the detection signatures that match their malware
- Inject whitelist entries for malicious files
- Corrupt Aho-Corasick byte patterns to evade detection
Proposed Work
- Generate an RSA-2048 keypair for the build pipeline
- Embed the public key (DER-encoded) in the engine binary
- Make akav_sigdb_open reject unsigned databases in release builds (allow skip in debug/test only)
- Add --key to the akavdb-tool compile workflow as a required step in CI
- Add unit tests: valid signature passes, tampered file rejected, missing signature rejected
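To make the acceptance criteria above concrete, here is an added example that is not project code (the reader is C++ and the tool is Python; this is written in Go with only the standard library so it runs stand-alone). It models the whole proposed flow: a pipeline-side signing step, a DER-encoded RSA-2048 public key standing in for the one embedded in the engine binary, and an openSigDB function that mirrors the policy proposed for akav_sigdb_open (unsigned rejected in release, tolerated in debug, tampered rejected), exercised by the listed unit-test cases. The container layout (body | signature | sigLen), the names openSigDB, signDB, encodeDB and runScenarios, and the releaseBuild flag are assumptions for this example only; the issue does not describe the real .akavdb layout.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed layout for this example only (assumption; the issue does not describe
// the real .akavdb layout): body | signature | sigLen u16 LE. sigLen == 0 means the
// file is unsigned. Signature = RSA-2048 PKCS#1 v1.5 over SHA-256(body).
var ErrBadFormat = errors.New("sigdb: malformed database")
var ErrUnsigned = errors.New("sigdb: database is unsigned")
var ErrBadSig = errors.New("sigdb: signature verification failed")

// encodeDB serialises a body plus an optional signature trailer (nil = unsigned).
func encodeDB(body, sig []byte) []byte {
	out := append(append([]byte(nil), body...), sig...)
	out = append(out, 0, 0)
	binary.LittleEndian.PutUint16(out[len(out)-2:], uint16(len(sig)))
	return out
}

// signDB is the build-pipeline side (what a mandatory --key step would do):
// hash the body and sign the digest with the pipeline's private key.
func signDB(priv *rsa.PrivateKey, body []byte) ([]byte, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return encodeDB(body, sig), nil
}

// openSigDB models the policy proposed for akav_sigdb_open. pubDER is the DER (PKIX)
// public key compiled into the engine; releaseBuild stands in for a compile-time flag.
func openSigDB(blob, pubDER []byte, releaseBuild bool) ([]byte, error) {
	if len(blob) < 2 {
		return nil, ErrBadFormat
	}
	sigLen := int(binary.LittleEndian.Uint16(blob[len(blob)-2:]))
	if len(blob)-2 < sigLen {
		return nil, ErrBadFormat
	}
	body, sig := blob[:len(blob)-2-sigLen], blob[len(blob)-2-sigLen:len(blob)-2]
	if sigLen == 0 {
		if releaseBuild {
			return nil, ErrUnsigned // the hardening this issue asks for
		}
		return body, nil // tolerated in debug/test builds only
	}
	keyAny, err := x509.ParsePKIXPublicKey(pubDER)
	pub, ok := keyAny.(*rsa.PublicKey)
	if err != nil || !ok || pub.Size() != 256 { // pin algorithm and key size
		return nil, errors.New("sigdb: embedded key is not RSA-2048")
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, ErrBadSig
	}
	return body, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// runScenarios exercises the cases the issue lists as unit tests and returns
// the error openSigDB produced for each (nil = accepted).
func runScenarios() map[string]error {
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	pubDER := must(x509.MarshalPKIXPublicKey(&priv.PublicKey)) // what gets embedded
	body := []byte("constructed sample body: byte patterns + whitelist entries")
	signed := must(signDB(priv, body))
	tampered := append([]byte(nil), signed...)
	tampered[0] ^= 0x01 // flip one bit inside the body, keep the signature
	res := map[string]error{}
	_, res["valid"] = openSigDB(signed, pubDER, true)
	_, res["tampered"] = openSigDB(tampered, pubDER, true)
	_, res["stripped-release"] = openSigDB(encodeDB(body, nil), pubDER, true)
	_, res["stripped-debug"] = openSigDB(encodeDB(body, nil), pubDER, false)
	return res
}

func main() {
	for name, err := range runScenarios() {
		fmt.Printf("%-17s -> %v\n", name, err)
	}
}
```

Two points the real sigdb.cpp change should carry over from this model: the signature has to cover everything the parser trusts before verification runs (header, version, flags, lengths), not just the pattern tables, and the debug-only skip should be decided at compile time rather than by a runtime option, otherwise a release binary can simply be asked to skip it. Pinning the embedded key to RSA-2048 (rather than accepting whatever key parses) is cheap and rules out a downgrade if the key material is ever swapped.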
Phase
Phase 11 (Hardening) — alongside GitHub issue #5 (Aho-Corasick match density hardening)