Skip to content

feat: taint checking and security#197

Open
ambrishrawat wants to merge 45 commits intogenerative-computing:mainfrom
ambrishrawat:security_poc
Open

feat: taint checking and security#197
ambrishrawat wants to merge 45 commits intogenerative-computing:mainfrom
ambrishrawat:security_poc

Conversation

@ambrishrawat
Copy link

@ambrishrawat ambrishrawat commented Oct 14, 2025

This PR introduces a minimal proof-of-concept for taint and security propagation across CBlock, ModelOutputThunk, and session flows, as discussed in generative-computing/mellea#189
.

@ambrishrawat ambrishrawat marked this pull request as draft October 14, 2025 19:21
@mergify
Copy link

mergify bot commented Oct 14, 2025

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|release)(?:\(.+\))?:

@nrfulton nrfulton self-requested a review October 15, 2025 16:54
@ambrishrawat
Copy link
Author

ambrishrawat commented Oct 17, 2025

@nrfulton quick clarifications -

  1. What’s the best way for expose taint configuration to devs? e.g. when a description includes a user variable like summarise the following {{email_body}}, should taint be inferred automatically or something they can configure?
  2. Would it make sense to have a global strictness setting to toggle between warnings and exceptions for taint violations? Is blocify the best place for this?

@nrfulton
Copy link
Member

nrfulton commented Oct 22, 2025

What’s the best way for expose taint configuration to devs? e.g. when a description includes a user variable like summarise the following {{email_body}}, should taint be inferred automatically or something they can configure?

We should infer automatically where-ever possible. I nthis case, I'm not sure how you would infer taint. I guess you assumption here is that email_boy -- or any user_variable input -- should entail taint?

@ambrishrawat
Copy link
Author

ambrishrawat commented Oct 23, 2025

Yes, that was the thinking. Making it configurable may make more sense for taint. Any thoughts on the best way to expose that? Would love your take on the code too.

@davidcox
Copy link

davidcox commented Oct 23, 2025

If there is a tainted variable in the context, everything downstream should get tainted. As for how variables get tainted in the first place, a common way people do this is to define sources, sinks, and (optionally) washers. These are wrappers around interfaces that produce sensitive data (e.g. HR database api), or where it enters an unsafe place (e.g. sending to a UI).

@ambrishrawat ambrishrawat marked this pull request as ready for review November 12, 2025 11:11
@ambrishrawat
version 2 of taint tracking
7d4e73e 
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
@ambrishrawat
version 2 of taint tracking
4c9ab68 
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
@ambrishrawat
taint tracking updates for ollama and litellm
daaf5ee 
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
@ambrishrawat
docs taint analysis
2fd7bc0 
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
@ambrishrawat
restored formatter to original
0efbee6 
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
@ambrishrawat
removed redundant sanitise helper
5e1a266 
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
@ambrishrawat
updated taint analysis dev docs
4ea932a 
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
@ambrishrawat
updated taint analysis dev docs
b0a23a5 
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
@ambrishrawat
updated taint analysis dev docs
5466c31 
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
nrfulton
nrfulton requested changes Nov 21, 2025
View reviewed changes
docs/dev/taint_analysis.md Outdated
Comment on lines 79 to 80
component = CBlock("user input")
component.mark_tainted() # Sets SecLevel.tainted_by(component)
Copy link
Member

@nrfulton nrfulton Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. CBlocks should be immutable.
  2. Naming a variable Ccmponent and assigning it to a CBlock is confusing.
  3. The cyclic reference here is a bit confusing and invites buggy code. Use tainted_by(None) instead of tainted_by(self) for the root node.
c = CBlock("user input", sec_level=SecLevel.tained_by(None))

Copy link
Author

@ambrishrawat ambrishrawat Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated this; tainted_by(None) for root now

docs/dev/taint_analysis.md Outdated
component = CBlock("user input")
component.mark_tainted() # Sets SecLevel.tainted_by(component)

if component._meta["_security"].is_tainted():
Copy link
Member

@nrfulton nrfulton Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not c.sec_level?

Copy link
Author

@ambrishrawat ambrishrawat Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Defined it as a property and now this works as c.sec_level.is_tainted()

docs/examples/security/taint_example.py Outdated
print(f"Original CBlock is tainted: {not tainted_desc.is_safe()}")

# Create session
session = MelleaSession(OllamaModelBackend("llama3.2"))
Copy link
Member

@nrfulton nrfulton Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unless the example critically depends on using a particular model, always use session = start_session() instead. This makes the examples easier to maintain.

docs/examples/security/taint_example.py Outdated

# The result should be tainted
print(f"Result is tainted: {not result.is_safe()}")
if not result.is_safe():
Copy link
Member

@nrfulton nrfulton Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should use is_tainted instead of is_safe. The meaning of safe is very ambiguous.

Copy link
Author

@ambrishrawat ambrishrawat Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed all instances of is_safe

mellea/security/core.py Outdated
Returns:
The CBlock or Component that tainted this content, or None
"""
if self.level_type == "tainted_by":
Copy link
Member

@nrfulton nrfulton Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Especially in a module called security.core, we should avoid use of magic strings.

Copy link
Author

@ambrishrawat ambrishrawat Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Created SecLevelType enum

mellea/security/core.py Outdated
sources.append(action)

# For Components, check their constituent parts for taint
if hasattr(action, 'parts'):
Copy link
Member

@nrfulton nrfulton Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead us something like:

match action:
     case Component...

    case CBlock...

(If type(action) :> Component then check is not necessary because the Component protocol has a parts() method. )

Copy link
Author

@ambrishrawat ambrishrawat Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated it to use match/case

@ambrishrawat
updates based on PR feedback
c303b87 
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
@ambrishrawat
added tests for taint_sources of a Component
f85f953 
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
@ambrishrawat
Copy link
Author

ambrishrawat commented Nov 25, 2025

Thanks for the review @nrfulton !
I have incorporated your suggestions. Appreciate another pass when you get the chance

@ambrishrawat
minor doc updates to remove the use of word safe
c1062e5 
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
@guicho271828
Copy link
Contributor

guicho271828 commented Nov 26, 2025

hi ambrish!

@nrfulton nrfulton self-requested a review December 2, 2025 02:15
@mergify
Copy link

mergify bot commented Jan 14, 2026

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|release)(?:\(.+\))?:

@ambrishrawat
merged with main
a81e584 
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
@mergify
Copy link

mergify bot commented Jan 16, 2026

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|release)(?:\(.+\))?:

@mergify
Copy link

mergify bot commented Jan 18, 2026

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|release)(?:\(.+\))?:

@mergify
Copy link

mergify bot commented Jan 22, 2026

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|release)(?:\(.+\))?:

@mergify
Copy link

mergify bot commented Jan 23, 2026

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|release)(?:\(.+\))?:

@mergify
Copy link

mergify bot commented Jan 26, 2026

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|release)(?:\(.+\))?:

@mergify
Copy link

mergify bot commented Jan 28, 2026

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|release)(?:\(.+\))?:

@mergify
Copy link

mergify bot commented Feb 1, 2026

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|release)(?:\(.+\))?:

@mergify
Copy link

mergify bot commented Feb 8, 2026

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|release)(?:\(.+\))?:

@mergify
Copy link

mergify bot commented Feb 12, 2026

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|release)(?:\(.+\))?:

planetf1
planetf1 reviewed Feb 25, 2026
View reviewed changes
mellea/security/core.py
def wrapper(*args, **kwargs):
# Check all arguments for marked content (tainted or classified)
for arg in args:
if isinstance(arg, TaintChecking):
Copy link
Contributor

@planetf1 planetf1 Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering if there's an issue with here in not looking recursively (ie via taint_sources() )? the args may be ok, but we could have a tainted Component?

Copy link
Author

@ambrishrawat ambrishrawat Feb 25, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah I see that, yes need to call taint_sources here and do a recursive check for classified sources as well. I will update this.

@mergify
Copy link

mergify bot commented Feb 25, 2026

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|release)(?:\(.+\))?:

planetf1
planetf1 reviewed Feb 25, 2026
View reviewed changes
mellea/security/core.py


def declassify(cblock: "CBlock") -> "CBlock":
"""Create a declassified version of a CBlock (non-mutating).
Copy link
Contributor

@planetf1 planetf1 Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only CBlocks or any subclass? If the latter, we return a CBlock which would lose the subclass info?
For example could it be an ImageBlock?
Also note that ImageBlock never calls super().init() which means the value that is being copied does not exist == crash?

Copy link
Author

@ambrishrawat ambrishrawat Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, this particular declassify is merely illustrative, hence only applicable to CBlocks. One would need bespoke declassification methods for applications to sparsify taint information across the code. That was my initial thinking

@ambrishrawat ambrishrawat requested review from a team and jakelorocco as code owners February 25, 2026 18:12
@mergify
Copy link

mergify bot commented Feb 27, 2026

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|release)(?:\(.+\))?:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@planetf1 planetf1 planetf1 left review comments

@nrfulton nrfulton Awaiting requested review from nrfulton nrfulton is a code owner

@jakelorocco jakelorocco Awaiting requested review from jakelorocco jakelorocco is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ambrishrawat @nrfulton @davidcox @guicho271828 @planetf1