Automated attack surface mapping and API boundary analysis using CPG queries and domain plugin integration.
## Overview
The entry points handler (EntryPointsHandler) discovers and categorizes all entry points in a codebase — network listeners, file access functions, authentication checks, trust boundaries, and more. It is domain-agnostic — all function names and patterns are loaded dynamically from the active domain plugin via DomainRegistry.get_security_entry_points() and get_security_entry_point_patterns().
Detection method:

- CPG Queries — SQL LIKE patterns against the Code Property Graph database
- Domain Plugin — category-specific function lists from the security_entry_points YAML config
- Question-Type Detection — 40+ question types (EN + RU) via _detect_entry_point_question_type(), routing to relevant categories
- Relevance Ranking — _rank_by_query_relevance() scores and sorts results by similarity to the query
Entry point categories (15 total):

| Category | Description |
|---|---|
| network | Socket/protocol listeners, connection handlers |
| query | Query processing entry points |
| auth | Authentication and authorization checks |
| file_access | File I/O functions (read, write, list) |
| trust_boundary | Privilege transitions, role switching |
| connection | Connection establishment handlers |
| protocol | Wire protocol message handlers |
| replication | WAL/replication entry points |
| copy | Data import/export (COPY-like commands) |
| spi | Internal extension API |
| extension | Extension/plugin loading |
| external | External function call interface |
| socket | Low-level socket handlers |
| exec | Code execution entry points |
| bgworker | Background worker entry points |
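The following Python is an added illustration, not code from the project, of the detection flow the overview describes: a question is routed to categories (a small keyword map stands in for _detect_entry_point_question_type()), each category's LIKE patterns are run as bound parameters against a CPG-style function table, and hits are sorted by similarity to the query in the spirit of _rank_by_query_relevance(). The table schema, pattern lists, keyword map, sample rows and scoring are all assumptions.

```python
import re
import sqlite3
from difflib import SequenceMatcher
# Assumed stand-ins for the plugin's YAML lists; '%' is used instead of '_' because LIKE treats '_' as a wildcard.
ENTRY_POINT_PATTERNS = {
    "network": ["accept%", "handle%client%", "read%message%"],
    "file_access": ["read%file", "list%directory", "stat%file"],
    "auth": ["check%password", "verify%client%cert", "acl%check", "check%privilege"],
}
# Assumed keyword map standing in for _detect_entry_point_question_type().
QUESTION_TYPES = {
    "network": [r"\bnetwork", r"\bsocket", r"\blistener"],
    "file_access": [r"\bfile", r"\bdirector"],
    "auth": [r"\bauth", r"\bpassword", r"\bprivilege"],
}
# Constructed sample rows standing in for a CPG function table.
SAMPLE_FUNCTIONS = [
    ("accept_connection", "net/listener.c"), ("handle_client_read", "net/client.c"),
    ("read_message_string", "net/proto.c"), ("read_file", "fs/fileops.c"),
    ("list_directory", "fs/dir.c"), ("check_password", "auth/password.c"),
    ("check_table_privilege", "auth/acl.c"), ("format_datetime", "util/time.c"),
]

def build_cpg():
    """Load the constructed rows into an in-memory table with the assumed schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE functions (name TEXT, file TEXT)")
    conn.executemany("INSERT INTO functions VALUES (?, ?)", SAMPLE_FUNCTIONS)
    return conn

def detect_question_types(question):
    """Route a question to categories; a question with no keyword searches every category."""
    q = question.lower()
    hits = [c for c, pats in QUESTION_TYPES.items() if any(re.search(p, q) for p in pats)]
    return hits or list(ENTRY_POINT_PATTERNS)

def find_entry_points(conn, categories):
    """Run each category's LIKE patterns as bound parameters; returns (category, name, file)."""
    found = []
    for cat in categories:
        for pat in ENTRY_POINT_PATTERNS.get(cat, []):
            rows = conn.execute("SELECT name, file FROM functions WHERE name LIKE ?", (pat,))
            found += [(cat, n, f) for n, f in rows if (cat, n, f) not in found]
    return found

def rank_by_query_relevance(question, hits):
    """Order hits by the best similarity between a question token and the function name."""
    tokens = re.findall(r"[a-z]+", question.lower()) or [""]
    def score(h): return max(SequenceMatcher(None, t, h[1]).ratio() for t in tokens)
    return sorted(hits, key=score, reverse=True)
```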
## Quick Start

```text
# Select Entry Points Scenario via CLI or MCP
/select 16
```
## REST API

```bash
curl -X POST http://localhost:8000/api/v1/query \
  -H "Content-Type: application/json" \
  -d '{"query": "Find all network entry points", "scenario_id": "16"}'
```
## Attack Surface Mapping

### Network Entry Points

```text
> Find all network-accessible entry points

╭─────────────── Network Entry Points ─────────────────────────╮
│                                                              │
│ Network-Accessible Entry Points:                             │
│                                                              │
│ Protocol Layer:                                              │
│   accept_connection() - Connection handshake                 │
│   handle_client_read() - Main data receive                   │
│   read_message_string() - Read string from client            │
│   read_message_int() - Read integer from client              │
│                                                              │
│ Request Processing:                                          │
│   handle_query() - Direct query execution                    │
│   handle_parse_message() - Prepared statement                │
│   handle_bind_message() - Parameter binding                  │
│   handle_execute() - Execute prepared statement              │
│                                                              │
│ Replication:                                                 │
│   replication_sender() - Data streaming                      │
│   replication_receiver() - Data receive                      │
│                                                              │
│ Total network entry points: 23                               │
│                                                              │
╰──────────────────────────────────────────────────────────────╯
```
### File System Entry Points

```text
> Find file system entry points

╭─────────────── File System Entry Points ─────────────────────╮
│                                                              │
│ File System Access Points:                                   │
│                                                              │
│ SQL-Callable Functions:                                      │
│   read_file() - Read arbitrary file                          │
│   read_binary_file() - Read binary file                      │
│   list_directory() - List directory contents                 │
│   stat_file() - Get file stats                               │
│                                                              │
│ Data Import/Export:                                          │
│   do_copy() → copy_from() - Read from file                   │
│   do_copy() → copy_to() - Write to file                      │
│                                                              │
│ Extension Loading:                                           │
│   load_external_function() - Load shared library             │
│   dynamic_load() - Dynamic library loading                   │
│                                                              │
│ Risk Level: HIGH                                             │
│ Requires: Elevated privilege for most operations             │
│                                                              │
╰──────────────────────────────────────────────────────────────╯
```
## API Boundary Analysis

### Public API Functions

```text
> List all public API entry points

╭─────────────── Public API ───────────────────────────────────╮
│                                                              │
│ Exported Extension Functions: 1,234                          │
│                                                              │
│ Categories:                                                  │
│   Data types: 234 functions                                  │
│   Operators: 189 functions                                   │
│   Aggregate: 67 functions                                    │
│   Window: 23 functions                                       │
│   Procedural: 45 functions                                   │
│                                                              │
│ Internal Extension API:                                      │
│   spi_connect() - Connect to internal API                    │
│   spi_execute() - Execute query                              │
│   spi_prepare() - Prepare statement                          │
│   spi_finish() - Disconnect                                  │
│                                                              │
│ Hook Points (interceptable):                                 │
│   utility_hook - Utility command processing                  │
│   executor_hook - Query execution                            │
│   planner_hook - Query planning                              │
│                                                              │
╰──────────────────────────────────────────────────────────────╯
```
### Internal API Boundaries

```text
> Show internal module boundaries

╭─────────────── Module Boundaries ────────────────────────────╮
│                                                              │
│ Internal API Boundaries:                                     │
│                                                              │
│ Executor → Storage:                                          │
│   table_insert() - Insert record                             │
│   table_update() - Update record                             │
│   table_delete() - Delete record                             │
│   index_insert() - Index maintenance                         │
│                                                              │
│ Parser → Catalog:                                            │
│   cache_lookup() - System cache lookup                       │
│   scan_relation() - Relation scan                            │
│   resolve_oid() - OID resolution                             │
│                                                              │
│ Planner → Statistics:                                        │
│   get_relation_stats() - Table statistics                    │
│   estimate_groups() - Cardinality estimation                 │
│                                                              │
│ Total internal APIs: 456 functions                           │
│                                                              │
╰──────────────────────────────────────────────────────────────╯
```
## Trust Boundary Analysis

### Privilege Escalation Paths

```text
> Find functions that change privilege level

╭─────────────── Privilege Transitions ────────────────────────╮
│                                                              │
│ Privilege Escalation Points:                                 │
│                                                              │
│ SECURITY DEFINER Functions:                                  │
│   Total: 23 functions                                        │
│   Risk: Execute with owner privileges                        │
│                                                              │
│ Elevated-Privilege Functions Called by Regular Users:        │
│   reload_config() via admin wrapper                          │
│   terminate_backend() via admin wrapper                      │
│                                                              │
│ Role Transitions:                                            │
│   set_role() - Role switching                                │
│   check_role_grantor() - Permission check                    │
│                                                              │
│ Row-Level Security Bypass:                                   │
│   check_rls_enabled() - RLS check point                      │
│   check_permissions() - Permission validation                │
│                                                              │
│ Audit Points: 45 locations                                   │
│                                                              │
╰──────────────────────────────────────────────────────────────╯
```
### Authentication Entry Points

```text
> Find authentication and authorization check points

╭─────────────── Auth Entry Points ────────────────────────────╮
│                                                              │
│ Authentication Checks:                                       │
│                                                              │
│   check_password() - Password verification                   │
│   verify_client_cert() - TLS client certificate              │
│   auth_handler() - Main auth dispatcher                      │
│                                                              │
│ Authorization Checks:                                        │
│   acl_check() - General ACL validation                       │
│   check_table_privilege() - Table-level access               │
│   check_object_ownership() - Object ownership                │
│                                                              │
│ Session Management:                                          │
│   create_session() - Session initialization                  │
│   validate_token() - Token verification                      │
│                                                              │
╰──────────────────────────────────────────────────────────────╯
```
### Untrusted Input Handlers

```text
> Find functions that handle untrusted input

╭─────────────── Untrusted Input Handlers ─────────────────────╮
│                                                              │
│ Direct Client Input Handling:                                │
│                                                              │
│ String Input:                                                │
│   read_message_string() - Raw string from client             │
│   read_message_text() - Text with encoding                   │
│   convert_encoding() - Encoding conversion                   │
│                                                              │
│ Binary Input:                                                │
│   read_message_byte() - Single byte                          │
│   read_message_int() - Integer (various sizes)               │
│   read_message_bytes() - Raw bytes                           │
│                                                              │
│ Query Input:                                                 │
│   parse_query() - SQL parsing                                │
│   eval_expressions() - Expression evaluation                 │
│                                                              │
╰──────────────────────────────────────────────────────────────╯
```
## Example Questions
- “Find all network entry points”
- “List file system access functions”
- “Show public API functions”
- “Find privilege escalation paths”
- “Identify untrusted input handlers”
- “Map trust boundaries”
- “Find authentication check points”
- “Show full attack surface”
- “Find background worker entry points”
- “List replication entry points”
## Related Scenarios
- Security Audit - Vulnerability analysis
- Incident Response - Attack investigation
- Architecture - System boundaries