From b1bf909679734e90eda2e5ff192bfbed93287fe9 Mon Sep 17 00:00:00 2001
From: Adamthereal
Date: Mon, 11 May 2026 16:59:04 +0800
Subject: [PATCH] add(mapping): Agent Threat Rules cross-reference for CCC GenAI catalog
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds Agent Threat Rules (ATR) as a Gemara MappingReference in the CCC GenAI
catalog metadata, plus EntryMapping blocks under four GenAI controls where
ATR's detection coverage is genuinely adjacent to the control's intent:

- CCC.GenAI.CN01 (Model Input Filtering) → ATR prompt-injection rules (00001, 00002, 00003, 00440)
- CCC.GenAI.CN02 (Model Output Filtering) → ATR context-exfiltration + agent-manipulation rules (00020, 00021, 00132)
- CCC.GenAI.CN04 (Sanitisation of Ingested Data) → ATR indirect-injection + credential-disclosure rules (00002, 00021)
- CCC.GenAI.CN06 (Least Privilege for Plugins) → ATR tool-poisoning / privilege-escalation rules (00010, 00040, 00060, 00441)

The mapping is one-way and lossy by design: ATR is a detection-rule corpus
(runtime / scanner-time pattern-based), not a control framework. Consumers of
the CCC controls reading the mapping should understand that an ATR rule offers
a detection signal adjacent to a control's intent, not a control equivalent.
Each EntryMapping's remarks field clarifies the specific adjacency.

This follows the directional guidance in finos/common-cloud-controls#985 from
@eddie-knight to use a Gemara mapping document rather than a schema-invasive
integration. Implementation mirrors the existing MappingReference /
EntryMapping pattern used by CCC for FINOS-AIGF, SAIF, MITRE-ATLAS, etc.

Scope is intentionally narrow (4 controls × 14 rule-references) rather than a
full sweep of all 8 GenAI controls. After this first batch lands, the same
pattern can extend to CN03, CN08, and the threat-level mappings.

ATR upstream: https://github.com/Agent-Threat-Rule/agent-threat-rules
(MIT, v2.1.2, 338 rules across 10 attack categories).
--- catalogs/ai-ml/gen-ai/controls.yaml | 47 +++++++++++++++++++++++++++++ catalogs/ai-ml/gen-ai/metadata.yaml | 20 +++++++++++- 2 files changed, 66 insertions(+), 1 deletion(-) diff --git a/catalogs/ai-ml/gen-ai/controls.yaml b/catalogs/ai-ml/gen-ai/controls.yaml index 5a8ed2f3..ea4178fb 100644 --- a/catalogs/ai-ml/gen-ai/controls.yaml +++ b/catalogs/ai-ml/gen-ai/controls.yaml @@ -108,6 +108,20 @@ control-families: - reference-id: AML.M0015 strength: 0 # Not yet specified remarks: Adversarial Input Detection + - reference-id: agent-threat-rules + entries: + - reference-id: ATR-2026-00001 + strength: 0 # Not yet specified + remarks: Direct Prompt Injection via User Input — detection-side coverage for adversarial input that this control mandates be filtered/sanitised. + - reference-id: ATR-2026-00002 + strength: 0 # Not yet specified + remarks: Indirect Prompt Injection (via RAG / tool output / retrieved content) — covers the untrusted-input path AR01 explicitly calls out. + - reference-id: ATR-2026-00003 + strength: 0 # Not yet specified + remarks: Jailbreak / system-prompt-override attempts at input layer. + - reference-id: ATR-2026-00440 + strength: 0 # Not yet specified + remarks: Semantic Kernel CVE-2026-26030 lambda+eval RCE via filter-expression input. - id: CCC.GenAI.CN02 title: Model Output Filtering and Sanitisation 
@@ -182,6 +196,17 @@ control-families: - reference-id: AML.M0002 strength: 0 # Not yet specified remarks: Passive AI Output Obfuscation + - reference-id: agent-threat-rules + entries: + - reference-id: ATR-2026-00020 + strength: 0 # Not yet specified + remarks: System Prompt / Initial-Configuration Leak in Model Output — output-side detection for the sensitive-data-disclosure path. + - reference-id: ATR-2026-00021 + strength: 0 # Not yet specified + remarks: API Key / Credential Exposure in Model Output — covers TH03 sensitive-information-disclosure at output sanitisation point. + - reference-id: ATR-2026-00132 + strength: 0 # Not yet specified + remarks: Output containing covert-instruction or persona-override content — adversarial output pattern for AR02 rejection / redaction. - id: CCC.GenAI.CN03 title: Data Provenance and Source Vetting @@ -289,6 +314,14 @@ control-families: - reference-id: AML.M0007 strength: 0 # Not yet specified remarks: Sanitize Training Data + - reference-id: agent-threat-rules + entries: + - reference-id: ATR-2026-00002 + strength: 0 # Not yet specified + remarks: Indirect Prompt Injection (RAG / ingested-content / tool-output path) — detection-side coverage for malicious payloads embedded in ingested data per AR01. + - reference-id: ATR-2026-00021 + strength: 0 # Not yet specified + remarks: Credential / API-key disclosure in ingested content — sensitive-information path for AR01 detection. - id: CCC.GenAI.CN05 title: Citations and Source Traceability 
@@ -367,6 +400,20 @@ control-families: entries: - reference-id: Agent Permissions strength: 0 # Not yet specified + - reference-id: agent-threat-rules + entries: + - reference-id: ATR-2026-00010 + strength: 0 # Not yet specified + remarks: Tool / MCP response with malicious content — covers TH07 Insecure Plugin at the tool-response layer. + - reference-id: ATR-2026-00040 + strength: 0 # Not yet specified + remarks: Privilege Escalation / Admin Function Access via tool calls — covers the over-privileged-tool-invocation aspect of AR01. + - reference-id: ATR-2026-00060 + strength: 0 # Not yet specified + remarks: Skill / Plugin Impersonation — covers the trust-boundary aspect of plugin selection. + - reference-id: ATR-2026-00441 + strength: 0 # Not yet specified + remarks: Semantic Kernel SessionsPythonPlugin CVE-2026-25592 — over-privileged plugin enabling sandbox escape via autostart-path file write. Concrete TH06 / TH07 example. - title: Configuration Management description: | diff --git a/catalogs/ai-ml/gen-ai/metadata.yaml b/catalogs/ai-ml/gen-ai/metadata.yaml index 38557f77..035ac5ee 100644 --- a/catalogs/ai-ml/gen-ai/metadata.yaml +++ b/catalogs/ai-ml/gen-ai/metadata.yaml 
@@ -21,4 +21,22 @@ metadata: service: Google Vertex AI url: https://cloud.google.com/vertex-ai/docs applicability-categories: [] - mapping-references: [] + mapping-references: + - id: agent-threat-rules + title: Agent Threat Rules + version: v2.1.2 + description: | + Agent Threat Rules (ATR) is an open MIT-licensed detection-rule + corpus for AI agent threats spanning ten attack categories + (prompt-injection, tool-poisoning, skill-compromise, + agent-manipulation, context-exfiltration, data-poisoning, + excessive-autonomy, model-abuse, model-security, privilege-escalation). + Rules are deterministic YAML and ship as the upstream detection + layer in Cisco AI Defense and Microsoft Agent Governance Toolkit, + and are referenced by the MISP taxonomy and galaxy threat-intel + sharing layers (taxonomies#323, galaxy#1207, both merged by the + MISP project lead on 2026-05-10). The mapping from CCC GenAI + controls is one-way and lossy: ATR rule-IDs reference detection + coverage that is adjacent to a control's intent, not control + equivalents themselves. + url: https://github.com/Agent-Threat-Rule/agent-threat-rules
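Review bot: In the controls.yaml hunk at @@ -108,6 +108,20 @@ (CCC.GenAI.CN01), the ATR-2026-00440 remark names a product-specific vulnerability ("Semantic Kernel CVE-2026-26030 lambda+eval RCE via filter-expression input") rather than the detection signal the rule provides for input filtering, which contradicts the commit message's own framing that each remark should state the adjacency to the control's intent, not a control or vulnerability equivalent. Suggest rewording to what the rule detects at the input layer and, if the CVE is worth keeping, putting it in a trailing parenthetical. Also keep the `reference-id: agent-threat-rules` literal in sync with the `id` in metadata.yaml; the two match in this patch, but nothing enforces it.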
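Review bot: In the controls.yaml hunk at @@ -182,6 +196,17 @@ (CCC.GenAI.CN02), the remarks cite threat and requirement ids ("TH03 sensitive-information-disclosure", "AR02 rejection / redaction") that do not appear in the hunk's context lines, so they cannot be checked here; please confirm TH03 and AR02 are the ids actually defined under CN02 and not CN01's, since the CN01 hunk also refers to "AR01" for a different requirement.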
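Review bot: In the controls.yaml hunk at @@ -289,6 +314,14 @@ (CCC.GenAI.CN04), ATR-2026-00021 is described as "Credential / API-key disclosure in ingested content", while the CN02 hunk describes the same rule id as "API Key / Credential Exposure in Model Output"; one rule cannot be both an output-side and an ingestion-side detector unless it is location-agnostic, so one of the two remarks misstates what the rule matches. Same for ATR-2026-00002, which is reused from CN01 with a different paraphrase. Suggest quoting the upstream rule title verbatim in the first clause of each remark and putting the control-specific adjacency in a second sentence, so a reader can tell which part is the rule and which part is this catalog's interpretation.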
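Review bot: In the controls.yaml hunk at @@ -367,6 +400,20 @@ (CCC.GenAI.CN06), the context lines show `entries:` followed by `- reference-id: Agent Permissions` / `strength: 0`, and the new `- reference-id: agent-threat-rules` item is inserted directly after that inner entry; verify its indentation makes it a sibling of the enclosing mapping-reference item rather than a fourth element of the preceding `entries:` list, because both parse as valid YAML and only one is the intended structure. Separately, the ATR-2026-00441 remark ("over-privileged plugin enabling sandbox escape via autostart-path file write. Concrete TH06 / TH07 example.") describes an instance of the threat, not detection coverage for least privilege; given the commit message defers threat-level mappings to a later batch, consider moving this entry there.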
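Review bot: In the metadata.yaml hunk at @@ -21,4 +21,22 @@, the `description` carries third-party adoption and merge claims ("ship as the upstream detection layer in Cisco AI Defense and Microsoft Agent Governance Toolkit", "taxonomies#323, galaxy#1207, both merged by the MISP project lead on 2026-05-10") that a catalog consumer cannot verify from the catalog and that will go stale inside a versioned mapping reference; suggest trimming it to what ATR is, its licence, and the "one-way and lossy" reading rule, and keeping the adoption history in the PR description. Also, since `version: v2.1.2` is pinned but `url` points at the repository root, consider pointing `url` at that release so the `ATR-2026-xxxxx` ids used in controls.yaml remain resolvable if upstream renumbers rules in a later version.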