Documentation
Index
- Variables
- func CalculateEntropy(data []byte) float64
- func CalculateEntropyNormalized(data []byte) float64
- func EntropyDistance(e1, e2 float64) float64
- func EntropyMatch(e1, e2, tolerance float64) bool
- func GenerateFuzzyHash(t *FunctionTopology) string
- func MapSimilarity(a, b map[string]int) float64
- func SetTopologyLimits(maxLen, maxTotal int)
- func TopologyFingerprint(t *FunctionTopology) string
- func TopologySimilarity(a, b *FunctionTopology) float64
- type EntropyClass
- type EntropyProfile
- type FunctionTopology
Constants
This section is empty.
Variables
var (
	MaxStringLiteralLen = 4096      // 4KB limit per string
	MaxTotalStringBytes = 1024 * 64 // 64KB limit per function
)
Functions
func CalculateEntropy
func CalculateEntropy(data []byte) float64
Returns the Shannon entropy of a byte slice. The result ranges from 0.0 (a single repeated byte value, completely predictable) to 8.0 (maximum randomness). High entropy (>7.0) often indicates packed or encrypted code; normal code typically has entropy between 4.5 and 6.5.
func CalculateEntropyNormalized
func CalculateEntropyNormalized(data []byte) float64
Returns the entropy normalized to the 0.0-1.0 range. Useful for direct comparison and threshold checks.
func EntropyDistance
func EntropyDistance(e1, e2 float64) float64
Calculates the absolute difference between two entropy values. Used for fuzzy matching: two functions with similar entropy are more likely to be related.
func EntropyMatch
func EntropyMatch(e1, e2, tolerance float64) bool
Returns true if two entropy values are within the given tolerance. A default tolerance of 0.5 is recommended for malware family matching.
func GenerateFuzzyHash
func GenerateFuzzyHash(t *FunctionTopology) string
GenerateFuzzyHash creates a short representation of the function structure.
func MapSimilarity
func MapSimilarity(a, b map[string]int) float64
MapSimilarity calculates the similarity between two frequency maps.
func SetTopologyLimits
func SetTopologyLimits(maxLen, maxTotal int)
SetTopologyLimits adjusts the memory safeguards for string processing.
func TopologyFingerprint
func TopologyFingerprint(t *FunctionTopology) string
func TopologySimilarity
func TopologySimilarity(a, b *FunctionTopology) float64
TopologySimilarity calculates the similarity between two function topologies.
Types
type EntropyClass
type EntropyClass int
Categorizes entropy levels for quick analysis.
const (
	EntropyLow    EntropyClass = iota // < 4.0: Simple/sparse code
	EntropyNormal                     // 4.0-6.5: Typical compiled code
	EntropyHigh                       // 6.5-7.5: Potentially obfuscated
	EntropyPacked                     // > 7.5: Likely packed/encrypted
)
func ClassifyEntropy
func ClassifyEntropy(entropy float64) EntropyClass
Determines the entropy class from a raw entropy value.
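As an added illustration of the entropy functions and the classification thresholds documented above (example code, not the package's own implementation): a stand-alone re-implementation of CalculateEntropy, CalculateEntropyNormalized, ClassifyEntropy and EntropyMatch. Which class the exact boundary values 4.0, 6.5 and 7.5 fall into is not stated on the page, so assigning them to the lower class is an assumption of this example.

```go
package main

import "math"

// EntropyClass mirrors the classification documented on this page; this file is an added illustration, not the package's own code.
type EntropyClass int

const (
	EntropyLow    EntropyClass = iota // < 4.0: simple/sparse code
	EntropyNormal                     // 4.0-6.5: typical compiled code
	EntropyHigh                       // 6.5-7.5: potentially obfuscated
	EntropyPacked                     // > 7.5: likely packed/encrypted
)

// CalculateEntropy returns Shannon entropy in bits per byte: 0.0 when every byte is identical, 8.0 when all 256 values occur equally often.
func CalculateEntropy(data []byte) float64 {
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n, h := float64(len(data)), 0.0
	for _, c := range counts {
		if c > 0 { // empty input contributes no terms and yields 0.0
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// CalculateEntropyNormalized scales the result to the 0.0-1.0 range for threshold checks.
func CalculateEntropyNormalized(data []byte) float64 { return CalculateEntropy(data) / 8.0 }

// ClassifyEntropy applies the documented thresholds; placing the boundary values 4.0, 6.5 and 7.5 in the lower class is this example's assumption.
func ClassifyEntropy(e float64) EntropyClass {
	switch {
	case e < 4.0:
		return EntropyLow
	case e <= 6.5:
		return EntropyNormal
	case e <= 7.5:
		return EntropyHigh
	}
	return EntropyPacked
}

// EntropyMatch reports whether two entropies differ by at most tolerance (the page recommends 0.5 for family matching).
func EntropyMatch(e1, e2, tolerance float64) bool { return math.Abs(e1-e2) <= tolerance }

func main() { println("class of 'abababab':", ClassifyEntropy(CalculateEntropy([]byte("abababab")))) }
```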
func (EntropyClass) String
func (c EntropyClass) String() string
type EntropyProfile
type EntropyProfile struct {
	// Overall entropy of the function body
	Overall float64
	// Entropy of string literals within the function
	StringLiteralEntropy float64
	// Entropy classification
	Classification EntropyClass
}
Captures entropy characteristics for malware analysis.
func CalculateEntropyProfile
func CalculateEntropyProfile(bodyBytes []byte, stringLiterals []string) EntropyProfile
Builds a complete entropy profile for analysis.
type FunctionTopology
type FunctionTopology struct {
	FuzzyHash string
	// Basic metrics
	ParamCount  int
	ReturnCount int
	BlockCount  int
	InstrCount  int
	LoopCount   int
	BranchCount int // if statements
	PhiCount    int
	// Complexity metrics
	CyclomaticComplexity int
	// Call profile: map of "package.func" or "method" -> count
	CallSignatures map[string]int
	// Granular instruction tracking
	InstrCounts map[string]int
	// Type signature (normalized)
	ParamTypes  []string
	ReturnTypes []string
	// Control flow features
	HasDefer   bool
	HasRecover bool
	HasPanic   bool
	HasGo      bool
	HasSelect  bool
	HasRange   bool
	// Operator profile
	BinOpCounts map[string]int
	UnOpCounts  map[string]int
	// String literal hashes (for behavioral matching)
	StringLiterals []string
	// Entropy analysis for obfuscation detection
	EntropyScore   float64
	EntropyProfile EntropyProfile
	// contains filtered or unexported fields
}
FunctionTopology captures the structural "shape" of a function independent of names.
func ExtractTopology
func ExtractTopology(fn *ssa.Function) *FunctionTopology
ExtractTopology analyzes an SSA function and extracts its structural features.