EresusSecurity

Symbol and Native Loader Rules

Detects dangerous exported symbols, native library load hooks, and unresolved entry points in model runtimes.

Definition

The Symbols rule family turns findings on this surface into actionable records with rule ID, severity, CWE, OWASP LLM mapping, owner, release decision, and retest command.

Model pipelines often bridge Python, Rust, C++, CUDA, and native extensions. Symbol-level issues can bypass application-layer review.

Supported inputs

  • .so
  • .dylib
  • .dll
  • Python extension modules
  • CUDA kernels

Typical attack scenarios

  • A native extension exports an unexpected init hook.
  • A model runtime loads a shared library from a writable directory.
  • An unresolved entry point masks a dependency confusion issue.

Detection logic

Sentinel ties Symbols evidence to reproducible signals such as file path, metadata, opcode, AST node, manifest field, dependency, or archive entry. The same signal should disappear when the finding is closed.

Triage

Do not read Symbols findings as scanner noise. Verify the evidence first, map the finding to a severity-based release decision, and then produce closure evidence with the same Sentinel command.

Operational checklist
  • Source: where did the file, manifest, prompt, archive, or dependency come from?
  • Impact: code execution, data leakage, supply chain, or resource consumption?
  • Control: allowlist, hash, sandbox, egress policy, or secret rotation?
  • Evidence: does the same rule category return clean after the fix?

Remediation

Remediation should change the risk boundary, not merely silence the finding: remove executable formats, pin source or hash, narrow tool permissions, rotate secrets, or add runtime sandboxing.

CI policy

sentinel-policy.yml
category: SYM
fail_on:
  - CRITICAL
  - HIGH
ticket_on:
  - MEDIUM
retest: "sentinel sast ./src/ --rule SYM"

Rule index

Rule ID | Severity | Title | CWE | Fix Hint
SYM-DANGEROUS-EXPORT | HIGH | Dangerous Native Export | CWE-749 | Block native plugins with dangerous exports unless explicitly approved.
SYM-NATIVE-LOAD-HOOK | HIGH | Unsafe Native Load Hook | CWE-829 | Pin native loader paths to signed artifacts.
SYM-UNRESOLVED-ENTRYPOINT | LOW | Unresolved Native Entrypoint | CWE-477 | Keep native runtime ABI and extension versions aligned.

SYM-DANGEROUS-EXPORT: Dangerous Native Export

Rule ID: SYM-DANGEROUS-EXPORT
Category: SYM
Severity: HIGH
CWE: CWE-749
OWASP LLM: LLM03 — Supply Chain
FP Risk: MEDIUM
Owner: Application security and backend/agent owner
Release decision: Treat as a release gate; remediation or explicit risk acceptance is required.

Description

Flags exported symbols associated with command execution, dynamic loading, or unsafe process control in native model extensions.

Why it matters

Model pipelines often bridge Python, Rust, C++, CUDA, and native extensions. Symbol-level issues can bypass application-layer review.

When it fires

Sentinel fires this rule in the Symbols category when it sees symbol table entries such as system, popen, execve, dlopen, LoadLibrary, or ProcessBuilder bridges. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

Symbol table entries such as system, popen, execve, dlopen, LoadLibrary, or ProcessBuilder bridges.
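
To reproduce this signal by hand during triage, the added example below (not Sentinel's implementation) classifies an `nm -D`-style listing against the names in the rule text and separates imports from exports. The sample listing, `custom_op_init`, `custom_op_forward`, and the function names are constructed for illustration.

```python
# Names from the rule text, lowercased. LoadLibrary is matched by prefix to
# cover the A/W/Ex variants; ProcessBuilder bridges are left out of this example.
DANGEROUS = {"system", "popen", "execve", "dlopen"}

# Constructed sample in the layout printed by `nm -D`: undefined symbols have
# no address column, defined (exported) symbols have one.
SAMPLE_NM = """\
                 U dlopen@GLIBC_2.34
                 U memcpy@GLIBC_2.14
                 U system@GLIBC_2.2.5
0000000000001139 T custom_op_init
0000000000001180 T custom_op_forward
00000000000011c0 T popen
                 w __gmon_start__
"""


def base_name(raw):
    """Normalise a symbol: drop the ELF version suffix and one leading underscore."""
    name = raw.split("@", 1)[0]      # dlopen@GLIBC_2.34 -> dlopen
    if name.startswith("_"):         # Mach-O _system, MSVCRT _popen
        name = name[1:]
    return name.lower()


def flag_symbols(nm_output):
    """Return (name, kind) per dangerous symbol; kind is 'import' or 'export'."""
    findings = []
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) == 2:          # "<type> <name>": undefined, resolved at load time
            kind, raw = "import", parts[1]
        elif len(parts) == 3:        # "<addr> <type> <name>": defined in this library
            kind, raw = "export", parts[2]
        else:
            continue
        name = base_name(raw)
        if name in DANGEROUS or name.startswith("loadlibrary"):
            findings.append((name, kind))
    return findings


if __name__ == "__main__":
    for name, kind in flag_symbols(SAMPLE_NM):
        print(f"SYM-DANGEROUS-EXPORT candidate: {name} ({kind})")
```

Imports of these names are common in legitimate extensions, which is consistent with the medium false-positive rating; a library that defines one of them itself, like `popen` in the sample, deserves a closer look at the source.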

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.

Triage

Operational checklist
  • Owner: Application security and backend/agent owner.
  • Decision: Treat as a release gate; remediation or explicit risk acceptance is required.
  • Evidence: Symbol table entries such as system, popen, execve, dlopen, LoadLibrary, or ProcessBuilder bridges.
  • Closure: sentinel sast ./src/ --rule SYM must return clean output.

How to fix

Review native source, remove unsafe exports, and require signed build artifacts.

CLI

sentinel sast ./src/ --rule SYM

Policy example

sentinel-policy.yml
rules:
  SYM-DANGEROUS-EXPORT:
    owner: "Application security and backend/agent owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel sast ./src/ --rule SYM"

Expected output

SYM-DANGEROUS-EXPORT HIGH
Dangerous Native Export
Block native plugins with dangerous exports unless explicitly approved.

Example

Bad
ctypes.CDLL("./plugins/libcustom_op.so")
Good
ctypes.CDLL("/opt/eresus/signed/libcustom_op.so")  # Hash verified before load.

SYM-NATIVE-LOAD-HOOK: Unsafe Native Load Hook

Rule ID: SYM-NATIVE-LOAD-HOOK
Category: SYM
Severity: HIGH
CWE: CWE-829
OWASP LLM: LLM03 — Supply Chain
FP Risk: MEDIUM
Owner: Application security and backend/agent owner
Release decision: Treat as a release gate; remediation or explicit risk acceptance is required.

Description

Detects runtime hooks or path settings that load native extensions from mutable, user-writable, or remote locations.

Why it matters

Model pipelines often bridge Python, Rust, C++, CUDA, and native extensions. Symbol-level issues can bypass application-layer review.

When it fires

Sentinel fires this rule in the Symbols category when it sees LD_LIBRARY_PATH, DYLD_LIBRARY_PATH, ctypes, cffi, or importlib paths resolving to unsafe directories. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

LD_LIBRARY_PATH, DYLD_LIBRARY_PATH, ctypes, cffi, or importlib paths resolving to unsafe directories.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.

Triage

Operational checklist
  • Owner: Application security and backend/agent owner.
  • Decision: Treat as a release gate; remediation or explicit risk acceptance is required.
  • Evidence: LD_LIBRARY_PATH, DYLD_LIBRARY_PATH, ctypes, cffi, or importlib paths resolving to unsafe directories.
  • Closure: sentinel sast ./src/ --rule SYM must return clean output.

How to fix

Load extensions from immutable directories and verify hashes before runtime activation.
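
One way to implement this fix around `ctypes.CDLL`, as an added example (not code from Sentinel or the Eresus project): the library must resolve inside a trusted root, no path component up to that root may be group- or world-writable, and the file must match a pinned SHA-256. The function names and the `trusted_root` parameter are assumptions; the default root is the directory used in the page's "Good" example.

```python
import ctypes
import hashlib
import hmac
import os
import stat

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # group- or world-writable bits


def verify_library(path, expected_sha256, trusted_root):
    """Return the resolved path if it is safe to load, otherwise raise."""
    if not os.path.isabs(path):
        raise PermissionError(f"{path}: relative path depends on the working directory")
    root = os.path.realpath(trusted_root)
    real = os.path.realpath(path)  # follows symlinks that point out of the root
    if os.path.commonpath([real, root]) != root:
        raise PermissionError(f"{real}: outside trusted root {root}")
    # Every component from the file up to the root must be immutable to other
    # users; otherwise the file can be swapped between hashing and dlopen().
    current = real
    while True:
        if os.stat(current).st_mode & LOOSE:
            raise PermissionError(f"{current}: group- or world-writable")
        if current == root:
            break
        current = os.path.dirname(current)
    with open(real, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256.lower()):
        raise ValueError(f"{real}: SHA-256 {digest} does not match the pinned value")
    return real


def load_verified(path, expected_sha256, trusted_root="/opt/eresus/signed"):
    """ctypes.CDLL wrapper that loads only a pinned library from an immutable path."""
    return ctypes.CDLL(verify_library(path, expected_sha256, trusted_root))
```

The hash check alone does not close the gap: without the permission walk, a writable directory lets the file change after it was hashed and before the loader opens it.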

CLI

sentinel sast ./src/ --rule SYM

Policy example

sentinel-policy.yml
rules:
  SYM-NATIVE-LOAD-HOOK:
    owner: "Application security and backend/agent owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel sast ./src/ --rule SYM"

Expected output

SYM-NATIVE-LOAD-HOOK HIGH
Unsafe Native Load Hook
Pin native loader paths to signed artifacts.

Example

Bad
ctypes.CDLL("./plugins/libcustom_op.so")
Good
ctypes.CDLL("/opt/eresus/signed/libcustom_op.so")  # Hash verified before load.

SYM-UNRESOLVED-ENTRYPOINT: Unresolved Native Entrypoint

Rule ID: SYM-UNRESOLVED-ENTRYPOINT
Category: SYM
Severity: LOW
CWE: CWE-477
OWASP LLM: LLM03 — Supply Chain
FP Risk: HIGH
Owner: Application security and backend/agent owner
Release decision: Plan as hygiene work; raise policy strictness if the same pattern grows.

Description

Reports missing or deprecated native symbols that can break runtime safety checks or cause fallback behavior.

Why it matters

Model pipelines often bridge Python, Rust, C++, CUDA, and native extensions. Symbol-level issues can bypass application-layer review.

When it fires

Sentinel fires this rule in the Symbols category when it sees symbol resolution failure for expected inference, validation, or sandbox functions. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

Symbol resolution failure for expected inference, validation, or sandbox functions.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is high. The finding is still useful for policy tuning; request owner review, sample file, and retest output before making a release decision.

Triage

Operational checklist
  • Owner: Application security and backend/agent owner.
  • Decision: Plan as hygiene work; raise policy strictness if the same pattern grows.
  • Evidence: Symbol resolution failure for expected inference, validation, or sandbox functions.
  • Closure: sentinel sast ./src/ --rule SYM must return clean output.

How to fix

Rebuild the extension against the expected runtime and remove deprecated entry points.

CLI

sentinel sast ./src/ --rule SYM

Policy example

sentinel-policy.yml
rules:
  SYM-UNRESOLVED-ENTRYPOINT:
    owner: "Application security and backend/agent owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel sast ./src/ --rule SYM"

Expected output

SYM-UNRESOLVED-ENTRYPOINT LOW
Unresolved Native Entrypoint
Keep native runtime ABI and extension versions aligned.

Example

Bad
ctypes.CDLL("./plugins/libcustom_op.so")
Good
ctypes.CDLL("/opt/eresus/signed/libcustom_op.so")  # Hash verified before load.
