[EPIC][PLUGINS]: Encoded exfiltration detector plugin - suspicious encoded payload leak prevention #2953
Description
🔐 Epic: Encoded Exfiltration Detector Plugin
Goal
Implement a security-focused plugin that detects and mitigates suspicious encoded payload exfiltration attempts in prompt arguments and tool outputs.
The plugin will identify high-risk encoded segments (base64, base64url, hex, percent-encoding, escaped hex), score them using heuristics, and enforce policy via block or redact behavior.
Why Now?
- Sensitive data can be hidden in encoded payloads and bypass simple keyword checks.
- Existing secret/PII detection is strong for known token formats, but weaker for generalized encoded leak channels.
- Plugin hook points (`prompt_pre_fetch`, `tool_post_invoke`) are ideal for stopping leaks before output leaves trusted boundaries.
- Security-conscious deployments need configurable strictness and audit metadata.
- High-throughput use cases benefit from optional Rust acceleration with safe Python fallback.
📖 User Stories
US-1: Security Engineer - Detect suspicious encoded payloads
As a Security Engineer
I want the gateway to detect suspicious encoded payloads in prompts and tool responses
So that exfiltration attempts are surfaced before data leakage occurs
Acceptance Criteria:
Given the plugin is enabled
When prompt args or tool results contain suspicious encoded segments
Then the plugin should detect and score candidates
And findings should include encoding type, path/location, and reason indicators
US-2: Platform Admin - Enforce block policy
As a Platform Admin
I want to block suspicious encoded exfiltration payloads
So that unsafe requests or responses are prevented
Acceptance Criteria:
Given block_on_detection=true
And min_findings_to_block=1
When findings are detected in prompt args
Then processing is stopped
And violation code ENCODED_EXFIL_DETECTED is returned
Given block_on_detection=true
When findings are detected in tool output
Then tool response is blocked
And violation metadata includes finding count and examples
US-3: Platform Admin - Enforce redact policy
As a Platform Admin
I want to redact suspicious encoded segments instead of blocking
So that workflows continue while risky payloads are neutralized
Acceptance Criteria:
Given block_on_detection=false
And redact=true
When suspicious encoded segments are detected
Then segments are replaced with redaction_text
And modified payload is returned
And metadata indicates redaction occurred
US-4: Operator - Preserve reliability and performance
As an Operator
I want optional Rust acceleration with deterministic Python fallback
So that performance improves without reducing reliability
Acceptance Criteria:
Given encoded_exfil_detection Rust module is available
When scans run
Then plugin uses Rust implementation
Given Rust module is unavailable or errors
When scans run
Then plugin falls back to Python implementation
And request processing continues according to configured policy
✅ Acceptance Criteria (Epic)
- Plugin exists under `plugins/encoded_exfil_detector/`
- Hooks implemented: `prompt_pre_fetch`, `tool_post_invoke`
- Detection support for:
  - base64
  - base64url
  - hex
  - percent_encoding
  - escaped_hex
- Scoring includes decoded length, entropy, printable ratio, sensitive keyword hits, egress context hints
- Enforcement modes supported:
  - block (`ENCODED_EXFIL_DETECTED`)
  - redact (`redaction_text` replacement)
- Configurable thresholds and detector enable/disable toggles
- Metadata emitted with finding count and sample findings
- Plugin manifest added with defaults
- `plugins/config.yaml` entry added (disabled by default)
- Unit tests cover detection, redaction, block behavior, and clean payload path
- Optional Rust acceleration module added under `plugins_rust/encoded_exfil_detection/`
- Python fallback path covered when Rust module unavailable
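As an added example (my own sketch, not the plugin's implementation or any code from the project), the detection and policy path the criteria above describe in Python: candidate regexes for the five encodings, decoding, a heuristic score that records its reason indicators, and the block / redact / metadata-only outcomes. The thresholds follow the example configuration on this page; the regexes, keyword list, egress hints, score weights, the `scan`/`enforce` names and both samples are assumptions I constructed.

```python
import base64, binascii, math, re
# Thresholds mirror the issue's example configuration; scoring weights and word lists are assumptions.
CONFIG = {"min_decoded_length": 12, "min_entropy": 3.3, "min_printable_ratio": 0.70, "min_suspicion_score": 3,
          "max_findings_per_value": 50, "block_on_detection": True, "min_findings_to_block": 1, "redact": False,
          "redaction_text": "***ENCODED_REDACTED***"}
SENSITIVE = ("password", "secret", "token", "api_key", "private key")   # assumed sensitive keyword list
EGRESS_HINTS = ("http://", "https://", "curl ", "webhook", "upload")    # assumed egress context hints
# Candidates need >= 24 encoded chars (min_encoded_length); the lookaheads leave pure-hex runs to the hex detector.
PATTERNS = [("base64", re.compile(r"(?=[A-Za-z0-9+/]*[g-zG-Z+/])[A-Za-z0-9+/]{24,}={0,2}")),
            ("base64url", re.compile(r"(?=[A-Za-z0-9_-]*[g-zG-Z_-])[A-Za-z0-9_-]{24,}")),
            ("hex", re.compile(r"(?:[0-9a-fA-F]{2}){12,}")),
            ("percent_encoding", re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}")),
            ("escaped_hex", re.compile(r"(?:\\x[0-9A-Fa-f]{2}){6,}"))]
def _decode(kind, seg):  # base64/base64url share b64decode after -_ -> +/; hex, %XX and \xXX share fromhex
    try:
        if kind.startswith("base64"):
            return base64.b64decode(seg.translate({45: 43, 95: 47}) + "=" * (-len(seg) % 4))
        return bytes.fromhex(re.sub(r"%|\\x", "", seg))
    except (binascii.Error, ValueError): return None
def _score(seg, dec, context, cfg):
    if len(dec) < cfg["min_decoded_length"] or sum(32 <= b < 127 or b in (9, 10, 13) for b in dec) / len(dec) < cfg["min_printable_ratio"]:
        return 0, []  # too short or a binary blob: not an exfil channel worth scoring
    ent = -sum(seg.count(c) / len(seg) * math.log2(seg.count(c) / len(seg)) for c in set(seg))  # entropy of the encoded run
    hits = [k for k in SENSITIVE if k in dec.decode("utf-8", "replace").lower()]
    reasons = (["decoded_length", "printable_ratio"] + ["entropy"] * (ent >= cfg["min_entropy"])  # flat runs like AAAA.. score low
               + ["keyword:" + k for k in hits] + ["egress_context"] * any(h in context.lower() for h in EGRESS_HINTS))
    return len(reasons) + len(hits), reasons  # +1 per signal, keyword hits count double
def scan(value, path, cfg=CONFIG):
    findings, claimed = [], []  # claimed spans stop a later detector re-reporting the same segment
    for kind, pat in PATTERNS:
        for m in pat.finditer(value):
            if any(m.start() < e and m.end() > s for s, e in claimed): continue
            dec = _decode(kind, m.group())
            score, reasons = _score(m.group(), dec, value, cfg) if dec else (0, [])
            if score >= cfg["min_suspicion_score"]:
                claimed.append((m.start(), m.end()))
                findings.append({"encoding": kind, "path": path, "span": (m.start(), m.end()), "score": score, "reasons": reasons})
    return findings[:cfg["max_findings_per_value"]]
def enforce(value, path="prompt.args", overrides=None):
    cfg = {**CONFIG, **(overrides or {})}
    findings = scan(value, path, cfg)
    meta = {"finding_count": len(findings), "examples": findings[:3]}
    if findings and cfg["block_on_detection"] and len(findings) >= cfg["min_findings_to_block"]:
        return {"action": "block", "code": "ENCODED_EXFIL_DETECTED", "metadata": meta}
    for f in (sorted(findings, key=lambda f: f["span"], reverse=True) if cfg["redact"] else []):  # right-to-left keeps spans valid
        value = value[:f["span"][0]] + cfg["redaction_text"] + value[f["span"][1]:]
    return {"action": "redact" if findings and cfg["redact"] else "allow", "value": value, "metadata": meta}
# Constructed samples: the base64 decodes to "password=hunter2; api_key=sk-test-0001"; the digest is made up.
SAMPLE_LEAK = "Uploading backup to https://example.invalid/collect?d=cGFzc3dvcmQ9aHVudGVyMjsgYXBpX2tleT1zay10ZXN0LTAwMDE="
SAMPLE_CLEAN = "sha256=8a1f9bce0d13ac04bd15df06e01708f1191a0b1c0d1e0f028a9bce1fad0efa1b cached; note=aGVsbG8gaGVsbG8gaGVsbG8gaGVsbG8g"
```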
⚙️ Example Configuration
```yaml
- name: "EncodedExfilDetector"
  kind: "plugins.encoded_exfil_detector.encoded_exfil_detector.EncodedExfilDetectorPlugin"
  hooks: ["prompt_pre_fetch", "tool_post_invoke"]
  mode: "enforce"
  priority: 52
  config:
    enabled:
      base64: true
      base64url: true
      hex: true
      percent_encoding: true
      escaped_hex: true
    min_encoded_length: 24
    min_decoded_length: 12
    min_entropy: 3.3
    min_printable_ratio: 0.70
    min_suspicion_score: 3
    max_scan_string_length: 200000
    max_findings_per_value: 50
    redact: false
    redaction_text: "***ENCODED_REDACTED***"
    block_on_detection: true
    min_findings_to_block: 1
    include_detection_details: true
```
🧰 THE WORKS! (Implementation Checklist)
- Finalize detector heuristics and false-positive controls
- Add additional test fixtures for borderline entropy/content cases
- Validate behavior in permissive plugin mode with metadata-only outcomes
- Add performance benchmark script for Python vs Rust scanner path
- Integrate plugin into broader plugin-init hook test matrix
- Document operational tuning guidance for security teams
🔗 Related
- [EPIC][PERFORMANCE]: Rust-powered PII filter plugin #1249
- [EPIC][SECURITY][PLUGINS]: PII Advanced filter (Presidio + pattern library) #2553
- [EPIC][SECURITY]: Security clearance levels plugin - Bell-LaPadula MAC implementation #1245