Make possibly-missing WBCL values ternary-typed (#226)

2024-12-18 20:47:57 +00:00 · 2021-06-21 14:10:45 -07:00 · 2021-06-21 14:10:45 -07:00 · 1b4849d2c3
commit 1b4849d2c3
parent 0a3c6e82bf
2 changed files with 24 additions and 11 deletions
--- a/attest/win_events.go
+++ b/attest/win_events.go
@ -146,6 +146,16 @@ const (
 	BitlockerStatusRecovery = 0x40
 )

+// Ternary describes a boolean value that can additionally be unknown.
+type Ternary uint8
+
+// Valid Ternary values.
+const (
+	TernaryUnknown Ternary = iota
+	TernaryTrue
+	TernaryFalse
+)
+
 // WinEvents describes information from the event log recorded during
 // bootup of Microsoft Windows.
 type WinEvents struct {
@ -169,19 +179,16 @@ type WinEvents struct {
 	KernelDebugEnabled bool
 	// DEPEnabled is true if NX (Data Execution Prevention) was consistently
 	// reported as enabled.
-	DEPEnabled bool
+	DEPEnabled Ternary
 	// CodeIntegrityEnabled is true if code integrity was consistently
 	// reported as enabled.
-	CodeIntegrityEnabled bool
+	CodeIntegrityEnabled Ternary
 	// TestSigningEnabled is true if test-mode signature verification was
 	// ever reported as enabled.
 	TestSigningEnabled bool
 	// BitlockerUnlocks reports the bitlocker status for every instance of
 	// a disk unlock, where bitlocker was used to secure the disk.
 	BitlockerUnlocks []BitlockerStatus
-
-	seenDep           bool
-	seenCodeIntegrity bool
 }

 // WinModuleLoad describes a module which was loaded while
@ -346,8 +353,11 @@ func (w *WinEvents) readBooleanInt64Event(header microsoftEventHeader, r *bytes.
 	// Boolean signals that latch off if the are ever false (ie: attributes
 	// that represent a stronger security state when set).
 	case dataExecutionPrevention:
-		w.DEPEnabled = isSet && !(w.DEPEnabled != isSet && w.seenDep)
-		w.seenDep = true
+		if isSet && w.DEPEnabled == TernaryUnknown {
+			w.DEPEnabled = TernaryTrue
+		} else if !isSet {
+			w.DEPEnabled = TernaryFalse
+		}
 	}
 	return nil
 }
@ -375,8 +385,11 @@ func (w *WinEvents) readBooleanByteEvent(header microsoftEventHeader, r *bytes.R
 	// Boolean signals that latch off if the are ever false (ie: attributes
 	// that represent a stronger security state when set).
 	case codeIntegrity:
-		w.CodeIntegrityEnabled = isSet && !(w.CodeIntegrityEnabled != isSet && w.seenCodeIntegrity)
-		w.seenCodeIntegrity = true
+		if isSet && w.CodeIntegrityEnabled == TernaryUnknown {
+			w.CodeIntegrityEnabled = TernaryTrue
+		} else if !isSet {
+			w.CodeIntegrityEnabled = TernaryFalse
+		}
 	}
 	return nil
 }
--- a/attest/win_events_test.go
+++ b/attest/win_events_test.go
@ -27,8 +27,8 @@ func TestParseWinEvents(t *testing.T) {
 	want := &WinEvents{
 		ColdBoot:             true,
 		BootCount:            4,
-		DEPEnabled:           true,
-		CodeIntegrityEnabled: true,
+		DEPEnabled:           TernaryTrue,
+		CodeIntegrityEnabled: TernaryTrue,
 		BitlockerUnlocks:     []BitlockerStatus{0, 0},
 		LoadedModules: map[string]WinModuleLoad{
 			"0fdce7d71936f79445e7d2c84cbeb97c948d3730e0b839166b0a4e625c2d4547": WinModuleLoad{