🛡️ RASP.Net

Runtime Application Self-Protection (RASP) for High-Scale .NET Services Defense that lives inside your application process, operating at the speed of code.

---

🎮 Why This Matters for Gaming Security

The Problem: Multiplayer game services process millions of transactions per second. Traditional WAFs introduce network latency and cannot see inside the encrypted gRPC payload or understanding game logic context.

The Solution: RASP.Net acts as a last line of defense inside the game server process. It instruments the runtime to detect attacks that bypass perimeter defenses, detecting logic flaws like item duplication exploits or economy manipulation.

Key Engineering Goals:

1. Zero GC Pressure: Security checks must NOT trigger Garbage Collection pauses that cause frame drops/lag.
2. Sub-Microsecond Latency: Checks happen in nanoseconds, not milliseconds.
3. Defense in Depth: Complements kernel-level Anti-Cheat (BattlEye/EAC) by protecting the backend API layer.

---

⚡ Performance Benchmarks

Methodology: Benchmarks isolate the intrinsic cost of the SqlInjectionDetectionEngine using BenchmarkDotNet. Hardware: AMD Ryzen 7 7800X3D (4.2GHz) | Runtime: .NET 10.0.2

Payload Size	Scenario	Mean Latency	Allocation	Verdict
100 Bytes	✅ Safe Scan (Hot Path)	4.3 ns	0 Bytes	Zero-Alloc 🚀
	🛡️ Attack Detected	202.0 ns	232 Bytes	Blocked
1 KB	✅ Safe Scan (Hot Path)	16.4 ns	0 Bytes	Zero-Alloc 🚀
	🛡️ Attack Detected	1,036 ns	232 Bytes	Blocked
10 KB	✅ Safe Scan (Hot Path)	141.0 ns	0 Bytes	Zero-Alloc 🚀
	⚠️ Deep Inspection	5,871 ns	0 Bytes	Suspicious

Key Takeaway:

• Hot Path Optimization: For 99% of legitimate traffic (Safe Scan), the engine uses vectorized SIMD checks (SearchValues<T>), incurring negligible overhead (~4ns).
• Zero Allocation: The inspection pipeline uses stackalloc and Span<T> buffers, ensuring 0 GC Pressure during routine checks.
• Deep Inspection: Only when suspicious characters (e.g., ', --) are detected does the engine perform full normalization, costing a few microseconds but protecting the app.

---

🛡️ Security Analysis & Threat Modeling

This repository contains professional-grade security documentation demonstrating Purple Team capabilities.

📄 Threat Model & Attack Scenarios

A comprehensive STRIDE analysis of the Game Economy architecture.

• Vectors: gRPC SQL Injection, Protobuf Tampering, GC Pressure DoS.
• Validation: Python exploit walkthroughs and mitigation strategies.

🕵️ Reverse Engineering & Anti-Tamper

A deep dive into the Native C++ Protection Layer.

• Internals: Analysis of IsDebuggerPresent, PEB manipulation, and timing checks.
• Bypasses: Documentation of known evasion techniques (ScyllaHide, Detours) to demonstrate adversarial thinking.
• Roadmap: Advanced heuristics (RDTSC/SEH) for Phase 2.

---

🏗️ Architecture: Composite Solution

This repository utilizes a Composite Architecture Strategy.
It is designed to develop and validate the Security SDK (Rasp.*) by instrumenting a real-world "Victim" application (dotnet-grpc-library-api) without polluting its source code.

📂 Structure

Directory	Component	Description
src/	🛡️ The Defense (SDK)	The RASP Source Code.
├── Rasp.Core	🧠 Kernel	Detection engine & telemetry contracts
├── Rasp.Instrumentation.Grpc	📡 Sensor	gRPC request interceptors
├── Rasp.Bootstrapper	⚙️ Loader	DI extensions (AddRasp())
modules/	🎯 The Victim (Target)	Git submodules
└── dotnet-grpc-library-api	🏛️ App	Clean Architecture sample

---

🛡️ How It Works (Attack Flow)

sequenceDiagram
    participant Attacker
    participant gRPC as gRPC Gateway
    participant RASP as 🛡️ RASP.Net
    participant GameAPI as Game Service
    participant DB as Database
    
    Note over Attacker,RASP: 🔴 Attack Scenario: Item Duplication
    Attacker->>gRPC: POST /inventory/add {item: "Sword' OR 1=1"}
    gRPC->>RASP: Intercept Request
    
    activate RASP
    RASP->>RASP: ⚡ Zero-Alloc Inspection
    RASP-->>Attacker: ❌ 403 Forbidden (Threat Detected)
    deactivate RASP
    
    Note over Attacker,DB: 🟢 Legitimate Scenario
    Attacker->>gRPC: POST /inventory/add {item: "Legendary Sword"}
    gRPC->>RASP: Intercept Request
    
    activate RASP
    RASP->>GameAPI: ✅ Clean - Forward Request
    deactivate RASP
    
    GameAPI->>DB: INSERT INTO inventory...
    DB-->>GameAPI: Success
    GameAPI-->>Attacker: 200 OK

Loading

---

🚀 Setup & Build

⚠️ CRITICAL: This repository relies on submodules. A standard clone will result in missing projects.

1. Clone Correctly

Use the --recursive flag to fetch the Target Application code:

git clone --recursive https://github.com/JVBotelho/RASP.Net.git

If you have already cloned without the flag:

git submodule update --init --recursive

2. Build the Composite Solution

We use a "God Mode" solution file (Rasp_Dev.sln) that links both the SDK and the Victim App for a unified debugging experience.

dotnet build Rasp_Dev.sln

---

🔧 Troubleshooting

Problem: Submodule 'modules/dotnet-grpc-library-api' not found
Solution: Run git submodule update --init --recursive

Problem: The type or namespace name 'Rasp' could not be found
Solution: Ensure you're opening Rasp_Dev.sln, not individual .csproj files

Problem: gRPC service not starting
Solution: Check if port 5001 is already in use: netstat -ano | findstr :5001

---

🧪 Development Workflow

The Composite Solution allows you to debug the SDK as if it were part of the application, while keeping git histories separate.

1. Open Rasp_Dev.sln in Rider or Visual Studio.
2. Set Startup Project: Select LibrarySystem.Api (from the modules folder).
3. Debug: Breakpoints in Rasp.Instrumentation.Grpc will be hit when requests are sent to the API.

---

🛑 Rules of Engagement

• Modify src/: Commits go to this repository (RASP.Net).
• Modify modules/: Commits go to the dotnet-grpc-library-api repository. Do not modify the victim code unless necessary for integration hooks.

---

🛡️ Security & Performance Goals

• Zero-Allocation Hot Paths: Usage of Span<T> and frozen collections to minimize GC pressure during inspection.
• Observability First: Native OpenTelemetry integration (System.Diagnostics.ActivitySource).
• Safe by Design: Strict mode enabled (<TreatWarningsAsErrors>true).

---

🎯 Roadmap

• Phase 1: Setup & Vulnerability injection in Target App
• Phase 2: gRPC Interceptor with payload inspection
• Phase 3: EF Core Interceptor with SQL analysis 🚧 IN PROGRESS
• Phase 4: Benchmarks & Documentation

---

🤝 Contributing

This is an educational/research project for Advanced AppSec Training.
Contributions are welcome via pull requests. Please ensure:

• All tests pass (dotnet test)
• Code follows .NET conventions (dotnet format)
• Security improvements are documented

---

📖 References

• OWASP RASP
• gRPC Interceptors in .NET
• EF Core Interceptors

---

📜 License

MIT License - Free and open source.

Copyright (c) 2025 RASP.Net Contributors

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software.

TL;DR:

• ✅ Use commercially, modify, distribute, private use
• ✅ No restrictions on derivative works
• ⚠️ Provided "as is" without warranty
• 📋 Must include license notice in copies

See LICENSE for full terms.

---

Found a security issue? See SECURITY.md for responsible disclosure.

---

⚡ Built with .NET 10 Preview | Powered by Clean Architecture