- Rich CLI interface with live updates
- Process status visualization
- Scrollable process list with pagination
- AI analysis results view with pagination
- Arrow key navigation between views
- Group process analysis display
- Process selection interface
- Web interface for remote management
- Mobile monitoring interface
- OpenRouter API integration
- Group process analysis
- Basic error handling
- Process context gathering
- Proper JSON response handling
- Retry mechanism for API failures
- Rate limiting implementation
- Analysis result caching
- Enhanced application metrics
- Custom model training support
- Basic certificate management
- Initial state security implementation
- Group-based security analysis
- PGP-based state encryption system
- Secure memory management for keys
- Certificate rotation and verification
- Secure backup and recovery mechanisms
- Runtime security verification
- State integrity checking
- Hardware security module support
- TPM integration
- Basic UI responsiveness
- Process monitoring
- Memory usage optimization
- Grouped API calls
- Resource usage reduction
- Startup time improvement
- Operation speed increase
- Network performance optimization
Hi! I created the Dynamic Tunnel Manager (DTM) out of a personal need to protect applications from local tampering. While I'm not a cybersecurity researcher, I noticed a significant gap in how traditional tunneling solutions handle local application security. Most existing solutions use static configurations that can be easily predicted and manipulated.
The idea for DTM came from a simple question: "What if the target kept moving?" By implementing continuous port rotation and adding AI-powered analysis, I aimed to create a system where potential threats would face a constantly changing landscape. While I've successfully implemented the core tunneling and port rotation features, I'm actively seeking collaboration from the community, especially in:
- AI Integration: The GPT-4 integration needs improvement to provide better security analysis
- State Security: The PGP-based security system requires expertise to properly implement
- Performance Optimization: Ensuring smooth operation with minimal resource usage
I believe in open collaboration and welcome contributions from security experts, developers, and enthusiasts who share the vision of making application security more dynamic and resilient. If you're interested in contributing, especially in the areas marked as TODO, please reach out!
The AI analysis system currently needs improvements:
# Current implementation in ai_analysis.py
async def analyze_application(self, app_info: ApplicationInfo) -> Dict[str, Any]:
"""
Needed improvements:
- Proper error handling for API responses
- Retry mechanism for failed requests
- Rate limiting implementation
- Response validation
- Fallback model support
"""Help Needed:
- Structured JSON response handling
- Retry mechanism for API failures
- Rate limiting implementation
- Response validation and error handling
- Fallback model implementation
The state_security.py module provides robust security features but needs integration:
# Need to integrate with main application
class SecureStateManager:
"""State manager with PGP encryption and verification."""
def __init__(self, pgp: PGPStateEncryption, progress: Optional[Progress] = None):
self.pgp = pgp
self.state_dirs = {
'state': Path("~/.dtm/state").expanduser(),
'backups': Path("~/.dtm/backups").expanduser(),
'certificates': Path("~/.dtm/certificates").expanduser()
}Integration Points Needed:
-
Certificate Management
- Integration with TunnelManager for secure certificate handling
- Implementation of certificate rotation
- Secure cleanup procedures
-
State Management
- Integration with main application state
- Secure configuration storage
- Runtime state protection
-
Memory Security
- Implementation of secure memory allocation
- Platform-specific memory protection
- Anti-dumping mechanisms
-
AI Analysis
# Example of desired AI analysis implementation async def analyze_application(self, app_info: ApplicationInfo) -> Dict[str, Any]: """ Needed: Proper implementation of application analysis - Structured context creation - Reliable API communication - Error handling and retries - Response validation """ pass
-
State Security
# Example of needed state security integration class DTMApplication: async def initialize(self): """ Need to implement: - Secure state initialization - Certificate management - Memory protection - State backup/recovery """ self.state_manager = SecureStateManager(...) await self.state_manager.initialize()
If you have expertise in:
- OpenAI API integration
- Memory security implementation
- PGP-based encryption systems
- Python async programming
Please consider contributing to these critical areas. The core functionality works, but these security enhancements will make the application more robust and secure.
- Update to OpenRouter API implementation
- Implement proper JSON response handling
- Add retry mechanism for API failures
- Enhance analysis context with more detailed application metrics
- Implement rate limiting and error handling
- Add caching for repeated analysis requests
- Improve error messages for failed analyses
- Add fallback model support (Claude-2)
- Implement streaming responses for real-time analysis
- Integrate PGP-based state encryption system
- Implement secure memory management for keys
- Add certificate rotation and verification
- Setup secure backup and recovery mechanisms
- Implement runtime security verification
- Add state integrity checking
A secure and automated system for managing dynamic, encrypted tunnels for network applications with AI-driven optimization and state-based security.
- SSL/TLS Tunneling: Automated tunnel creation with certificate management
- Dynamic Port Rotation: Automatic port changes every 10 seconds
- Traffic Isolation: Secure encapsulation of application traffic
- State Security: PGP-based encryption for all state data
- Group Process Analysis: Automatic analysis of all instances of the same application
- Real-time traffic pattern analysis
- Security risk assessment
- Behavioral anomaly detection
- Automatic threat response
- Performance optimization recommendations
- OpenRouter API integration with GPT-4
- Grouped application analysis for better context
- Automatic application discovery
- Real-time connection monitoring
- Process state tracking
- Dynamic resource allocation
- Multi-instance process handling
- Rich CLI interface with live updates
- Process status visualization
- Security metrics display
- Interactive controls
- Scrollable process list with pagination
- AI analysis results view with pagination
- Intuitive navigation between views
- Group process analysis display
↑/↓: Scroll through processes→: Switch to AI Analysis viewT: Toggle auto-tunnelingR: Force port rotationQ: Quit
←: Switch back to Main view↑/↓: Scroll through analysesP: Analyze process (includes all instances)ESC: Cancel inputQ: Quit
↑/↓: Navigate through processesENTER: Select process for analysisESC: Cancel selection
- Default port range: 5000-6000
- Rotation interval: 10 seconds
- Configurable in
config/config.json
- Certificate directory:
config/certificates/ - State directory:
~/.dtm/state/ - Backup directory:
~/.dtm/backups/
- Model: GPT-4 via OpenRouter
- Analysis interval: 60 seconds
- Security threshold: 0.7
- Configurable in
config/config.json
- Implemented pagination for process list
- Added scrolling functionality with visual indicators
- Improved navigation between views using arrow keys
- Enhanced process selection interface
- Added group process analysis for better context
- Integrated OpenRouter API for improved analysis
- Added support for analyzing multiple instances of the same application
- Enhanced analysis context with application state information
- Improved error handling and retry mechanisms
- Enhanced certificate management
- Improved state security implementation
- Added group-based security analysis
- Enhanced memory protection mechanisms
- Improved UI responsiveness
- Enhanced process monitoring
- Optimized memory usage
- Reduced API calls through grouped analysis
- Clone the repository:
git clone https://github.com/yourusername/dynamic-tunnel-manager.git
cd dynamic-tunnel-manager- Create and activate a virtual environment:
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate- Install dependencies:
pip install -r requirements.txt- Configure OpenRouter API:
Create
config/config.jsonwith your OpenRouter API key:
{
"openrouter": {
"api_key": "your-api-key-here",
"base_url": "https://openrouter.ai/api/v1",
"model": "openai/gpt-4",
"fallback_model": "anthropic/claude-2"
}
}- Start the Dynamic Tunnel Manager:
python main.py-
Use arrow keys to navigate:
- Right arrow (→) to switch to AI Analysis
- Left arrow (←) to return to Main view
- Up/Down arrows (↑/↓) to scroll through lists
- Enter to select a process for analysis
-
The application will automatically analyze all instances of the same process when selected.
The state security system provides multiple layers of protection:
-
PGP Encryption Layer
- Runtime key generation
- Secure key storage
- State encryption/decryption
- Certificate management
-
Memory Protection
- Secure memory allocation
- Runtime memory locking
- Key isolation
- Anti-dumping mechanisms
-
State Verification
- Hash-based integrity checking
- State backup management
- Atomic state updates
- Recovery mechanisms
-
Certificate Management
- Automatic certificate rotation
- Secure storage
- Verification chains
- Backup management
- Runtime memory protection
- State integrity verification
- Secure key management
- Atomic state operations
- Automatic backup creation
- Platform-specific security
- Certificate rotation
- Secure cleanup procedures
- Python 3.9+
- OpenRouter API key (for AI analysis)
- GnuPG (for state security)
- Required Python packages (see
requirements.txt)
pytest tests/- Never store sensitive data in plaintext
- Use atomic operations for state changes
- Implement proper cleanup procedures
- Follow secure coding practices
- Regular security audits
- Application logs:
logs/dtm.json - Structured JSON format
- Security event tracking
- Performance metrics
- Error tracking
- Fork the repository
- Create feature branch
- Implement changes
- Add tests
- Submit pull request
MIT License - see LICENSE file for details
For support:
- Check documentation
- Search existing issues
- Create new issue
This tool handles sensitive security operations. Always:
- Keep your API keys secure
- Regularly update dependencies
- Monitor security advisories
- Follow security best practices
- Regularly rotate certificates
The state security system implements a zero-trust architecture where no data is permanently stored on disk in its original form. All state data, including certificates and configurations, exists only in secure, isolated memory during runtime.
-
Secure Memory Allocation
- Platform-specific secure memory pages are allocated
- Memory is locked to prevent swapping to disk
- Anti-dumping mechanisms prevent memory extraction
-
Runtime Password Generation
# Example of runtime password generation password = [ random(uppercase), random(lowercase), random(digits), random(special) ] + random(all_chars, length=28) shuffle(password) # Cryptographically secure shuffle
-
Key Isolation
- Private keys are generated in isolated memory blocks
- Keys never touch disk storage
- Memory is protected from other processes
- Automatic cleanup on process termination
-
Initial State
Runtime Start ├── Generate Runtime ID (32 bytes random) ├── Create Secure Memory Store └── Initialize PGP State Encryption -
Memory Protection
Secure Memory ├── Platform Detection │ ├── Windows: Basic Memory Mapping │ └── Unix: MAP_PRIVATE | MAP_ANONYMOUS ├── Memory Locking │ ├── mlock() on Unix │ └── VirtualLock() on Windows └── Anti-Dumping Mechanisms -
Key Management
Key Lifecycle ├── Runtime Password Generation ├── Private Key Generation in Memory ├── Public Key Derivation └── Secure Key Storage in Memory
- All sensitive data exists only in memory
- No sensitive data is written to disk
- Encrypted backups use different keys
- Automatic memory wiping on exit
-
Memory Layer
- Fernet symmetric encryption
- Runtime-generated keys
- Memory-only key storage
-
State Layer
- PGP asymmetric encryption
- Runtime-generated keypair
- Zero-disk-exposure
Certificate Lifecycle
├── Generation
│ ├── In-Memory Generation
│ ├── Runtime Encryption
│ └── Encrypted Storage
├── Usage
│ ├── Decrypt in Secure Memory
│ ├── Use for Tunneling
│ └── Immediate Cleanup
└── Rotation
├── New Certificate Generation
├── Atomic Replacement
└── Old Certificate Cleanup
- Backups are always encrypted
- Different encryption keys than runtime
- Atomic write operations
- Secure cleanup of old backups
Recovery Flow
├── Backup Verification
├── Secure Memory Allocation
├── Encrypted State Loading
└── State Verification
Current Implementation:
config/certificates/
├── cert.pem # Unencrypted, vulnerable to tampering
└── key.pem # Sensitive key material exposed on disk
The current system stores SSL/TLS certificates and private keys in plaintext, making them vulnerable to:
- Direct file manipulation
- Key extraction
- Certificate tampering
- Unauthorized copying
Current State Storage:
- Configuration stored in plaintext JSON
- No runtime state protection
- Predictable file locations
- No integrity verification
Current Memory Handling:
- Keys loaded directly into process memory
- No protection against memory dumps
- Swappable memory pages
- No secure cleanup procedures
class CertificateManager:
async def store_certificate(self, cert_id: str, cert_data: bytes, metadata: Dict[str, Any]):
# Double encryption for certificates
fernet = Fernet(Fernet.generate_key())
memory_encrypted = fernet.encrypt(cert_data)
# PGP encryption for storage
encrypted_cert = await self.state_manager.encrypt_state({
"data": b64encode(memory_encrypted).decode(),
"hash": cert_hash,
"encrypted": True
})- ✅ Certificates never exist unencrypted on disk
- ✅ Double-encryption protection
- ✅ Runtime-only key access
- ✅ Automatic rotation and cleanup
class SecureMemoryStore:
def __init__(self):
if platform.system() == 'Windows':
self._secure_memory = mmap.mmap(-1, 4096)
else:
self._secure_memory = mmap.mmap(
-1, 4096,
flags=mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS,
prot=mmap.PROT_READ | mmap.PROT_WRITE
)- ✅ Platform-specific memory protection
- ✅ Anti-dumping mechanisms
- ✅ Memory page locking
- ✅ Secure key isolation
class SecureStateManager:
async def save_state(self, state_data: Dict, filename: str):
# Encrypt state data
encrypted_data = await self.encrypt_state(state_data)
# Atomic write with backup
temp_file = self.state_dirs['state'] / f"{filename}.{os.urandom(8).hex()}.tmp"
target_file = self.state_dirs['state'] / filename- ✅ All state data encrypted
- ✅ Atomic file operations
- ✅ Automatic backups
- ✅ Integrity verification
Application Start
├── Generate Runtime ID (32 bytes random)
├── Initialize Secure Memory
│ ├── Allocate Protected Pages
│ └── Lock Memory (prevent swapping)
├── Generate Runtime Keys
│ ├── Create PGP Keypair
│ └── Store in Secure Memory
└── Initialize State Manager
├── Load Encrypted State
├── Verify Integrity
└── Setup Certificate Manager
-
Certificate Protection
- Before: Plaintext files on disk
- After: Double-encrypted, memory-only access
-
Memory Security
- Before: Standard process memory
- After: Protected pages, anti-dumping
-
State Management
- Before: Plaintext JSON files
- After: PGP-encrypted, integrity-verified
-
Key Management
- Before: Static keys on disk
- After: Runtime-generated, memory-only
-
Zero Disk Exposure
- No sensitive data written unencrypted
- All state changes atomic and verified
- Secure backup management
-
Memory Protection
- Platform-specific security
- Memory page locking
- Anti-dumping mechanisms
- Secure cleanup
-
Runtime Security
- Dynamic key generation
- Continuous verification
- Automatic rotation
- Secure cleanup
To fully implement these security features:
- Replace current certificate handling
- Integrate secure memory store
- Implement state manager
- Add runtime security checks
- Update backup procedures
- Memory dumping attempts
- Cold boot attacks
- DMA attacks
- Swap file analysis
- Process memory inspection
-
Memory Protection
- Secure memory allocation
- Page locking
- Memory wiping
- Anti-dumping techniques
-
Runtime Protection
- Process isolation
- Privilege separation
- Resource cleanup
- Signal handling
- Type hints required
- Docstrings mandatory
- Unit tests for all features
- Integration tests for security features
- Regular dependency updates
- Code review requirements
- Security audit logging
- Performance monitoring
- Function documentation
- Security considerations
- Implementation notes
- Usage examples
- Threat models
- Security assumptions
- Implementation details
- Recovery procedures
- Security-first approach
- Code review process
- Testing requirements
- Documentation updates
- Security issue template
- Bug report format
- Feature request format
- Pull request guidelines
main: Stable releasesdevelop: Developmentfeature/*: New featuressecurity/*: Security updateshotfix/*: Critical fixes
- Security audit
- Integration testing
- Documentation update
- Version tagging
- Release notes
- GPT-4 integration fixes
- State security implementation
- Memory protection enhancements
- Certificate management updates
- Additional AI models support
- Enhanced threat detection
- Performance optimizations
- Extended platform support
-
Enhanced AI Analysis
- Multiple AI model support
- Custom model training
- Behavioral learning
- Pattern recognition
-
Advanced Security
- Hardware security module support
- TPM integration
- Secure enclave usage
- Enhanced memory protection
-
Performance Optimization
- Resource usage reduction
- Startup time improvement
- Memory footprint reduction
- Operation speed increase
-
User Experience
- Web interface option
- Mobile monitoring
- Remote management
- Custom dashboards
- CPU usage tracking
- Memory utilization
- Network performance
- Security overhead
- Port rotation speed
- Encryption performance
- Memory protection impact
- Overall system load
- Required ports
- Protocol requirements
- Security rules
- Network isolation
- Bandwidth control
- Connection limits
- Traffic prioritization
- Load balancing
- CPU: Dual-core
- RAM: 4GB
- Storage: 1GB
- Python 3.9+
- CPU: Quad-core
- RAM: 8GB
- Storage: 5GB
- SSD recommended
-
Certificate Problems
- Generation failures
- Rotation issues
- Permission errors
- Storage problems
-
Memory Issues
- Allocation failures
- Protection errors
- Cleanup problems
- Resource leaks
-
State Management
- Encryption errors
- Backup failures
- Recovery issues
- Integrity problems
MIT License - See LICENSE file for details.
- OpenRouter API
- Python Cryptography Community
- Security Researchers
- Open Source Contributors
Last Updated: January 2024