Security Model & Threat Assumptions
Explicit threat model for Attested Governance Artifacts. What we defend against, what we do not, and the assumptions that underpin our guarantees.
Security Goals
What AGA Proves
AGA provides verifiable execution integrity, tamper-evident enforcement records, and portable audit evidence.
It generates cryptographic proof that a governed subject operated within authorized constraints. Every enforcement decision is signed, chained, and independently verifiable.
Adversary Model
Assumed Attacker Capabilities
The adversary model assumes an attacker with full access to the local database and network but not the cryptographic signing keys or portal runtime.
AGA provides structural integrity guarantees independent of payload confidentiality. The system is designed so that even with full visibility into stored data and network traffic, an adversary cannot forge valid receipts or tamper with the enforcement chain without detection.
Threats Addressed
What AGA Defends Against
| Threat | Defense |
|---|---|
| Binary modification | Hash comparison against sealed baseline |
| Configuration drift | Continuous measurement at policy-defined cadence |
| Unauthorized dependency changes | Checksum validation of loaded modules |
| Runtime policy bypass | Portal as mandatory execution boundary |
| Audit log tampering | Hash-linked receipt chain with structural metadata linking |
| Evidence fabrication | Merkle checkpoint anchoring to immutable storage |
| Replay attacks | Timestamped receipts with sequence numbering |
| Privilege escalation | Two-process separation; subject holds no signing keys |
| Supply chain model substitution | Sealed reference hash binds identity at build time |
| Behavioral drift in tool-call patterns | Chi-squared and z-score analysis over sliding windows, generating signed BEHAVIORAL_DRIFT receipts |
| Policy bypass via indirect execution | Phantom execution with forensic capture detects attempts to circumvent governance controls |
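The signed, hash-linked, sequence-numbered receipt chain that the audit-tampering, replay and privilege-escalation rows rely on, as an added example in Go (not AGA's own code). The receipt fields, the canonical body encoding and the use of Ed25519 are assumptions; the point it shows is that `Append` needs the private key while `Verify` needs only the public key, so a copy of the chain pulled from the database can be audited by someone who never held the signing key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Receipt is a minimal hypothetical enforcement record; field names are assumed, not AGA's.
type Receipt struct {
	Seq      uint64 // sequence number: exposes gaps and replayed receipts
	Ts       int64  // Unix timestamp of the decision
	Decision string // e.g. "ALLOW tool=read_file"
	Prev     string // hex SHA-256 of the previous receipt body (the hash link)
	Sig      []byte // Ed25519 signature over body(); only the Portal holds the key
}

// body is the canonical byte string that is hashed and signed; digest is its hex SHA-256.
func body(r Receipt) []byte { return []byte(fmt.Sprintf("%d|%d|%s|%s", r.Seq, r.Ts, r.Decision, r.Prev)) }
func digest(r Receipt) string { h := sha256.Sum256(body(r)); return hex.EncodeToString(h[:]) }
// Append is the Portal's side: the governed subject never sees priv (two-process separation).
func Append(priv ed25519.PrivateKey, chain []Receipt, ts int64, decision string) []Receipt {
	r := Receipt{Seq: uint64(len(chain)), Ts: ts, Decision: decision}
	if n := len(chain); n > 0 {
		r.Prev = digest(chain[n-1])
	}
	r.Sig = ed25519.Sign(priv, body(r))
	return append(chain, r)
}
// Verify is the auditor's side: it needs only the public key, so anyone holding a copy
// of the chain (e.g. pulled from the database) can check it independently.
func Verify(pub ed25519.PublicKey, chain []Receipt) error {
	for i, r := range chain {
		if !ed25519.Verify(pub, body(r), r.Sig) {
			return fmt.Errorf("receipt %d: bad signature (tampered or forged)", i)
		}
		if r.Seq != uint64(i) {
			return fmt.Errorf("receipt %d: sequence gap or replay (seq %d)", i, r.Seq)
		}
		if i > 0 && r.Prev != digest(chain[i-1]) {
			return fmt.Errorf("receipt %d: broken hash link", i)
		}
		if i > 0 && r.Ts < chain[i-1].Ts {
			return fmt.Errorf("receipt %d: timestamp regression", i)
		}
	}
	return nil
}
```

Because the signature covers `Seq` and `Prev` as well as the decision, editing a stored receipt, reordering receipts, deleting one from the middle or re-inserting an old one all fail verification, and a key the Portal never used cannot extend the chain.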
Threats Not Addressed
Explicit Exclusions
- Kernel-level or hypervisor compromise of the portal host
- Hardware microcode or firmware attacks
- Adversarial prompt manipulation at the model level (semantic drift at inference time remains outside scope)
- Side-channel attacks on the signing key
- Social engineering of the policy issuer
Note: AGA now addresses behavioral drift at the tool-call level via statistical analysis over sliding windows. Model-level semantic defenses remain complementary but separate. Listing what we do not address is intentional transparency, not an admission of limitation.
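One way to realise the sliding-window chi-squared and z-score analysis just described, as an added example in Go (not AGA's own code). The baseline tool-mix shares, the window length, the call-rate statistics and the thresholds are constructed values; in particular `ChiCrit` must be chosen for the number of baseline tools minus one degrees of freedom (9.21 is the 1% critical value for two degrees of freedom).

```go
package main

import "math"

// Baseline is a constructed profile of the share of calls each permitted tool normally receives
// (not AGA's data). Shares are exact binary fractions so expected counts are exact.
var Baseline = map[string]float64{"read_file": 0.625, "search": 0.25, "shell": 0.125}

// Detector keeps the sliding window of recent tool calls and the baseline call-rate statistics.
type Detector struct {
	Window   int      // window length in calls
	ChiCrit  float64  // chi-squared critical value for len(Baseline)-1 degrees of freedom
	RateMean float64  // baseline mean calls per tick during normal operation
	RateStd  float64  // baseline standard deviation of that rate
	recent   []string // tool names of the last Window calls
}

// ChiSquared compares the observed tool mix in the window with the Baseline proportions.
// Tools absent from Baseline are a policy question (the Portal denies them), not a drift one.
func ChiSquared(window []string) float64 {
	counts := map[string]int{}
	for _, tool := range window {
		counts[tool]++
	}
	n, stat := float64(len(window)), 0.0
	for tool, share := range Baseline {
		expected := share * n
		diff := float64(counts[tool]) - expected
		stat += diff * diff / expected
	}
	return stat
}

// ZScore is how many baseline standard deviations the current call rate sits from the mean.
func (d *Detector) ZScore(rate float64) float64 { return (rate - d.RateMean) / d.RateStd }
// Observe slides the window forward by one call and reports the statistics and whether
// a BEHAVIORAL_DRIFT receipt should be emitted. It stays silent until the window is full,
// because chi-squared is unreliable on a handful of samples.
func (d *Detector) Observe(tool string, rate float64) (chi, z float64, drift bool) {
	d.recent = append(d.recent, tool)
	if len(d.recent) > d.Window {
		d.recent = d.recent[1:]
	}
	if len(d.recent) < d.Window {
		return 0, 0, false
	}
	chi, z = ChiSquared(d.recent), d.ZScore(rate)
	return chi, z, chi > d.ChiCrit || math.Abs(z) > 3
}
```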
Trust Assumptions
Foundation of Guarantees
Portal Integrity
The portal must execute within a trusted boundary. If compromised, receipt integrity cannot be guaranteed. For highest assurance, the portal should execute within a TEE, though this is not required for standard operation.
Key Custody
The policy issuer's signing key must be protected. If the signing key is compromised, forged artifacts become possible. Key rotation is supported through the continuity chain mechanism.
Verification Guarantees
Assurance Levels
| Level | Steps | Guarantees |
|---|---|---|
| Offline | Steps 1–3 | |
| Online | Step 4 | |
| Full | All steps | |
Explore the System
See how these security properties are implemented in practice across the governance architecture.
Zero-TOCTOU Guarantee for MCP Agents
For MCP-governed AI agents, the time-of-check-to-time-of-use window is zero by construction. The Portal IS the communication channel. Every tool call passes through the Portal synchronously. The agent cannot invoke a tool without the Portal evaluating it first.
If the Portal is the only path to external resources (enforced by network isolation), and every tool call is synchronously evaluated before forwarding, then the agent cannot perform any unauthorized external action. Internal computation is unconstrained, but internal computation without external action causes no harm. The moment the agent acts, it hits the Portal.
This property is specific to MCP-governed agents where the proxy is the sole communication path. For container and binary subjects, AGA uses periodic measurement with configurable cadence (100 ms to 5 s); event-driven eBPF probes are on the roadmap.
Phantom Mode Limitations
When a quarantine trigger fires, AGA transitions the agent to phantom mode: spoofed success responses, severed real effects, full forensic capture. This captures adversarial intent without alerting the agent.
A sufficiently capable agent could potentially detect phantom mode through timing analysis, response content patterns, or side channels. AGA mitigates this by profiling real response latencies during normal operation and replaying from the recorded distribution during phantom mode. The JSON-RPC envelope structure matches exactly.
The agent would need to specifically allocate reasoning capacity to phantom detection, which requires knowing phantom mode exists. The purpose is to capture intent during the observation window, not to maintain indefinite deception against a determined detection effort.
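The synchronous Portal from the two sections above, as an added example in Go (not AGA's own code): policy is evaluated in the same step that forwards the call, and once quarantined the Portal captures the call, severs the real effect and replies with a success envelope after a latency replayed from those it profiled during normal operation. The envelope shapes, the `Forward` hook and the latency sampling are assumptions.

```go
package main

import (
	"math/rand"
	"time"
)

// ToolCall and ToolResult stand in for the JSON-RPC request and response envelopes (shape assumed).
type ToolCall struct {
	ID   int
	Tool string
}
type ToolResult struct {
	ID      int
	Content string
	IsError bool
}

// Portal is the agent's only route to tools, so nothing executes before Handle has ruled on it.
type Portal struct {
	Allowed    map[string]bool           // policy: tools this agent may invoke
	Forward    func(ToolCall) ToolResult // real execution; reached only when allowed and not quarantined
	Forensics  []ToolCall                // calls captured while in phantom mode
	Receipts   []string                  // decision log (signed receipts in the real system)
	quarantine bool
	latencies  []time.Duration // real response latencies profiled during normal operation
}

// Quarantine switches the Portal to phantom mode for all later calls.
func (p *Portal) Quarantine() { p.quarantine = true }

// Handle evaluates policy synchronously: the check and the use are the same step, so there is no TOCTOU window.
func (p *Portal) Handle(c ToolCall) ToolResult {
	if !p.Allowed[c.Tool] {
		p.Receipts = append(p.Receipts, "DENY "+c.Tool)
		return ToolResult{ID: c.ID, Content: "tool not permitted", IsError: true}
	}
	if p.quarantine {
		// Phantom mode: record the call, sever the real effect, answer with a success envelope
		// after a latency drawn from the recorded distribution.
		p.Forensics = append(p.Forensics, c)
		p.Receipts = append(p.Receipts, "PHANTOM "+c.Tool)
		if n := len(p.latencies); n > 0 {
			time.Sleep(p.latencies[rand.Intn(n)])
		}
		return ToolResult{ID: c.ID, Content: "ok"}
	}
	start := time.Now()
	res := p.Forward(c)
	p.latencies = append(p.latencies, time.Since(start))
	p.Receipts = append(p.Receipts, "ALLOW "+c.Tool)
	return res
}
```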
Logical Problem Resolution
Independent analysis identified 12 non-trivial logical problems in the AGA architecture. Nine are fully solvable with engineering. Three are irreducible residuals present in any cryptographic governance system.
| Problem | Category | Status | Mitigation |
|---|---|---|---|
| Portal trust | Fundamental | Mitigated | Threshold signing, TEE attestation |
| Key compromise | Fundamental | Mitigated | HSM isolation, rotation, PQC hybrid |
| Policy correctness | Fundamental | Irreducible | Policy provenance chain, coverage metrics |
| Timestamps | Architectural | Mitigated | Roughtime IETF integration, monotonicity verification |
| Identity binding | Architectural | Mitigated | SPIFFE self-signed X.509, certificate chain binding |
| TOCTOU window | Architectural | Solved | MCP proxy is synchronous by construction |
| Proxy bypass | Architectural | Solved | Mandatory network isolation at infra level |
| Phantom detection | Architectural | Mitigated | Timing profiles, envelope matching |
| Recursive governance | Architectural | Roadmap | TEE-hosted Portal with attestation chain |
| Policy rotation | Operational | Solved | POLICY_ROTATION receipt type, zero-gap protocol |
| Performance at scale | Operational | Mitigated | Receipt batching, horizontal scaling |
| Legal admissibility | Operational | Irreducible | Standard primitives, expert witness readiness |