Threat model
Threats, defense layers, and the shared-responsibility model for the TEE-delegated SWQoS marketplace.
The canonical threat model is PRD §9.9. This page is the public publication of that section, with the operational mapping the design doc §7.8 / §7.10 added inline. Validators, traders, and external security researchers should read this before integrating, signing a bug bounty report, or filing a coordinated disclosure.
Architectural principle: shared infrastructure, not shared trust
Every TEE sits behind a CDN/WAF layer (Cloudflare by default, CloudFront / Fastly as alternates) that the validator provisions and owns. The CDN is industry-standard shared infrastructure: it routes packets, it does not see data, and it is not the marketplace.
The validator's TEE security group accepts inbound 443 traffic from the CDN's published IP ranges only. The TEE never sees direct internet traffic.
Threat matrix
The 14 threats below are the v1 surface. Each is mitigated at a specific layer. Mitigation latency targets are tracked in PRD §9.9 and the design doc §7.8.
| # | Threat | Layer | Mitigation | Residual |
|---|---|---|---|---|
| T1 | DDoS L3/L4: volumetric flood | CDN | Cloudflare / AWS Shield absorbs at the edge (terabit-scale). | Negligible |
| T2 | DDoS L7: valid gRPC at high volume | CDN WAF + proxy | Cloudflare bot management + custom WAF rules + per-IP / per-token rate limits in host-proxy (governor token bucket, handshakes/min cap, sustained throughput cap). | Low |
| T3 | Handshake flood: saturate the enclave | host-proxy | Per-IP handshake quota inspired by Agave DEFAULT_MAX_CONNECTIONS_PER_IPADDR_PER_MINUTE = 8. Back-pressure when enclave queue depth crosses threshold. | Low |
| T4 | Auth brute force: probe bearer tokens | host-proxy | 32-byte random tokens (2^256 space) + Argon2id hash at rest + exponential backoff after 5 fails + temporary IP ban after 20 fails / min. | Negligible |
| T5 | CVE scanning: probe binary surface | Build pipeline | Signed binary (FR-T13), standardized image (everyone runs the same code), CVE monitoring in CI, security patches shipped within 24 h of disclosure. | Low |
| T6 | 0-day in tonic / quinn / rustls | Build pipeline | Same as T5 + bug bounty (FR-O7) incentivises white-hats + automated dependency update pipeline. | Residual (inherent) |
| T7 | Validator misconfig: weak TLS, exposed admin | Install module | Install lockdown (FR-T12): TLS 1.3 only, admin endpoint never publicly exposed, security group locked to CDN. No discretion left to the validator. | Low |
| T8 | Side-channel on enclave: timing / cache | AWS Nitro | Hardware isolation, no shared memory across VMs, minimal public surface. ed25519-dalek is constant-time for private operations. | Accepted for v1 |
| T9 | PCR drift / EIF tampering | KMS policy | KMS key policy bound to current PCRs via kms:RecipientAttestation:ImageSha384. A tampered EIF cannot decrypt the validator identity-key envelope. | Negligible |
| T10 | Marketplace platform compromised | Architecture | The marketplace cannot revoke trader auth at the TEE directly. Sensitive actions go through the validator's mTLS-protected dashboard. Attacker can deface listings only. | Low |
| T11 | Compromised validator AWS account: phishing, leaked IAM key | Validator | Documented best practices: hardware-MFA, IAM least-privilege, alerts on root login. Cannot be enforced platform-side. | Validator-side residual |
| T12 | Validator binary compromised: e.g., supply-chain attack on the build | Centralised | Kill switch (design doc §7.8.1): signed revocation_manifest polled every 1 min, and affected versions halt immediately. Audited build pipeline with SLSA-3 attestation. | Critical investment |
| T13 | CDN provider compromised / globally down | Architecture | Validators can switch CDN provider via Terraform module variable. Documented failover playbook to CloudFront. | Accepted for v1 |
| T14 | Reputational contamination: one validator getting pwned harms the brand | Process | Standardised signed image means a compromise is our bug, not the validator's. Coordinated disclosure + rapid platform-wide patch + transparent post-mortem. | Inherent to federation |
Defense layers, outermost to innermost
A request follows ten layers before reaching the Ed25519 signature that justifies its existence. Any layer can refuse, and the layer that refuses is the layer that owns the breach.
[1] Internet
↓
[2] CDN / WAF (Cloudflare / CloudFront / Fastly): DDoS, bot mgmt, geo, WAF rules
↓
[3] AWS Security Group: IP allow-list, CDN ranges only
↓
[4] Host-proxy auth (FR-T3, FR-T4): short-lived ES256 JWT + 9-step verification
↓
[5] Host-proxy rate limits: `governor` token bucket per-IP + per-sub (jwt claim)
↓
[6] Host-proxy gRPC validation: body size cap 1 KB, deadline 100 ms
↓
[7] Nitro Enclave isolation: vsock only, no shared memory, no network outside vsock
↓
[8] Enclave payload validation: `fd_keyguard_payload_matches_tls_cv` matcher;
refuses to sign anything that isn't a TLS 1.3 CertificateVerify
↓
[9] KMS envelope decryption gated on PCR attestation: tampered enclave cannot decrypt
↓
[10] Ed25519 signature (the actual work)
The defense-layer-to-threat mapping (from design doc §7.8) gives the operational view:
| Layer | Threats addressed | Design doc implementation |
|---|---|---|
| 1. Internet | T1, T2 | n/a (public surface). |
| 2. CDN / WAF | T1, T2 | Cloudflare custom rules + Bot Fight Mode (§3.1 Terraform module). |
| 3. AWS security group | T1, T2 | Inbound 443 from Cloudflare prefix list only. Monthly Lambda rotation (§3.1). |
| 4. Host-proxy auth | T4, T5 | 9-step JWT verification (§5.3.3). Argon2id API tokens (§3.5). |
| 5. Host-proxy rate limits | T2, T3 | governor token bucket per-IP + per-sub (jwt claim). |
| 6. Host-proxy validation | T3, T4 | Tonic interceptor: 1 KB body size cap, 100 ms deadline. |
| 7. Nitro isolation | T8 | AWS-provided. vsock-only IPC, no shared network. |
| 8. Enclave payload validation | T4, T5 | fd_keyguard_payload_matches_tls_cv (enclave/src/signer.rs). |
| 9. KMS attestation gating | T9 | KMS key-policy condition kms:RecipientAttestation:ImageSha384 (§7.2.1). |
| 10. Ed25519 sign | n/a | ed25519-dalek v2 in enclave. |
Kill switch (T12)
The marketplace publishes a signed revocation_manifest at
releases.swqos.dev/revocation.json, signed with the K5 cosign key
(design doc §7.1).
{
"revoked_eif_versions": ["1.3.1"],
"action": "halt",
"revoked_at": "2026-04-21T12:00:00Z"
}
- host-proxy polls every 1 min (stricter than the PRD's 5 min).
- If its own release version is in the list → service halts
immediately. Every
SignCertificateVerifyreturns gRPCUNAVAILABLE(14). - Propagation delay: < 1 min worst case.
A mandatory annual end-to-end test pushes a manifest with a dummy EIF version and verifies that staging TEEs halt.
Side-channel posture
- Timing attacks on Ed25519 sign:
ed25519-dalekis constant-time for private operations (audited). No further mitigation. - JWT verification timing: constant-time comparison on the
signature check and sensitive-claim string comparisons
(
subtle::ConstantTimeEq). - Cache attacks in Nitro: AWS guarantees no cross-VM cache sharing. Documented residual risk, accepted for v1.
Shared responsibility
Inspired by the AWS shared-responsibility model. Trader, validator, and platform each own a slice. None can substitute for the others.
| Layer | Owner | Responsibility |
|---|---|---|
| Solana network security | (out of scope) | n/a |
| AWS Nitro Enclave hardware | AWS | Hardware isolation, attestation primitives. |
| Nitro Enclave EIF image | Platform | Build, sign, distribute, patch CVEs, audit. |
| host-proxy binary | Platform | Build, sign, distribute, patch CVEs, audit. |
| Terraform install module | Platform | Hardening defaults, CDN provisioning, KMS policy template. |
| AWS account & IAM | Validator | Root MFA, IAM least-privilege, billing controls. |
| AWS resources (EC2, KMS, S3, …) | Validator | Operational ownership and deletion authority. |
| CDN account (Cloudflare, …) | Validator | Account creation and billing. Defaults configured by our Terraform module. |
| Validator identity key | Validator | Original envelope and KMS encryption. The key never leaves the enclave at runtime. |
| Trader bearer token | Marketplace | Generation, hashing (Argon2id), rotation. |
| Trader IP whitelist | Marketplace + Trader | Trader supplies the list. Marketplace pushes it to the validator. |
| Trader's outbound transaction content | Trader | The TEE never sees the transaction. The trader fully owns this layer. |
| Per-validator monitoring | Validator + Platform | Validator owns the data. Platform aggregates anonymised health for the public status page. |
| Marketplace platform (listings, billing) | Platform | Uptime, security, support. |
Trust boundaries
The eleven trust boundaries (design doc §7.6) make the cryptographic contract between actors explicit.
| # | Boundary | Cryptographic mechanism |
|---|---|---|
| TB1 | Validator ↔ marketplace (register) | Signed challenge (K1) + Solana RPC stake-table verification. |
| TB2 | Validator-CLI ↔ marketplace (steady state) | K8 API key + TLS. |
| TB3 | Trader ↔ marketplace (web) | Clerk session + 2FA (FIDO2). |
| TB4 | Trader SDK ↔ marketplace | K7 API key over TLS. |
| TB5 | Trader SDK ↔ TEE (host-proxy) | K2-signed ES256 JWT over TLS over CDN. |
| TB6 | host-proxy ↔ enclave | vsock in cleartext: confidentiality and integrity rely solely on Nitro hypervisor isolation. By design. |
| TB7 | Enclave ↔ KMS (boot only) | NSM attestation document, signed by AWS, verified by KMS. |
| TB8 | EIF release ↔ validator enclave | K5-signed manifest. |
| TB9 | host-proxy binary ↔ validator EC2 | K6 cosign signature verified by host-proxy at its own boot (FR-T12). |
| TB10 | Trader wallet → validator payout wallet + platform wallet (atomic split payment) | On-chain transaction (built server-side from a Solana Pay transaction request) with two transfer legs and a marketplace-minted memo. No shared secret: the settlement worker matches the memo and verifies over RPC that BOTH legs credited at least their frozen share before confirming. |
| TB11 | Marketplace probe ↔ TEE | K3-signed JWT. |
Pre-GA hardening checklist
Before declaring GA, every item below must be true (PRD §9.9 + design doc §7.10):
- External security audit completed (FR-O6), with critical findings remediated and others documented.
- Penetration test against reference TEE deployment + marketplace platform.
- Bug bounty program live with ≥ 1 vendor. See bug bounty.
- SLSA Level 3 attestation on host-proxy + EIF + marketplace release binaries (or documented gap with mitigation).
- Kill-switch tested end-to-end (signed remote-revoke halts every TEE within 5 min).
- Incident response runbook approved by external counsel.
- CDN provisioning works against at least 2 providers (Cloudflare
- CloudFront), with documented failover.
- Status page live, monitoring fully wired.
- Threat model published publicly: this page.
Documented gaps relative to PRD §9.9
The PRD-canonical text uses placeholder language for a handful of items that operators must close at GA. They are flagged here for transparency rather than silently dropped:
- External audit firm + report URL: TBD. Will be linked in the Pre-GA checklist above once contracted.
- Bug bounty vendor + rewards table: see bug bounty. The program launches once the account is provisioned with a vendor (HackerOne preferred per design doc §7.10).
- SLSA-3 verification example:
.github/workflows/release.ymlemits SLSA-3 provenance on every release. The verification command is documented in the bug bounty page until a dedicated release-verification page lands.
References
- PRD §9.9: canonical threat matrix and defense layers.
- Design doc §7: cryptographic key inventory (K1-K11), trust boundaries, threat mitigation mapping, side-channel notes.
- Design doc §7.8.1: kill switch.
- Design doc §7.10: pre-GA hardening checklist.
- Security overview: trust boundaries summary.
- Security whitepaper: long-form attestation and key-lifecycle write-up.