Security (16 Layers)

Defense-in-depth, WASM, Audit chain, Taint Tracker

Security (16 Layers)

Getting Started

Security: 16 Defense-in-Depth Layers

This page is primarily based on the official Security Architecture documentation (docs/security).

OpenFang's security model emphasizes defense-in-depth:

No single mechanism is fully trusted.
Protection is achieved by layering multiple, mutually independent systems.
Each layer is designed to be as testable and independently verifiable as possible.

16 Security Systems (Official List)

#	System	Primary Threat mitigation	Owning Crate (from docs)
1	Capability-Based Security	Unauthorized operations	openfang-types
2	WASM Dual Metering	Infinite loops / CPU DoS	openfang-runtime
3	Merkle Audit Trail	Audit log tampering	openfang-runtime
4	Taint Tracking	Prompt injection / Data exfiltration	openfang-types
5	Ed25519 Manifest Signing	Supply chain attacks / Manifest tampering	openfang-types
6	SSRF Protection	SSRF / Metadata probing	openfang-runtime
7	Secret Zeroization	Key leakage via memory forensics	runtime/channels
8	OFP Mutual Auth	Unauthorized peer connections	openfang-wire
9	Security Headers	XSS / Clickjacking	openfang-api
10	GCRA Rate Limiter	API abuse / DoS	openfang-api
11	Path Traversal Prevention	Directory traversal	openfang-runtime
12	Subprocess Sandbox	Secret leakage to subprocesses	openfang-runtime
13	Prompt Injection Scanner	Malicious skill prompts	openfang-skills
14	Loop Guard	Runaway tool loops	openfang-runtime
15	Session Repair	Corrupted dialogue history structures	openfang-runtime
16	Health Endpoint Redaction	System information disclosure	openfang-api

Core Mechanism Breakdown (The "Kernel Vibe")

Capability-based security (Permissions as Data Structures)

Permissions are not "enforced by convention"; they are explicit collections of the Capability enum.
Tool invocation, network connections, agent spawn/kill, shell execution, and OFP operations can all be gated.
validate_capability_inheritance() ensures a child's capabilities are a strict subset of its parent's, blocking privilege escalation.

WASM Dual Metering (Fuel + Epoch)

Fuel metering: Instruction counting; execution traps when the deterministic budget is exhausted.
Epoch interruption: Wall-clock time watchdog; execution is interrupted upon timeout.
Combining these covers both deterministic abuse (tight infinite loops) and non-deterministic evasion (hanging on host I/O calls).

SSRF Protection (Includes DNS Rebinding Countermeasures)

Blocks requests to localhost, cloud metadata domains, and 169.254.169.254 explicitly.
Performs post-DNS-resolution checks against all resolved IP addresses to block private ranges, preventing DNS rebinding attacks.

Merkle Hash-Chain Audit Trail

Each audit record includes the hash of the preceding record, forming a tamper-evident chain.
verify_integrity() allows full-chain recalculation and verification.

Taint Tracking

Data is tagged with taint labels based on its source (e.g., ExternalNetwork, UserInput, Secret, PII).
At sinks (like shell, net_fetch, agent_message), checks are performed to block high-risk flows.
Declassification requires an explicit action (making security decisions traceable).

Subprocess Sandbox (env_clear)

Environment variables are wiped before executing skills or shell commands, then selectively injected via an allowlist.
This prevents sensitive information (like LLM keys) from being "accidentally inherited" by an external subprocess.

Threat-Mechanism Cheat Sheet (Doc Summary)

Threat	Primary Mitigation Mechanism
Unauthorized file/network/tool access	Capability gates + Path validation + SSRF Protection
Manifest tampering	Ed25519 manifest signing
Data exfiltration via prompt injection	Taint tracking + Prompt injection scanner
Audit record modification	Merkle hash-chain
Infinite loops in tool code	WASM dual metering + Tool timeout
API throttling/abuse	GCRA rate limiter
Leakage of system details via health/status	Health redaction + Auth

Page Table of Contents