Security Model
NØNOS implements defense-in-depth with multiple security layers.
Security Layers
┌───────────────────────────────────────┐
│ Layer 5: Application Sandboxing │
├───────────────────────────────────────┤
│ Layer 4: Capability-Based Access │
├───────────────────────────────────────┤
│ Layer 3: Memory Protection │
├───────────────────────────────────────┤
│ Layer 2: Kernel Verification │
├───────────────────────────────────────┤
│ Layer 1: Boot Chain Verification │
└───────────────────────────────────────┘Chain of Trust
Boot Verification
UEFI Secure Boot | Firmware verifies bootloader
Bootloader | Verifies kernel with Ed25519
Kernel | Verifies loaded modules
Modules | Capability tokens for access
Signature Verification
Capability System
What are Capabilities?
Unforgeable tokens that grant specific permissions:
Permission Types
READ
Read access
WRITE
Write access
EXECUTE
Execute permission
GRANT
Can delegate capability
REVOKE
Can revoke capability
Usage
Operations require presenting a valid capability:
No capability → Access denied
Wrong permissions → Access denied
Expired → Access denied
Memory Protection
W^X Policy
W^X PolicyEvery page is either:
Writable (RW) | Can modify, cannot execute
Executable (RX) | Can execute, cannot modify
Never both simultaneously
Address Space Isolation
Address Space IsolationKernel in higher-half (0xFFFFFFFF80000000+)
User space isolated per-process
Guard pages between regions
KASLR
KASLRKernel base address randomized at boot using hardware entropy.
Hardware Security
Supported Features
SMEP
Prevent kernel from executing user pages
SMAP
Prevent kernel from accessing user pages
CET
Control-flow integrity
RDRAND
Hardware random numbers
TPM 2.0
Secure key storage
CPU Mitigations
Spectre/Meltdown mitigations
Retpoline for indirect branches
KPTI (Kernel Page Table Isolation)
Cryptographic Security
Algorithms
Signing
Ed25519
128-bit
Hashing
BLAKE3
256-bit
Encryption
AES-256-GCM
256-bit
Key Exchange
ML-KEM-768
Post-quantum
ZK Proofs
Groth16
128-bit
Key Storage
Keys stored in encrypted vault
Hardware-bound sealing (when TPM available)
Secure key derivation (HKDF)
Zero-Knowledge Proofs
ZK proofs enable:
Privacy-preserving attestation
Proving computation without revealing inputs
Anonymous authentication
See ZK Overview.
Attack Surface
Minimized Codebase
The kernel compiles to approximately 221KB. (Previously 67KB, Oct 2025) While this may seem larger than traditional microkernels, this single binary includes a complete. graphical desktop environment, TLS 1.3 networking stack, three-hop onion routing circuits, post-quantum cryptography primitives (ML-KEM-768, ML-DSA-65), a preemptive scheduler, PS/2 input drivers and a RAM-only encrypted filesystem. For comparison, a minimal Linux kernel typically starts at 5–10MB without any of these integrated features. The size reflects our design philosophy: a single, cohesive binary with no external dependencies rather than a tiny kernel that requires loading megabytes of external modules.
Bootloader
~300KB
Kernel
~221KB
Total
~521KB
Compare to typical OS kernels (minimal range 1-10MB).
Unsafe Code Audit
900+ audited unsafe blocks
All in hardware access / memory management
Zero unsafe in cryptographic code
Security Guarantees
✅ What NØNOS provides:
Verified boot chain
Capability-based access control
Memory safety (Rust)
Post-quantum crypto
ZK attestation
⚠️ What NØNOS does NOT protect against:
Physical access attacks (without TPM)
Side-channel attacks (partially mitigated)
Hardware backdoors
User-provided malicious code (sandboxed)
Incident Response
If a vulnerability is discovered:
Security issues → [email protected] — Github
Responsible disclosure
Patch and coordinated release
Last updated
Was this helpful?