Security Model
NØNOS implements a multi-layered security model where each layer provides independent guarantees.
Security Layers
┌─────────────────────────────────────────────────────────────┐
│ Layer 5: APPLICATION SANDBOXING │
│ Process isolation, capability-limited access │
├─────────────────────────────────────────────────────────────┤
│ Layer 4: CAPABILITY-BASED ACCESS CONTROL │
│ Unforgeable tokens, cryptographic binding │
├─────────────────────────────────────────────────────────────┤
│ Layer 3: MEMORY PROTECTION │
│ W^X, KASLR, guard pages, SMEP/SMAP │
├─────────────────────────────────────────────────────────────┤
│ Layer 2: KERNEL VERIFICATION │
│ Ed25519 signatures, BLAKE3 hashing │
├─────────────────────────────────────────────────────────────┤
│ Layer 1: BOOT CHAIN VERIFICATION │
│ UEFI Secure Boot, hardware root of trust │
└─────────────────────────────────────────────────────────────┘Each layer is independent. Compromising one layer doesn't automatically compromise others.
Layer 1: Boot Chain Verification
Layer 1: Boot Chain VerificationComponents
UEFI Secure Boot, Firmware verifies bootloader
TPM 2.0, Hardware-backed measurements (optional)
Measured Boot, PCR values for attestation
Guarantees
Bootloader authenticity verified by firmware
Tampered bootloader won't execute
Boot measurements available for remote attestation
Layer 2: Kernel Verification
Layer 2: Kernel VerificationComponents
Ed25519 Signatures. Fast, secure digital signatures
BLAKE3 Hashing. Modern cryptographic hash
Multi-Key Support. Primary, backup, and recovery keys
Verification Flow
Guarantees
Kernel authenticity verified before execution
Tampering detected and prevented
Key rotation supported without firmware update
Layer 3: Memory Protection
Layer 3: Memory ProtectionHardware Features
W^X (Write XOR Execute)
No page is both writable and executable
KASLR
Kernel address randomized each boot
SMEP
Kernel can't execute user pages
SMAP
Kernel can't access user data
CET
Control-flow integrity
Guard Pages
Stack overflow detection
Memory Layout
Guarantees
Code injection prevented (W^X)
Return-oriented programming mitigated (KASLR, CET)
Kernel/user separation enforced by hardware
Layer 4: Capability-Based Access Control
What are Capabilities?
Capabilities are unforgeable tokens that grant specific permissions:
Properties
Unforgeable. Cryptographic tag prevents fabrication
Specific. Each token grants exactly what it specifies
Transferable. Tokens can be delegated (if permitted)
Revocable. Tokens can expire or be revoked
Access Control Flow
Comparison to Traditional Unix
root can do anything
No bypass, need valid token
UID determines access
Token determines access
Permissions checked once
Token verified every time
Privilege escalation possible
Token forgery cryptographically impossible
Layer 5: Application Sandboxing
Layer 5: Application SandboxingProcess Isolation
Separate address spaces
No shared memory without explicit capability
System calls filtered by capability
Resource Limits
CPU time quotas
Memory limits
File descriptor limits
Network access control
Cryptographic Foundations
Algorithms Used
Ed25519
Signatures
128-bit
BLAKE3
Hashing
256-bit
AES-256-GCM
Encryption
256-bit
ML-KEM-768
PQ Key Exchange
NIST Level 3
ML-DSA-65
PQ Signatures
NIST Level 3
Groth16
ZK Proofs
128-bit
Key Management
Threat Model
In Scope (Protected Against)
Software attacks (malware, rootkits, exploits)
Boot-time attacks (bootkits, evil maid)
Privilege escalation
Code injection
Supply chain compromise (detectable)
Network attacks
Partially Mitigated
Side-channel attacks (timing, cache)
Cold boot attacks
DMA attacks (without IOMMU)
Out of Scope
Physical access with unlimited time
Hardware implants
Compromised CPU/firmware
Rubber-hose cryptanalysis
Security Guarantees Summary
Boot Integrity
Only signed kernel executes
Memory Safety
No code injection possible
Access Control
Cryptographically enforced
Least Privilege
Capabilities grant minimum needed
Audit Trail
All capability usage logged
Quantum Resistance
PQ algorithms available
Last updated
Was this helpful?