← Back to reference

Security Whitepaper

Denpex is a security-sensitive product by design: it operates on multi-tenant clusters holding proprietary model weights, training data, and GPU runtime telemetry. This document describes the threat model, controls, and assurance model.

Threat Model

ThreatAdversaryAssetImpactMitigation
TT2Compromised agentCluster credentialsLateral movementWorkload identity (SPIFFE), short-lived tokens
TT3Network attackerTelemetry channelMITMTLS 1.3 only, mTLS agent↔CP
TT4Insider SREAudit logRepudiationHash-chained append-only audit + tamper-evident export
TT5Insider DeveloperAgent binaryPrivilege escalationSigned binaries, SBOM, reproducible builds
TT6Supply chain (crates.io / PyPI)DependencyBackdoorVendored deps + Sigstore-verified SBOM
TT7Privileged client (over-broad RBAC)Tenant boundaryCross-tenant accessPer-tenant auth tokens, RBAC + ABAC, row-level filters

Controls

Cryptography

  • TLS 1.3 only; non-TLS-1.3 connections rejected at boot.
  • mTLS for agent↔CP using rustls + rcgen (dev) / cert-manager (prod).
  • Envelope encryption with customer-managed KMS keys (AWS/GCP/Azure).
  • PKCS#11 for HSM root of trust.
  • FIPS mode disables non-FIPS ciphers (AES-GCM-256 only).

Authentication

  • SAML 2.0 (samael) for enterprise SSO.
  • OIDC (openidconnect) for OAuth2/OIDC.
  • SCIM 2.0 for user/group provisioning.
  • TOTP MFA enrollment.
  • SPIFFE workload identity for service accounts.

Authorization

  • RBAC: 9 roles (PlatformAdmin, ClusterAdmin, MlEngineer, Researcher, SRE, SecurityAuditor, ReadOnlyViewer, TenantAdmin, SupportEngineer).
  • ABAC: dimensions include cluster_id, namespace, slurm_account, job_owner, tenant, model_project, incident_severity, data_sensitivity.
  • Backed by SQLite + a small DSL: allow <action> on <resource> if <expr>.

Audit

  • Append-only with SHA-256 hash chain.
  • Every login, query, trace download, remediation approval, node drain, config change, secret access, export is recorded.
  • denpex-control-plane audit-verify --since 24h walks the chain.

Secrets

  • Vault via vaultrs.
  • Kubernetes secrets via k8s-openapi.
  • External Secrets Operator integration.
  • HSM-backed root of trust via PKCS#11.

Privileges

The host agent runs as a systemd unit with:

  • CAP_BPF, CAP_PERFMON, CAP_SYS_ADMIN, CAP_SYS_PTRACE, CAP_NET_ADMIN (others stripped).
  • No CAP_DAC_OVERRIDE or CAP_CHOWN.
  • A dedicated service user (denpex-agent).

The control plane runs unprivileged; only the local object store and KMS bridges run as root.

Reporting

docs/threat-model.md and docs/compliance-mapping.md describe the formal STRIDE catalog and control mapping respectively.