Security Whitepaper
Denpex is a security-sensitive product by design: it operates on multi-tenant clusters holding proprietary model weights, training data, and GPU runtime telemetry. This document describes the threat model, controls, and assurance model.
Threat Model
| Threat | Adversary | Asset | Impact | Mitigation |
|---|---|---|---|---|
| TT2 | Compromised agent | Cluster credentials | Lateral movement | Workload identity (SPIFFE), short-lived tokens |
| TT3 | Network attacker | Telemetry channel | MITM | TLS 1.3 only, mTLS agent↔CP |
| TT4 | Insider SRE | Audit log | Repudiation | Hash-chained append-only audit + tamper-evident export |
| TT5 | Insider Developer | Agent binary | Privilege escalation | Signed binaries, SBOM, reproducible builds |
| TT6 | Supply chain (crates.io / PyPI) | Dependency | Backdoor | Vendored deps + Sigstore-verified SBOM |
| TT7 | Privileged client (over-broad RBAC) | Tenant boundary | Cross-tenant access | Per-tenant auth tokens, RBAC + ABAC, row-level filters |
Controls
Cryptography
- TLS 1.3 only; non-TLS-1.3 connections rejected at boot.
- mTLS for agent↔CP using rustls + rcgen (dev) / cert-manager (prod).
- Envelope encryption with customer-managed KMS keys (AWS/GCP/Azure).
- PKCS#11 for HSM root of trust.
- FIPS mode disables non-FIPS ciphers (AES-GCM-256 only).
Authentication
- SAML 2.0 (samael) for enterprise SSO.
- OIDC (openidconnect) for OAuth2/OIDC.
- SCIM 2.0 for user/group provisioning.
- TOTP MFA enrollment.
- SPIFFE workload identity for service accounts.
Authorization
- RBAC: 9 roles (PlatformAdmin, ClusterAdmin, MlEngineer, Researcher, SRE, SecurityAuditor, ReadOnlyViewer, TenantAdmin, SupportEngineer).
- ABAC: dimensions include cluster_id, namespace, slurm_account, job_owner, tenant, model_project, incident_severity, data_sensitivity.
- Backed by SQLite + a small DSL:
allow <action> on <resource> if <expr>.
Audit
- Append-only with SHA-256 hash chain.
- Every login, query, trace download, remediation approval, node drain, config change, secret access, export is recorded.
denpex-control-plane audit-verify --since 24hwalks the chain.
Secrets
- Vault via
vaultrs. - Kubernetes secrets via
k8s-openapi. - External Secrets Operator integration.
- HSM-backed root of trust via PKCS#11.
Privileges
The host agent runs as a systemd unit with:
CAP_BPF,CAP_PERFMON,CAP_SYS_ADMIN,CAP_SYS_PTRACE,CAP_NET_ADMIN(others stripped).- No
CAP_DAC_OVERRIDEorCAP_CHOWN. - A dedicated service user (
denpex-agent).
The control plane runs unprivileged; only the local object store and KMS bridges run as root.
Reporting
docs/threat-model.md and docs/compliance-mapping.md describe the formal STRIDE catalog and control mapping respectively.