Defense in Depth

Defense in depth is the principle that no single security layer is sufficient. EnforceCore is designed to be one critical layer in a comprehensive security stack for AI agents.

The 5 Layers of Agent Security

EnforceCore operates at the Runtime Layer, understanding agent semantics that other layers miss.

graph TB
    subgraph "Defense-in-Depth Stack"
        A["🔒 Hardware Layer<br/>TPM · SGX · TrustZone"]
        B["🐧 OS/Kernel Layer<br/>SELinux · AppArmor · seccomp"]
        C["📦 Container Layer<br/>Docker · Kubernetes · gVisor"]
        D["⚙️ Runtime Layer<br/>EnforceCore"]
        E["💬 Prompt Layer<br/>NeMo Guardrails · LlamaGuard"]
    end

    A --> B --> C --> D --> E

    style D fill:#2d7d46,stroke:#1a5c30,color:#fff

1. Hardware Root of Trust

  • What it does: Protects against firmware tampering and physical attacks using TPMs and secure enclaves (SGX).
  • EnforceCore's Role: None. We assume the hardware is trusted.

2. OS/Kernel Enforcement

  • Components: SELinux, AppArmor, seccomp-bpf.
  • What it catches: Unauthorized syscalls, file access outside policy boundaries.
  • Limitation: Cannot distinguish between a "good" file write (a report) and a "bad" file write (ransomware) if both are allowed syscalls.
  • EnforceCore's Role: Complementary. The OS constrains the process; EnforceCore constrains the logic.

3. Container Isolation

  • Components: Docker, Kubernetes, gVisor.
  • What it catches: Process escape, resource exhaustion, cross-container network access.
  • Limitation: A containerized agent can still leak PII or delete critical data inside the container.
  • EnforceCore's Role: EnforceCore runs inside the container to police the agent's behavior.

4. Runtime Enforcement (EnforceCore)

  • What it catches:
    • Denied tool calls (e.g., execute_shell).
    • PII in inputs/outputs.
    • Cost and rate limit violations.
    • Business logic violations (e.g., "only allow trading during market hours").
  • Why it's unique: This layer understands agent semantics. It knows what a "tool call" is, whereas the OS sees only syscalls and network packets.
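The four rule kinds listed above, as an added illustration of what a runtime tool-call gate checks before a call is dispatched. This is example code written for this page, not EnforceCore's own API; the tool allowlist, PII patterns, budget and market-hours window are constructed values.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time

# Constructed policy values (not EnforceCore's configuration format).
ALLOWED_TOOLS = {"read_file", "write_report", "place_trade"}
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}
MARKET_OPEN, MARKET_CLOSE = time(9, 30), time(16, 0)


@dataclass
class Budget:
    limit_usd: float
    spent_usd: float = 0.0


@dataclass
class ToolCall:
    name: str
    args: dict
    cost_usd: float = 0.0


def check_tool_call(call: ToolCall, budget: Budget, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). The call is only charged to the budget when every rule passes."""
    # Rule 1: tool allowlist (denies e.g. execute_shell before it ever runs)
    if call.name not in ALLOWED_TOOLS:
        return False, f"denied tool: {call.name}"
    # Rule 2: PII in the arguments the agent is about to send out
    for kind, pattern in PII_PATTERNS.items():
        for value in call.args.values():
            if isinstance(value, str) and pattern.search(value):
                return False, f"pii ({kind}) in argument"
    # Rule 3: cumulative cost budget
    if budget.spent_usd + call.cost_usd > budget.limit_usd:
        return False, "cost budget exceeded"
    # Rule 4: business logic, trading only inside market hours
    if call.name == "place_trade" and not (MARKET_OPEN <= now.time() < MARKET_CLOSE):
        return False, "trading outside market hours"
    budget.spent_usd += call.cost_usd
    return True, "ok"
```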

5. Prompt/Content Layer

  • Components: NeMo Guardrails, LlamaGuard, content filters.
  • What it catches: Jailbreak attempts, toxic content, off-topic responses.
  • Limitation: Even if the LLM output is "safe" text, it might trigger an unsafe tool call.
  • EnforceCore's Role: The last line of defense. If prompt injection bypasses the content filter, EnforceCore blocks the resulting malicious action.

Gap Analysis

Where does EnforceCore fit in the threat landscape?

Threat            Hardware  OS/Kernel  Container  EnforceCore  Prompt
Firmware Rootkit  ✅        ❌         ❌         ❌           ❌
Container Escape  ❌        ✅         ✅         ❌           ❌
Denied Tool Use   ❌        ❌         ❌         ✅           ❌
PII Exfiltration  ❌        ❌         ❌         ✅           ❌
Cost Overrun      ❌        ❌         ❌         ✅           ❌
Prompt Injection  ❌        ❌         ❌         Indirectly   ✅

Info: For maximum security, we recommend running EnforceCore agents inside ephemeral containers (e.g., Firecracker microVMs) with strict network policies.