
Defense in Depth

Defense in depth is the principle that no single security layer is sufficient. EnforceCore is designed to be one critical layer in a comprehensive security stack for AI agents.

The 5 Layers of Agent Security

EnforceCore operates at the Runtime Layer, understanding agent semantics that other layers miss.

graph TB
    subgraph "Defense-in-Depth Stack"
        A["🔒 Hardware Layer<br/>TPM · SGX · TrustZone"]
        B["🐧 OS/Kernel Layer<br/>SELinux · AppArmor · seccomp"]
        C["📦 Container Layer<br/>Docker · Kubernetes · gVisor"]
        D["⚙️ Runtime Layer<br/>EnforceCore"]
        E["💬 Prompt Layer<br/>NeMo Guardrails · LlamaGuard"]
    end

    A --> B --> C --> D --> E

    style D fill:#2d7d46,stroke:#1a5c30,color:#fff

1. Hardware Root of Trust

  • What it does: Protects against firmware tampering and physical attacks using TPMs and secure enclaves (SGX).
  • EnforceCore's Role: None. We assume the hardware is trusted.

2. OS/Kernel Enforcement

  • Components: SELinux, AppArmor, seccomp-bpf.
  • What it catches: Unauthorized syscalls, file access outside policy boundaries.
  • Limitation: Cannot distinguish between a "good" file write (a report) and a "bad" file write (ransomware) if both are allowed syscalls.
  • EnforceCore's Role: Complementary. The OS constrains the process; EnforceCore constrains the logic.

3. Container Isolation

  • Components: Docker, Kubernetes, gVisor.
  • What it catches: Process escape, resource exhaustion, cross-container network access.
  • Limitation: A containerized agent can still leak PII or delete critical data inside the container.
  • EnforceCore's Role: EnforceCore runs inside the container to police the agent's behavior.

4. Runtime Enforcement (EnforceCore)

  • What it catches:
    • Denied tool calls (e.g., execute_shell).
    • PII in inputs/outputs.
    • Cost and rate limit violations.
    • Business logic violations (e.g., "only allow trading during market hours").
  • Why it's unique: This layer understands Agent Semantics. It knows what a "tool call" is, whereas the OS just sees network packets.

5. Prompt/Content Layer

  • Components: NeMo Guardrails, LlamaGuard, content filters.
  • What it catches: Jailbreak attempts, toxic content, off-topic responses.
  • Limitation: Even if the LLM output is "safe" text, it might trigger an unsafe tool call.
  • EnforceCore's Role: The last line of defense. If prompt injection bypasses the content filter, EnforceCore blocks the resulting malicious action.
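The following is an added illustration of the runtime-layer checks listed under section 4 and the section 5 caveat that "safe" model text can still carry an unsafe tool call. It is hypothetical example code written for this page, not EnforceCore's API or any project code: the `RuntimeEnforcer`, `ToolCall`, `Verdict` names, the JSON tool-call format, and all policy values (denied tools, PII patterns, market hours, budgets) are constructed assumptions.

```python
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

# Constructed policy values for this illustration; a real deployment would load them from config.
DENIED_TOOLS = {"execute_shell", "drop_table"}
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
MARKET_OPEN, MARKET_CLOSE = time(9, 30), time(16, 0)
# Constructed timestamps used by the demo below (a weekday at noon / after close).
WEEKDAY_NOON = datetime(2024, 1, 16, 12, 0)
AFTER_HOURS = datetime(2024, 1, 16, 18, 0)


@dataclass
class ToolCall:
    name: str
    args: dict
    est_cost_usd: float = 0.0


@dataclass
class Verdict:
    allowed: bool
    reason: str


@dataclass
class RuntimeEnforcer:
    """Hypothetical policy checks between the model's requested tool call and the tool itself."""
    cost_budget_usd: float
    max_calls: int
    spent_usd: float = 0.0
    calls_made: int = 0
    audit_log: list = field(default_factory=list)

    def check(self, call: ToolCall, now: datetime) -> Verdict:
        verdict = self._evaluate(call, now)
        self.audit_log.append((call.name, verdict.allowed, verdict.reason))
        if verdict.allowed:  # charge budget and rate counters only for permitted calls
            self.spent_usd += call.est_cost_usd
            self.calls_made += 1
        return verdict

    def _evaluate(self, call: ToolCall, now: datetime) -> Verdict:
        # 1. Denied tool calls: the OS sees a process doing I/O; this layer sees the tool name.
        if call.name in DENIED_TOOLS:
            return Verdict(False, f"tool '{call.name}' is denied by policy")
        # 2. PII in inputs: scan every string argument before it leaves the agent.
        for label, pattern in PII_PATTERNS.items():
            if any(isinstance(v, str) and pattern.search(v) for v in call.args.values()):
                return Verdict(False, f"{label} found in tool arguments")
        # 3. Cost and rate limits, checked against running totals.
        if self.calls_made + 1 > self.max_calls:
            return Verdict(False, "rate limit exceeded")
        if self.spent_usd + call.est_cost_usd > self.cost_budget_usd:
            return Verdict(False, "cost budget exceeded")
        # 4. Business logic: only allow trading during market hours.
        if call.name == "place_trade" and not MARKET_OPEN <= now.time() < MARKET_CLOSE:
            return Verdict(False, "trading is only allowed during market hours")
        return Verdict(True, "ok")


def redact_pii(text: str) -> str:
    """PII in outputs: mask matches in tool results before they reach the model or the user."""
    for label, pattern in PII_PATTERNS.items():
        text = pattern.sub(f"[REDACTED {label}]", text)
    return text


_JSON_OBJECT = re.compile(r"\{.*\}", re.DOTALL)


def parse_tool_call(llm_output: str) -> Optional[ToolCall]:
    """Extract a {"tool": ..., "args": {...}} object embedded in model text (constructed format)."""
    match = _JSON_OBJECT.search(llm_output)
    if not match:
        return None
    try:
        obj = json.loads(match.group(0))
    except json.JSONDecodeError:
        return None
    if not isinstance(obj, dict) or "tool" not in obj:
        return None
    return ToolCall(str(obj["tool"]), dict(obj.get("args", {})), float(obj.get("est_cost_usd", 0.0)))


def run_agent_step(llm_output: str, enforcer: RuntimeEnforcer, now: datetime) -> Verdict:
    """Section 5 caveat: polite, non-toxic text can still request a denied tool."""
    call = parse_tool_call(llm_output)
    if call is None:
        return Verdict(True, "no tool call requested")
    return enforcer.check(call, now)


if __name__ == "__main__":
    enforcer = RuntimeEnforcer(cost_budget_usd=1.00, max_calls=5)
    # Benign-sounding model output that a content filter would pass, carrying a denied tool call.
    text = 'Happy to help with the cleanup! {"tool": "execute_shell", "args": {"cmd": "ls /tmp"}}'
    print(run_agent_step(text, enforcer, WEEKDAY_NOON))
    print(redact_pii("Customer record: jane@example.com, SSN 123-45-6789"))
    print(enforcer.audit_log)
```

The enforcer never inspects the model's prose, only the structured action it requests, which is the separation the page draws between the prompt layer and the runtime layer; the audit log is what a detection pipeline would consume.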

Gap Analysis

Where does EnforceCore fit in the threat landscape?

| Threat | Hardware | OS/Kernel | Container | EnforceCore | Prompt |
|---|---|---|---|---|---|
| Firmware Rootkit | ✓ | | | | |
| Container Escape | | | ✓ | | |
| Denied Tool Use | | | | ✓ | |
| PII Exfiltration | | | | ✓ | |
| Cost Overrun | | | | ✓ | |
| Prompt Injection | | | | Indirectly | ✓ |

Info: For maximum security, we recommend running EnforceCore agents inside ephemeral containers (e.g., Firecracker microVMs) with strict network policies.