G

Security Model — Gao AI OS

Security Model — Gao AI OS

Threat model, invariant enforcement, and attack surface analysis for Layer 8 of the Gao Internet protocol stack.

Design Principles#

Gao AI OS security is built on three non-negotiable principles:

  1. Explicit authorization over implicit trust — no agent action proceeds without a verifiable, user-signed authorization chain

  2. Minimum capability surface — capability grants are the smallest possible scope for the intended function

  3. Defense in depth — each protection is independent; compromising one layer does not compromise the stack

Threat Model#

In-Scope Threats

Threat

Category

Mitigation

Agent privilege escalation

Execution integrity

CAP token enforces hard ceiling; runtime rejects escalation requests

Malicious agent code injection

Supply chain

Sandbox isolation; no host access; code executed in bounded environment

Policy tampering mid-execution

State integrity

Policy snapshot hashed and locked at execution start

Replay attacks on receipts

Receipt integrity

Receipt IDs are unique UUIDs; execution windows are time-bounded

Cross-domain memory exfiltration

Data isolation

Memory access gated by explicit cross-domain CAP grant

Unauthorized settlement initiation

Financial integrity

All settlements require user-signed L4 transaction; agents cannot sign

CAP token forgery

Identity integrity

CAP tokens are domain-owner signed; validated against on-chain domain state

Governance capture for AI override

Governance integrity

Governance scope explicitly excludes agent policy and receipt modification

Social engineering via agent output

Human factors

Receipt audit trail; escalation contacts for L3 actions

Out-of-Scope Threats

The following are outside the GAR v1 threat model and must be handled at adjacent layers:

  • Compromise of the domain owner’s private key (L5 threat)

  • Smart contract vulnerabilities in the settlement layer (L4 threat)

  • DePIN node collusion (L7 threat)

  • Model-level adversarial inputs (application layer responsibility)

Security Invariants#

These invariants are enforced at the GAR v1 runtime level and cannot be bypassed by any agent, operator configuration, or governance action:

INV-01: Mandatory CAP Validation

PRECONDITION: agent.cap_token exists AND is_valid(cap_token) AND !is_expired(cap_token)  
IF precondition fails → execution ABORTS with failure receipt

INV-02: Policy Snapshot Lock

AT execution_start:  
  policy_snapshot = load_current_policy(agent.domain)  
  policy_hash = hash(policy_snapshot)  
  lock(policy_snapshot)  // immutable for this execution window  
    
AT execution_end:  
  assert receipt.policy_hash == policy_hash

INV-03: Non-Custodial Settlement

agent.initiate_transfer() →   
  submits_request_to(GaoPayment_L4)  // not executed by agent  
  awaits(user_signature)             // required  
  records_settlement_ref(receipt)    // not optional  
    
INVARIANT: agent CANNOT directly sign or broadcast blockchain transactions

INV-04: Receipt Completeness

AT execution_end (regardless of success or failure):  
  emit_receipt(canonical_receipt)    // cannot be suppressed  
    
INVARIANT: silent execution is impossible

INV-05: Tier Non-Escalation

agent.request_tier_escalation() → REJECTED  
// Tier is set at CAP grant time by domain owner  
// Cannot be changed by agent or runtime

INV-06: Memory Boundary Enforcement

agent.read_memory(namespace) →  
  IF namespace.domain != agent.domain:  
    REQUIRES cross_domain_cap_grant  
  ELSE:  
    PERMITTED within agent.memory_scope

INV-07: Execution Window Bounds

MAXIMUM_WINDOW = cap_token.max_execution_duration OR 300s (default)  
IF execution_elapsed > MAXIMUM_WINDOW:  
  TERMINATE execution  
  EMIT partial_receipt

INV-08: Human Authority for Tier 3

IF action.risk_tier == 3:  
  PAUSE execution  
  NOTIFY escalation_contacts  
  AWAIT human_authorization (signed, out-of-band)  
  IF timeout OR denial: ABORT with receipt

---

### Sandbox Architecture

┌─────────────────────────────────────────────┐
│ Host Runtime │
│ │
│ ┌───────────────────────────────────────┐ │
│ │ GAR v1 Supervisor │ │
│ │ (policy gate, CAP validation, log) │ │
│ │ │ │
│ │ ┌─────────────────────────────────┐ │ │
│ │ │ Agent Sandbox │ │ │
│ │ │ │ │ │
│ │ │ - No filesystem access │ │ │
│ │ │ - No raw network sockets │ │ │
│ │ │ - No host process access │ │ │
│ │ │ - No direct blockchain calls │ │ │
│ │ │ - Memory: domain-scoped only │ │ │
│ │ │ │ │ │
│ │ │ Tool calls → Supervisor → L3 │ │ │
│ │ └─────────────────────────────────┘ │ │
│ └───────────────────────────────────────┘ │
└─────────────────────────────────────────────┘


Agent code runs in an isolated environment. The supervisor mediates all external interactions. Agents cannot directly access:

-   The host filesystem
    
-   Raw TCP/UDP sockets
    
-   Other agents’ memory
    
-   Wallet signing functions
    
-   Smart contract interfaces
    

---

### Governance Security Boundary

Governance is explicitly scoped to prevent it from becoming an attack vector against deployed agents.

**Governance MAY modify:**

-   Protocol-wide risk tier definitions and parameter ranges
    
-   Fee structures and routing defaults
    
-   Standard interface specifications with version migration windows
    

**Governance MUST NOT and technically cannot:**

-   Alter individual CAP token grants or agent-level policies
    
-   Modify completed receipts or any entry in the receipt ledger
    
-   Access domain-scoped memory or user assets
    
-   Override settlement finality
    

These restrictions are enforced at the runtime level, not merely by policy. No governance proposal can instruct GAR v1 to modify a completed receipt  the ledger is append-only and the receipt emitter rejects modification requests regardless of their source.

---

### Receipt Integrity

Receipts are the primary audit mechanism. Their integrity is protected by:

Protection

Mechanism

Forgery prevention

Runtime signature using GAR keypair

Tamper detection

Content hash in signature payload

Replay prevention

Unique receipt ID + timestamp

Post-emission immutability

Written to append-only ledger

Cross-version auditability

`runtime_version` field enables version-specific verification

Receipt verification is public and requires no trusted third party.

---

### Known Limitations

The following limitations are acknowledged and documented:

1.  **Model-level prompt injection**  adversarial inputs to the underlying AI model are not filtered at the runtime level. Operators should implement input validation at the application layer.
    
2.  **Domain owner key compromise**  if a domain owner’s private key is compromised, an attacker can issue new CAP tokens. Mitigation: guardian-configurable recovery (L5), hardware wallet recommendations.
    
3.  **Receipt ledger availability**  in the event of a ledger outage, receipt emission retries up to 3×. Extended outages require operator intervention. The receipt ledger uses append-only storage with on-chain anchoring; the anchored hash remains verifiable on-chain independently of Gao Labs infrastructure, but full receipt payload retrieval depends on ledger availability.
    
4.  **Time-of-check to time-of-use (TOCTOU) on policy**  there is a small window between policy check and sandbox entry. This window is minimized but not zero. Mitigation: policy changes take effect at next execution, not retroactively.
    

---

### Responsible Disclosure

Security vulnerabilities in GAR v1 or the Seal SMB Framework can be reported to the Gao Internet security team. See Official Links for contact information.

All confirmed vulnerabilities are disclosed in the public security changelog with severity classification, patch timeline, and affected version range.

---

_This security model covers GAR v1 (Gao Agent Runtime) and the Seal SMB Agent Framework. Adjacent layer security models are documented separately for Gao Domain (L5), Gao Payment (L4), and Gao Network (L6)._