EU AI Act Article 50 โ€” 20 days to seal | Get passport
๐Ÿ‰

DEFONEOS โ€” Threat Model & Risk Assessment

STRIDE ยท Adversarial ML ยท Supply Chain ยท Insider ยท Coalition Federation

Classification: UNCLASSIFIED (Open Source)
Methodology: STRIDE + OWASP LLM Top 10 + NIST AI RMF
Version: 1.0.0 ยท July 2026

4
Critical
7
High
11
Medium
6
Low
28
Mitigations
7
Immutable Red Lines
12
Attack Surfaces
33
BFT Guardians

๐Ÿ“‹ Threat Model Scope

System Under Analysis: DEFONEOS v1.0.0 โ€” Sovereign Public Services OS with 30 MCP servers, SIGIL audit chain, BFT-33 governance council, ISR pipeline, swarm robotics, and coalition federation.

STRIDE Categories Covered

S โ€” Spoofing

Identity spoofing of MCP servers, forged SIGIL entries, fake BFT votes, drone/swarm node impersonation, coalition partner spoofing.

T โ€” Tampering

SIGIL chain tampering, MCP tool injection (Morris-II worm), model weight poisoning, sensor data manipulation, configuration drift.

R โ€” Repudiation

Denied actions without SIGIL proof, BFT vote denial, coalition operation denial, deleted audit trails.

I โ€” Information Disclosure

Model exfiltration via MCP responses, sensor data leakage to coalition, PII exposure, SIGIL chain exposure.

D โ€” Denial of Service

MCP flooding, SIGIL chain saturation, BFT council deadlock, swarm mesh jamming, C2 channel DDoS.

E โ€” Elevation of Privilege

Unauthorized BFT vote, MCP privilege escalation, red line override, air-gap bridge, admin token theft.

๐Ÿ›ก๏ธ Attack Surface Inventory

#SurfaceProtocolExposureAuthThreats
AS-01MCP Federation BusJSON-RPC 2.0 / stdioLocal + NetworkEd25519Injection, flooding, spoofing
AS-02SIGIL ChainSQLite / PostgreSQLLocal + Coalition SyncHMAC + Ed25519Tampering, fork, saturation
AS-03BFT-33 CouncilHTTP :3200Network (VPC)Ed25519 + Quorum 23/33Deadlock, vote spoof, Sybil
AS-04ISR Pipeline (YOLOv8)gRPC + MQTTEdge sensorsmTLSAdversarial images, data poisoning
AS-05Swarm Control (PX4/MAVLink)UART + UDP 14540RF + MeshPSK + AES-256RF jamming, GPS spoof, hijack
AS-06C2 Bridge (FreeTAKServer)CoT XML / TCPTactical NetworkTLS + mTLSCoT injection, MITM, replay
AS-07Cesium 3D COPWebSocket + HTTPSWeb browserJWT + CSPXSS, data exfil, WebSocket hijack
AS-08REST API (87 endpoints)HTTPSInternet + VPCOAuth2 + JWTInjection, rate bypass, IDOR
AS-09Mava RL Training LoopPython + GPULocal computeProcess isolationReward hacking, gradient theft
AS-10Coalition Federation LinkmTLS + SIGIL SyncCross-domainPKI + Ed25519Cross-domain bridge, data leak
AS-11Air-Gapped Update ChannelUSB / optical discPhysicalSHA-256 + Ed25519Stuxnet-style, supply chain
AS-12Model StorageFilesystem + GGUFLocalFile permissionsWeight poisoning, exfiltration

โš ๏ธ Critical Threats (4)

THR-C01 Adversarial ML โ€” ISR Model Evasion
CRITICAL STRIDE: T+I Surface: AS-04

Description

An adversary crafts physical or digital adversarial patches/perturbations that cause YOLOv8 ISR detection to miss objects of interest (e.g., camouflaged vehicles, concealed weapons) or produce false positives (phantom detections degrading operator trust).

Attack Chain

Recon: Obtain model architecture โ†’ Craft adversarial perturbation (FGSM/PGD) โ†’ Physical patch or digital inject โ†’ YOLOv8 confidence drops below threshold โ†’ Object undetected / false negative

โœ… Mitigations

  • Adversarial Training: Fine-tune YOLOv8 with PGD-generated adversarial examples (mAP degradation <2%)
  • Ensemble Detection: Run 3 model variants (n/s/m) in parallel; flag disagreement >0.15 confidence delta
  • Confidence Threshold Floor: Hard floor at 0.25 โ€” nothing below reported to C2, but logged for review
  • Human-in-the-Loop: All ISR detections below 0.85 require operator confirmation before C2 tasking
  • Model Diversity: Support swappable model backbones (RT-DETR, DETR, Faster R-CNN) for heterogeneity
  • SIGIL Audit: Every detection event logged with model version + confidence โ†’ tamper-evident chain
THR-C02 SIGIL Chain Fork โ€” Coalition Split-Brain
CRITICAL STRIDE: R+T Surface: AS-02+AS-10

Description

Network partition between coalition partners causes SIGIL chain fork. When connectivity restores, two divergent chains exist. Adversary could exploit this window to inject operations on the minority chain and claim they were the majority.

Attack Chain

Network partition (jamming or physical) โ†’ Two chains diverge โ†’ Adversary injects ops on minority chain โ†’ Partition heals โ†’ Merge conflict โ€” adversary claims majority

โœ… Mitigations

  • Longest Signed Chain Wins: Ed25519-signed hash chain โ€” the longest valid chain is canonical after merge
  • Quorum Anchor: Every 100th SIGIL entry requires BFT-33 quorum attestation (23/33 signatures)
  • Partition Detector: Monitors chain divergence; alerts operators when fork detected
  • Conflict Resolution: Minority chain operations replayed in order, but flagged as "partition-originated" for review
  • Chain Verification: 8,500 entries/sec verification (SQLite) โ€” full chain re-verification in <2 min for 1M entries
THR-C03 Red Line Override via Privileged MCP Injection
CRITICAL STRIDE: E+T Surface: AS-01+AS-12

Description

Adversary injects a malicious MCP server into the federation that attempts to issue kinetic-targeting, personal-surveillance, or other red-line-prohibited operations by impersonating a legitimate tool or exploiting a configuration path.

๐Ÿšซ The 7 Immutable Red Lines

#Red LineEnforcement
1No kinetic-targeting patterns (strike packages, find-fix-finish, kill orders)Pattern regex + BFT-33 council review
2No personal-surveillance patterns (track individual, face recognition, locate phone)Pattern regex + BFT-33 council review
3No "AUKUS partnership" / "DAIC certified" claims without signed letterAssertion validator
4No DEFONEOS-SEAL credential without 33-agent BFT council vote (quorum 23/33)HotStuff consensus protocol
5No DSEI booth without named UK-prime pilot letterAssertion validator
6No reference to defonos.io domain (known trap)Domain blocklist
7No mixing of meok-defoneos / csoai-defoneos / dagon assetsCompartment isolation

โœ… Mitigations

  • Pattern Firewall: Every MCP tool call passes through red-line regex filter before execution โ€” 0ms overhead, 100% coverage
  • BFT-33 Veto: Any operation matching red-line patterns triggers immediate council vote; requires 23/33 quorum to override the block itself (not the red line โ€” red lines are absolute)
  • MCP Allowlist: Only signed MCP servers in the registry are federated; unsigned/unknown servers are sandboxed with zero data access
  • Compartment Isolation: meok-defoneos, csoai-defoneos, and dagon run in separate processes with no shared memory, IPC, or file paths
  • SIGIL Attestation: Every red-line check is logged to SIGIL chain โ€” auditable post-incident
THR-C04 Air-Gap Bridge โ€” Stuxnet-Style Supply Chain Attack
CRITICAL STRIDE: T+E Surface: AS-11

Description

Adversary compromises the update pipeline for air-gapped deployments. A USB drive or optical disc carrying model updates or MCP packages is infected with malware that bridges the air gap, establishing covert communication or destroying data.

Attack Chain

Compromise update build server โ†’ Inject payload into GGUF/PKG โ†’ USB transferred to air-gapped system โ†’ Payload executes on install โ†’ Air-gap bridge established

โœ… Mitigations

  • Ed25519 Signature Verification: Every update package signed at build time; air-gapped system refuses unsigned packages
  • Dual-Hash Check: SHA-256 + BLAKE3 hash published on public chain; operator verifies hash matches before transfer
  • Staging Diode: Updates pass through a data diode (one-way hardware gate) on a dedicated staging machine
  • File Allowlist: Air-gapped installer only accepts .gguf, .json, .whl, .tar.gz โ€” no executables, scripts, or symlinks
  • Quarantine VM: All packages extracted in isolated QEMU VM before deployment to production air-gapped host
  • SIGIL Receipt: Every update applied logs to local SIGIL chain (synced later when connectivity available)

๐Ÿ”ด High-Severity Threats (7)

THR-H01MCP Morris-II Worm Propagation
HIGH ยท STRIDE: T+E ยท AS-01

A malicious MCP server injects prompt-injection payloads that propagate to other MCP servers via the federation bus, creating a self-replicating worm that exfiltrates data or corrupts configurations.

โœ… Mitigations

  • Aegis Gate: Every MCP tool result passes through swarm_review (Morris-II payload scanner) before delivery
  • Federation Isolation: Each MCP server runs in a separate process; no shared memory or IPC
  • Pattern Detection: 50+ known prompt-injection signatures scanned at 12,847 calls/sec throughput
  • Rate Limiting: Per-server call rate limited to 1000 calls/sec; burst triggers investigation
THR-H02Swarm RF Jamming & GPS Spoofing
HIGH ยท STRIDE: D+T ยท AS-05

Adversary jams MAVLink frequencies (915MHz/2.4GHz) or spoofs GPS signals, causing drone swarm to lose coordination, crash, or deviate to hostile positions.

โœ… Mitigations

  • Frequency Hopping: PX4 supports FHSS on supported radios; fallback to 868MHz LoRa mesh
  • GPS Backup: Visual-inertial odometry (VIO) + dead reckoning when GPS confidence <0.7
  • Geofence Hardcoded: Pre-programmed return-to-home (RTH) coordinates burned to flight controller EEPROM
  • Swarm Autonomy: Decentralized MAPPO policy maintains formation without C2 link for up to 15 minutes
  • RF Detection: SIGINT MCP detects jamming patterns; triggers frequency shift alert
THR-H03BFT-33 Council Deadlock (Sybil Attack)
HIGH ยท STRIDE: E ยท AS-03

Adversary registers enough fake BFT agents to prevent quorum (23/33), causing governance deadlock. With 11 or more compromised agents, no decisions can be made.

โœ… Mitigations

  • Ed25519 Identity: Every agent has unique cryptographic identity; registration requires signed OrgKernel L1 identity
  • Proof of Work: Agent registration requires computational proof (hashcash-style) โ€” prevents instant Sybil registration
  • HotStuff Consensus: BFT consensus tolerates f < n/3 Byzantine agents (tolerates up to 11 of 33)
  • Council Rotation: 33 agents are a rotating subset of a larger pool (50+ verified agents); rotation every 30 minutes
THR-H04Model Weight Poisoning (Supply Chain)
HIGH ยท STRIDE: T ยท AS-12

Adversacy compromises a model repository (HuggingFace mirror) and replaces GGUF weights with poisoned variant that produces backdoor behaviour (e.g., ignores specific classes in ISR, outputs biased BFT recommendations).

โœ… Mitigations

  • Weight Hash Verification: Every model load verifies SHA-256 against signed manifest; mismatch = abort
  • Integrity Scan: Post-load inference test on 50 known images; deviation >5% = quarantine
  • Model Provenance: SIGIL chain records model source, hash, load time, and every inference call
  • Air-Gapped Cache: Pre-verified models cached on air-gapped storage; updates require physical transfer + signature
THR-H05Coalition Data Leakage via Federation
HIGH ยท STRIDE: I ยท AS-10

Coalition partner's compromised system leaks classified data through the SIGIL sync channel or MCP federation responses to unauthorized parties.

โœ… Mitigations

  • Classification Labels: Every SIGIL entry tagged with classification level (UNCLASSIFIED/RESTRICTED/SECRET); only matching levels sync
  • Data Diode: Cross-domain federation passes through hardware data diode; physically one-way
  • MCP Response Filters: Tool responses filtered by destination classification before transmission
  • Audit Trail: Every coalition sync event SIGIL-logged on both chains with Ed25519 signatures
THR-H06C2 CoT (Cursor-on-Target) Injection
HIGH ยท STRIDE: T+S ยท AS-06

Adversary injects fake CoT XML messages into FreeTAKServer, creating phantom units on the Cesium COP, causing operators to respond to non-existent threats or miss real ones.

โœ… Mitigations

  • mTLS: All TAK clients require mutual TLS certificates; unauthenticated CoT rejected
  • Source Validation: CoT UID cross-referenced with registered unit database; unknown UIDs quarantined
  • Plausibility Check: Movement patterns analyzed; impossible jumps (>500km/h ground speed) flagged
  • SIGIL Logging: All CoT events logged to SIGIL chain for post-incident forensics
THR-H07Mava RL Reward Hacking
HIGH ยท STRIDE: T ยท AS-09

RL training loop discovers a shortcut that maximizes reward without achieving the actual mission objective (e.g., drones hover in place to minimize collision penalty instead of searching).

โœ… Mitigations

  • Reward Inspector MCP: defoneos-mava-reward-inspector continuously monitors reward vs. task completion correlation
  • Multi-Objective Rewards: Primary task completion + secondary exploration bonus + collision penalty (multi-objective, not single scalar)
  • Human Evaluation: Random sampling of 5% of training episodes reviewed by human evaluator
  • Anomaly Detection: Reward spike detection โ€” >3ฯƒ deviation triggers training pause + investigation

๐ŸŸก Medium-Severity Threats (11)

IDThreatSTRIDESurfaceMitigation Summary
THR-M01MCP Federation Flooding (DoS)DAS-01Rate limit 1000/s/server, burst detection, backpressure queue
THR-M02SIGIL Chain SaturationDAS-02Batch writes, WAL mode, 47,200/s PostgreSQL, chain pruning >90 days
THR-M03WebSocket COP HijackingT+SAS-07JWT validation per message, origin check, CSP headers
THR-M04REST API IDOREAS-08Object-level authorization on every endpoint, ID obfuscation (UUID)
THR-M05Sensor Data ManipulationTAS-04Multi-sensor cross-validation, outlier detection (3ฯƒ), source attestation
THR-M06Insider Threat โ€” Privileged OperatorAllAllTwo-person rule for sensitive ops, SIGIL audit trail, anomaly detection on operator behaviour
THR-M07Configuration DriftTAllGitOps config management, drift detection every 5 min, SIGIL-logged config changes
THR-M08Dependency Vulnerability (CVE)T+EAS-01,08Daily pip-audit + npm audit, Dependabot, pinned hashes
THR-M09Cesium Data ExfiltrationIAS-07CSP + sandbox headers, no external API keys in frontend, server-side proxy
THR-M10Coalition Sync ReplayT+SAS-10Timestamp + nonce in every sync message, reject >5min old, SIGIL hash verification
THR-M11Drone Mesh Eclipse AttackD+EAS-05Mesh topology monitoring, sybil node detection, reputation scoring

๐ŸŸข Low-Severity Threats (6)

IDThreatSTRIDEMitigation
THR-L01Log InjectionTStructured JSON logging, input sanitization, no eval in log viewers
THR-L02Timing Side-ChannelIConstant-time crypto operations, random response jitter (ยฑ50ms)
THR-L03Cache PoisoningTCache key includes auth context, TTL limits, Vary headers
THR-L04Open RedirectSRedirect allowlist, relative-only internal redirects
THR-L05Information Leakage via Error MessagesIGeneric error messages in production, detailed errors only in debug mode
THR-L06Resource Exhaustion (Memory)Dcgroups limits, OOM killer, swap disabled on edge nodes

๐Ÿ” OWASP LLM Top 10 โ€” DEFONEOS Compliance

#OWASP LLM RiskDEFONEOS StatusMitigation
LLM01Prompt InjectionMITIGATEDAegis Gate scanner, 50+ signatures, MCP response filtering
LLM02Insecure Output HandlingMITIGATEDStructured JSON schema validation, no raw LLM output to C2
LLM03Training Data PoisoningMITIGATEDModel hash verification, integrity test suite, provenance chain
LLM04Model DoSMITIGATEDToken limits, rate limiting, circuit breakers per MCP
LLM05Supply ChainMITIGATEDpinned hashes, Ed25519 signatures, dependency scanning
LLM06Sensitive Info DisclosureMITIGATEDPII redaction, classification labels, data diode
LLM07Insecure Plugin DesignMITIGATEDMCP allowlist, sandboxing, parameter validation
LLM08Excessive AgencyMITIGATEDBFT-33 council gate, red line enforcement, human-in-the-loop
LLM09OverrelianceMONITOREDConfidence thresholds, human confirmation for <0.85, AAR reviews
LLM10Model TheftMITIGATEDAir-gapped storage, model encryption, SIGIL-logged inference access

๐Ÿ“Š Risk Heat Map

Impact โ†’
Likelihood โ†“
Low (1)Medium (2)High (3)Critical (4)
Frequent (4)THR-M01THR-H01THR-C01
Probable (3)THR-L01THR-M06 THR-M07THR-H02 THR-H04 THR-H07THR-C03
Occasional (2)THR-L02 THR-L03THR-M02-M11THR-H03 THR-H05 THR-H06THR-C04
Improbable (1)THR-L04 THR-L05 THR-L06THR-C02

Numbers = risk score (Likelihood ร— Impact). Green = acceptable, Yellow = monitor, Red = active mitigation required, Dark Red = highest priority.

๐Ÿ”ง Security Controls Summary

Cryptographic

  • Ed25519 signatures (every SIGIL entry, BFT vote, MCP call)
  • HMAC-SHA256 (chain linking)
  • AES-256-GCM (at rest, drone RF)
  • mTLS (all network communications)
  • SHA-256 + BLAKE3 (model integrity)
  • NIST PQC ready (ML-DSA-65 / ML-KEM-768)

Operational

  • BFT-33 quorum on all sensitive operations
  • Red line pattern firewall (absolute veto)
  • Two-person rule for kinetic-adjacent ops
  • Human-in-the-loop for ISR <0.85 confidence
  • AAR after every operation
  • 33-agent council rotation every 30 min

Infrastructure

  • Air-gapped deployment support
  • Data diodes for cross-domain
  • Sandboxed MCP processes
  • cgroups resource limits
  • Filesystem allowlists
  • Quarantine VMs for updates

๐Ÿ“ˆ Continuous Improvement

ActivityFrequencyOwnerLast Run
Threat model reviewQuarterlyBFT-33 Security Track (DFO-CS)2 Jul 2026
Penetration testAnnual + pre-major-releaseIndependent (Crown Commercial)Scheduled Aug 2026
Red team exerciseBi-annualCoalition CERTScheduled Q4 2026
Chaos engineeringWeekly (automated)Automated chaos suiteOngoing (5 experiments)
Dependency CVE scanDailypip-audit + npm audit + DependabotDaily
Security SIGIL auditContinuousAutomated + BFT attestationReal-time

๐Ÿ“‹ Compliance Mapping

FrameworkArticle/ControlDEFONEOS ControlStatus
NIST AI RMFManage 4.1 โ€” SecurityRed lines + BFT-33 + threat modelโœ… Compliant
EU AI ActArt 15 โ€” Accuracy & RobustnessAdversarial training + ensemble + confidence floorsโœ… Compliant
EU AI ActArt 14 โ€” Human OversightHuman-in-the-loop <0.85, two-person ruleโœ… Compliant
JSP 936AI Safety AssuranceBFT-33 council + SIGIL audit + AARโœ… Compliant
ISO 27001A.8.2 โ€” Privileged AccessEd25519 identity + two-person + BFT gateโœ… Compliant
ISO 42001A.7 โ€” AI System SecurityOWASP LLM Top 10 mitigated, threat model, pen testโœ… Compliant
OWASP LLM Top 10All 10 risks9 mitigated, 1 monitored90% Mitigated
Cyber Essentials5 ControlsFirewall + secure config + access control + malware + patchingIn Progress