Frontier Security Research
After auditing 26 existing concepts + 6 hardening enhancements, we identified eight defense domains that the current architecture does not cover at all. These are entirely new structures that fill critical gaps.
Research status
These build on the Hardening foundations. Prerequisites: E1 → N1, E3 → N2, E5 → N7.
Architectural gaps
| # | Gap | Impact | Solution |
|---|---|---|---|
| G1 | No cryptographic deletion | GDPR Art.17 non-compliance | N1: CGS |
| G2 | No forensic layer | Cannot determine breach scope | N2: FIL |
| G3 | Microarchitectural side channels | Cache timing on LLM inference | N3: SEF |
| G4 | Export re-identification | Graph structure = user fingerprint | N4: GEAP |
| G5 | No supply chain verification | SolarWinds-type vulnerability | N5: VSCA |
| G6 | No formal verification | Bugs break security invariants | N6: FSIE |
| G7 | Cognitive query fingerprint | User identification via NL queries | N7: CQN |
| G8 | No DP budget management | Undefined ε values and exhaustion behavior | N8: DPBC |
N1. Cryptographic Graph Shredding (CGS)
GDPR Article 17 / CCPA deletion requests cannot be satisfied by SQL DELETE alone — WAL logs, FTS5 indices, embedding vectors, and filesystem sectors retain data. CGS makes deletion cryptographically irreversible.
Per-node key derivation
Each node v_i gets a unique encryption key derived via HKDF: k_i = HKDF(master_key, node_id || epoch). All node data is encrypted with k_i using AES-256-GCM. Deletion = destroying the key via SecureZeroMemory(k_i). The ciphertext remains on disk but is cryptographically unrecoverable.
Keys are never stored at rest — they are re-derived from the master key on demand. The Key Ledger stores only derivation metadata and key hashes for verification.
Cryptographic deletion proof
After deletion, attempt decryption with the destroyed key → failure is recorded as cryptographic evidence of deletion completeness. Integrates with CAV's Proof of Forgetting.
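Added example, not Quira's own code: per-node HKDF derivation with a Key Ledger, using only the Python standard library. HKDF is deterministic, so zeroing k_i makes deletion irreversible only if an input to the derivation is destroyed as well; the example assumes that input is a random per-node salt kept in the ledger's derivation metadata. The `KeyLedger` class, the salt, the integer epoch, and the key-hash comparison standing in for a failed AES-256-GCM decryption are all assumptions.

```python
import hashlib
import hmac
import os

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

class KeyLedger:
    """Holds derivation metadata and key hashes only; k_i itself is never stored."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._entries = {}  # node_id -> {"salt", "epoch", "key_hash"}

    def _derive(self, node_id: str, epoch: int, salt: bytes) -> bytes:
        info = node_id.encode() + b"||" + epoch.to_bytes(8, "big")
        return hkdf_sha256(self._master, salt, info)

    def create(self, node_id: str, epoch: int) -> bytes:
        salt = bytearray(os.urandom(32))  # assumption: per-node salt in the ledger
        key = self._derive(node_id, epoch, bytes(salt))
        self._entries[node_id] = {"salt": salt, "epoch": epoch,
                                  "key_hash": hashlib.sha256(key).digest()}
        return key

    def rederive(self, node_id: str) -> bytes:
        e = self._entries[node_id]
        return self._derive(node_id, e["epoch"], bytes(e["salt"]))

    def shred(self, node_id: str) -> None:
        # Overwrite the salt in place. Python cannot guarantee that no copies
        # remain in memory; a native build would use SecureZeroMemory or similar.
        salt = self._entries[node_id]["salt"]
        salt[:] = bytes(len(salt))

    def deletion_proof(self, node_id: str) -> bool:
        """True when re-derivation no longer reproduces the recorded key hash."""
        e = self._entries[node_id]
        digest = hashlib.sha256(self.rederive(node_id)).digest()
        return not hmac.compare_digest(digest, e["key_hash"])
```

Shredding one node leaves every other node's key derivable, which is what makes the deletion node-granular.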
Novelty: ★★★★ — Crypto-shredding exists at Google/AWS scale, but node-granularity shredding covering embeddings + inference residue in a personal knowledge graph is world-first.
Adversaries: A4 (disk theft), A5 (legal compulsion). Phase: 1–2.
N2. Forensic Integrity Layer (FIL)
The current 7-layer security model (L1–L7) lacks a post-incident analysis layer. After a breach, there is no way to prove "what leaked, when, and to what extent." FIL adds L8 on top of E3 (Immutable Audit Commitment).
L8 architecture
FIL Analyzer processes E3's append-only audit buffer: pattern detection (frequency/timing anomalies), blast radius estimation (SBRC integration), evidence preservation, and optional SIEM export (CEF/JSON format for ArcSight, Splunk, QRadar).
Privacy-preserving forensics
Core principle: record behavioral patterns, never knowledge content. FIL records event types, affected node counts, CSEB rule IDs, decisions, and posture levels — but never records node IDs, content, queries, entities, or URLs.
Novelty: ★★★★★ — Privacy-preserving forensics in a personal browser is world-first.
Adversaries: A2–A5. Phase: 2.
N3. Speculative Execution Firewall (SEF)
Spectre-class attacks are not fully mitigated by Gecko Fission's Site Isolation. When LLM inference and Context Graph reads coexist in the same process, cache timing attacks can leak embedding vectors.
Four mitigation layers
| Layer | Mechanism | When |
|---|---|---|
| Build-time | retpoline, SLH, LVI hardening | All builds |
| Inference isolation | L1/L2 cache flush + memory barrier + COW snapshot | Every inference call |
| High Security mode | Suspend extensions during inference, limit timer resolution, disable SharedArrayBuffer | ASP ≥ Elevated |
| Runtime detection | Cache timing anomaly detector (z-score based) | Continuous |
Novelty: ★★★ — retpoline and SLH already exist, but applying Spectre mitigations specifically to in-browser LLM inference is novel.
Adversaries: A4. Phase: 2–3.
N4. Graph Export Anonymization (GEAP)
When users export or share research sessions, the graph structure itself acts as a fingerprint. Degree distribution, clustering coefficients, and spectral properties are individually unique (Narayanan & Shmatikov, 2009).
Anonymization pipeline
Four-stage structural perturbation applied at export time:
| Stage | Mechanism | Effect |
|---|---|---|
| Edge DP | ε-DP edge flipping (default ε = 1.0) | Hides individual edges while preserving community structure |
| Degree capping | Max degree limit (default 10) | Removes high-degree outlier signal |
| Dummy injection | PKO phantom nodes + random edges (10–20%) | Dilutes structural uniqueness |
| Temporal shuffle | Laplace noise on timestamps | Prevents temporal behavior inference |
AGTR's Topological Invariant Monitor scores graph identifiability before export and auto-adjusts GEAP perturbation intensity.
Novelty: ★★★★ — Graph DP exists academically, but a complete export anonymization protocol for personal knowledge graphs is a first.
Adversaries: A1, A3. Phase: 2–3.
N5. Verifiable Supply Chain (VSCA)
Quira embeds llama.cpp, ONNX Runtime, SQLite, and OpenSSL. Without integrity verification, a SolarWinds-style attack compromises all users. VSCA also provides defense against A5 (vendor distrust).
SLSA Level 3 + Sigstore
| Component | Implementation |
|---|---|
| SBOM | CycloneDX manifest of all dependencies with SHA-256 hashes |
| Signing | Sigstore keyless signing + Rekor CT log |
| Reproducible builds | Byte-identical binary from any third party given the same commit |
| LLM runtime verification | llama.cpp/ONNX version pinning + source hash verification at build time + binary hash at load time |
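Added example, not Quira's own code: the load-time check from the last row, verifying a runtime binary against the SHA-256 pinned in a CycloneDX-style manifest and failing closed. It assumes the manifest's own signature has already been verified; `build_sbom`, `verify_at_load`, the component bytes and the version strings are constructed for illustration.

```python
import hashlib
import hmac
import json

def build_sbom(components: dict) -> str:
    """Constructed CycloneDX-style manifest from {name: (version, binary_bytes)}."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"type": "library", "name": name, "version": version,
             "hashes": [{"alg": "SHA-256",
                         "content": hashlib.sha256(blob).hexdigest()}]}
            for name, (version, blob) in components.items()
        ],
    })

def verify_at_load(sbom_json: str, name: str, version: str, binary: bytes):
    """Return (ok, reason). Any missing or ambiguous pin rejects the load."""
    sbom = json.loads(sbom_json)
    matches = [c for c in sbom.get("components", []) if c.get("name") == name]
    if len(matches) != 1:
        return False, "component not pinned exactly once"
    comp = matches[0]
    if comp.get("version") != version:
        return False, "version differs from pin"
    pinned = [h.get("content", "") for h in comp.get("hashes", [])
              if h.get("alg") == "SHA-256"]
    if not pinned:
        return False, "no SHA-256 entry"
    actual = hashlib.sha256(binary).hexdigest()
    if not any(hmac.compare_digest(actual, p.lower()) for p in pinned):
        return False, "hash mismatch"
    return True, "ok"

# Constructed sample inputs: placeholder bytes and versions, not real releases.
LLAMA = b"constructed llama.cpp library bytes"
SBOM = build_sbom({"llama.cpp": ("0.0.0-example", LLAMA),
                   "sqlite": ("0.0.0-example", b"constructed sqlite bytes")})
```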
Novelty: ★★★ — SLSA/Sigstore are established, but SBOM covering in-browser LLM runtimes is a first.
Adversaries: A5. Phase: 1–2.
N6. Formal Security Invariant Engine (FSIE)
CBS capability token decisions, IFC label propagation, and CTA trust judgments can all be broken by implementation bugs. FSIE uses TLA+ formal verification to prove that security invariants hold mathematically.
TLA+ specification
The Context Graph Access Gateway (CGAG) state machine is specified in TLA+ with four key invariants:
| Invariant | Statement |
|---|---|
| INV-1 | Revoked tokens always result in DENY |
| INV-2 | During Lockdown, all access is DENY |
| INV-3 | Extensions cannot access nodes outside their scope |
| INV-4 | KPC-Sealed nodes are accessible only via SKV |
Property-based testing
10K+ randomized request sequences per CI run verify that the Rust implementation matches the TLA+ specification. TLC model checker runs on every PR.
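Added example, not Quira's own code: randomized request sequences checked against INV-1 to INV-4, with a Python toy gateway standing in for the Rust implementation and plain predicates standing in for the TLA+ specification. The `Gateway` model, its state, the scopes, node and token names, and the seeded defect are all hypothetical; the defect shows how a single early return breaks three invariants at once.

```python
import random

class Gateway:
    """Toy CGAG: revoked tokens, lockdown flag, per-extension scopes, sealed nodes."""
    def __init__(self, scopes, sealed, buggy=False):
        self.scopes, self.sealed, self.buggy = scopes, sealed, buggy
        self.revoked, self.lockdown = set(), False

    def decide(self, token, ext, node, via_skv):
        if self.buggy and via_skv and node in self.sealed:
            return "ALLOW"  # seeded defect: the SKV path skips every other check
        if self.lockdown or token in self.revoked:
            return "DENY"
        if node not in self.scopes[ext]:
            return "DENY"
        if node in self.sealed and not via_skv:
            return "DENY"
        return "ALLOW"

def violated(gw, token, ext, node, via_skv, decision):
    """IDs of the page's invariants that this decision breaks in state gw."""
    if decision != "ALLOW":
        return []
    broken = {
        "INV-1": token in gw.revoked,
        "INV-2": gw.lockdown,
        "INV-3": node not in gw.scopes[ext],
        "INV-4": node in gw.sealed and not via_skv,
    }
    return [inv for inv, hit in broken.items() if hit]

def run_sequences(buggy, sequences=200, steps=50, seed=0):
    """Drive random revoke/lockdown/request sequences; return invariants broken."""
    rng = random.Random(seed)
    scopes = {"ext-a": {"n1", "n2"}, "ext-b": {"n3"}}
    nodes, tokens = ["n1", "n2", "n3", "n4"], ["t1", "t2", "t3"]
    found = set()
    for _ in range(sequences):
        gw = Gateway(scopes, sealed={"n2", "n4"}, buggy=buggy)
        for _ in range(steps):
            op = rng.choice(["revoke", "lockdown", "request", "request"])
            if op == "revoke":
                gw.revoked.add(rng.choice(tokens))
            elif op == "lockdown":
                gw.lockdown = rng.random() < 0.5
            else:
                req = (rng.choice(tokens), rng.choice(sorted(scopes)),
                       rng.choice(nodes), rng.random() < 0.5)
                found.update(violated(gw, *req, gw.decide(*req)))
    return found
```

`run_sequences(False)` returns an empty set; with `buggy=True` it reports INV-1, INV-2 and INV-3, while INV-4 stays intact because the defective path is only reachable via SKV.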
Novelty: ★★★★ — AWS uses TLA+ for SDN/S3, but applying it to a browser capability model is a first.
Adversaries: All classes (prevents implementation bugs). Phase: 1.
N7. Cognitive Query Normalization (CQN)
NL query linguistic patterns (vocabulary, syntax, abbreviation frequency) identify users with >95% accuracy (Narayanan & Shmatikov, 2008 stylometry). CQN extends E5's basic canonicalization into a full cognitive fingerprint defense system.
Query stylometry attack
Linguistic fingerprint features: vocabulary distribution, syntax tree depth, abbreviation rate, query length distribution, and topic transition patterns — the last being the most powerful identifier.
Advanced normalization
Beyond E5's basic pipeline, CQN adds: (1) domain-adaptive synonym dictionaries via local LLM, (2) ML-based style neutralization transforming queries into "style-neutral form", (3) probabilistic query batching with dummy injection, (4) topic transition smoothing inserting bridge queries to prevent pattern detection from sudden topic jumps.
All normalization happens on-device. Only normalized queries leave the device.
Novelty: ★★★★★ — Systematic query linguistic fingerprint erasure exists in no browser or search engine.
Adversaries: A1, A5. Phase: 2.
N8. DP Budget Controller (DPBC)
Existing concepts (AGTR, CSELP) say "inject DP noise" but leave ε values, cumulative budget tracking, and exhaustion behavior undefined. DP guarantees degrade cumulatively — without budget management, DP is security theater.
Budget model
Default monthly budget: ε = 1.0 (below both Apple's 2–8 and Google RAPPOR's ln(3) ≈ 1.1). Composition tracking via zCDP (zero-Concentrated DP) for the tightest guarantees (ρ_i = ε_i²/2).
| Budget used | Behavior |
|---|---|
| < 70% | Allow (normal operation) |
| 70–90% | Throttle (auto-reduce ε, notify user) |
| 90–100% | Warning (opt-in confirmation required) |
| ≥ 100% | Deny (data collection stops until next month) |
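Added example, not Quira's own code: a budget ledger that composes ρ_i = ε_i²/2 additively across components and applies the four bands from the table. Assumptions: the monthly budget is tracked in ρ (ε = 1.0 gives ρ = 0.5), throttling halves the requested ε, the band is chosen from usage before the charge, and a charge that would overshoot the budget is denied; `BudgetController` and `THROTTLE_FACTOR` are hypothetical names.

```python
MONTHLY_EPSILON = 1.0                   # page default
RHO_BUDGET = MONTHLY_EPSILON ** 2 / 2   # rho = eps^2 / 2, so 0.5 per month
THROTTLE_FACTOR = 0.5                   # assumption: throttling halves the requested eps

class BudgetController:
    def __init__(self, rho_budget: float = RHO_BUDGET):
        self.rho_budget = rho_budget
        self.spent = {}  # component name -> rho consumed this month

    def used_fraction(self) -> float:
        return sum(self.spent.values()) / self.rho_budget

    def request(self, component: str, epsilon: float, confirmed: bool = False):
        """Return (behavior, epsilon_granted); the ledger is charged only when granted."""
        used = self.used_fraction()
        if used >= 1.0:
            return "deny", 0.0
        if used >= 0.9:
            if not confirmed:
                return "warning", 0.0   # nothing is released without opt-in
            behavior = "warning"
        elif used >= 0.7:
            behavior, epsilon = "throttle", epsilon * THROTTLE_FACTOR
        else:
            behavior = "allow"
        rho = epsilon ** 2 / 2
        if sum(self.spent.values()) + rho > self.rho_budget:
            return "deny", 0.0          # the charge itself would overshoot
        self.spent[component] = self.spent.get(component, 0.0) + rho
        return behavior, epsilon

    def reset(self) -> None:
        """Monthly reset: all components start again from zero."""
        self.spent.clear()
```

Because the charge is quadratic in ε, halving ε in the throttle band cuts the cost of each release to a quarter.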
Privacy budget UI
Real-time budget gauge at quira://settings/privacy/budget showing consumption by component (AGTR, CSELP, GEAP), remaining ε, and reset date. All noise injection happens on-device — the server never knows ε.
Novelty: ★★★★ — No browser integrates a privacy budget UI managing cross-component zCDP budgets.
Adversaries: A1, A5. Phase: 2.
Priority map
| ID | Structure | ★ | Phase | Adversaries |
|---|---|---|---|---|
| N1 | CGS — Cryptographic Graph Shredding | ★4 | 1–2 | A4, A5 |
| N2 | FIL — Forensic Integrity Layer | ★5 | 2 | A2–A5 |
| N3 | SEF — Speculative Execution Firewall | ★3 | 2–3 | A4 |
| N4 | GEAP — Graph Export Anonymization | ★4 | 2–3 | A1, A3 |
| N5 | VSCA — Verifiable Supply Chain | ★3 | 1–2 | A5 |
| N6 | FSIE — Formal Security Invariant Engine | ★4 | 1 | All |
| N7 | CQN — Cognitive Query Normalization | ★5 | 2 | A1, A5 |
| N8 | DPBC — DP Budget Controller | ★4 | 2 | A1, A5 |
Coverage improvement
| Adversary | Before | +E1–E6 | +N1–N8 | Gain |
|---|---|---|---|---|
| A1 — Network | 40% | 50% | 70% | +30% |
| A2 — Web Content | 80% | 85% | 90% | +10% |
| A3 — Extension | 75% | 80% | 90% | +15% |
| A4 — OS-Level | 60% | 70% | 85% | +25% |
| A5 — Vendor | 30% | 40% | 65% | +35% |
New attack vectors
| Vector | Adversary | Defense |
|---|---|---|
| A4.4 Embedding Inversion via Disk Theft | A4 | N1 (CGS) + E1 |
| A4.5 Spectre-BHB on LLM Inference | A4 | N3 (SEF) |
| A5.3 Binary Supply Chain Tampering | A5 | N5 (VSCA) |
| A5.4 Query Stylometry Identification | A5 | N7 (CQN) + E5 |
| A-cross Audit Log Tampering | All | N2 (FIL) + E3 |
| A-cross Graph Re-identification | A1, A3 | N4 (GEAP) |
| A-cross DP Budget Exhaustion | A1, A5 | N8 (DPBC) |
| A-cross Security Invariant Violation | All | N6 (FSIE) |