Formal Threat Model
Every defense mechanism in Quira — from capability tokens to emergent security structures — is built on top of this formal threat model. It defines what we protect, who we protect against, and what security guarantees we provide.
Research document
Full formal definitions with proofs and quantitative privacy analysis are in docs/security/threat-model.md (~400 lines). This page is the web-accessible summary.
Knowledge graph definition
Quira's Context Graph is formally defined as a 5-tuple:
G = (V, E, Σ, Φ, Τ)
| Symbol | Definition |
|---|---|
| V | Node set — each node corresponds to one page visit |
| E ⊆ V × V × L | Labeled directed edges (navigation, ai_inferred, user_created) |
| Σ: V → S | Structured attributes per node (title, url, summary, entities, tags, notes, space_id) |
| Φ: V → ℝ^384 | Embedding vector per node (384-dimensional) |
| Τ: V → T | Temporal metadata (visit timestamps, dwell time, visit count) |
Compositional sensitivity
Individual data points have low sensitivity, but sensitivity is super-additive over the aggregated graph: the whole is far more sensitive than the sum of its parts.
| Asset | Sensitivity | Reason |
|---|---|---|
| Individual node summary | Low | Public web content |
| Entity set (union) | Medium | Partial interest profile |
| Navigation edges | High | Complete research path = thought flow |
| Embedding vectors | High | Content inversion attacks possible |
| Temporal metadata | High | Full behavioral timeline |
| Graph topology | Critical | Uniquely identifies a person (cognitive fingerprint) |
| Entire graph G | Critical | Complete representation of personal knowledge |
Adversary model
There are five adversary classes, each defined as a triple (Capabilities, Goals, Prior Knowledge). Upper classes subsume the capabilities of lower classes.
| Class | Name | Capabilities | Example |
|---|---|---|---|
| A1 | Network Observer | Passive traffic observation (DNS, TLS SNI, packet timing). Cannot read encrypted payloads. | ISP, public WiFi, state surveillance |
| A2 | Malicious Web Content | Arbitrary HTML/CSS/JS in renderer process. Prompt injection, entity poisoning, embedding manipulation, cognitive fingerprinting. | Phishing sites, ad networks, disinfo campaigns |
| A3 | Malicious Extension | WebExtensions API access within declared permissions. Updates can inject code. Can exfiltrate via network. | Supply-chain compromised extensions, acquired extensions |
| A4 | OS-Level Adversary | Filesystem read (direct SQLite access), process memory dump, DMA/cold boot attacks. | Malware, rootkits, physical device theft, forensics |
| A5 | Browser Vendor | Code modification, telemetry addition, update distribution. Mitigated by OSS + reproducible builds. | Acquisition, management change, legal compulsion |
AI-specific attack vectors (A2)
Malicious web content can specifically target Quira's AI pipeline: prompt injection to corrupt summaries (A2.1), entity poisoning with invisible text (A2.2), embedding space manipulation to pollute similarity search (A2.3), and cluster centroid shifting across multiple pages (A2.5). See Threat Protection.
Attack surfaces
| ID | Surface | Adversary | Defense |
|---|---|---|---|
| S1 | Network layer (DNS, TLS) | A1 | Network Firewall |
| S2 | Web content → AI pipeline | A2 | Threat Protection (4-layer defense) |
| S3 | Extension → Context Graph API | A3 | Permission System (capability tokens) |
| S4 | Local filesystem (SQLite DB) | A4 | Privacy Architecture (SQLCipher + TEE) |
| S5 | Embedding vectors | A2-A4 | Independent encryption, TEE inference |
| S6 | IPC channels (Gecko IPDL) | A2 | Capability checks at every IPC boundary |
| S7 | Graph topology metadata | A1-A4 | AGTR + Phantom Knowledge Obfuscation |
| S8 | Temporal metadata patterns | A1-A3 | Batch processing, temporal noise injection |
| S9 | Update/build pipeline | A5 | OSS + reproducible builds + code signing |
| S10 | Inference residues (after node deletion) | A3-A4 | IRD + RSIP + CAV |
Security properties
| Property | Definition | Verification |
|---|---|---|
| Graph Confidentiality | Adversary cannot access nodes/edges/attributes beyond their authorized capability tokens. | Formal (TLA+ model of CGAG) |
| Graph Integrity | No unauthorized modification of graph structure. AI pipeline cannot write without passing validation. | Hash chain (TCV) |
| Deletion Completeness | When a user deletes data, all direct and derived artifacts (embeddings, summaries, inference residues) are purged. | Cryptographic (CAV) |
| Flow Isolation | Data cannot flow between security contexts without explicit user action. IFC labels are monotonic. | Label propagation audit |
| Temporal Decay | Permissions and sessions expire. No permanent grants. | Capability token TTL enforcement |
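A structural check for the Deletion Completeness property, written against the 5-tuple G = (V, E, Σ, Φ, Τ) defined above. This is an added example, not Quira's code, and it does not model IRD, RSIP or CAV. The `evidence` map (which nodes an `ai_inferred` edge was derived from), the function names and the sample graph are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Graph:
    """G = (V, E, Σ, Φ, Τ) plus an assumed provenance map for inferred edges."""
    V: set = field(default_factory=set)
    E: set = field(default_factory=set)            # (src, dst, label)
    sigma: dict = field(default_factory=dict)      # Σ: node -> attributes
    phi: dict = field(default_factory=dict)        # Φ: node -> embedding
    tau: dict = field(default_factory=dict)        # Τ: node -> temporal metadata
    evidence: dict = field(default_factory=dict)   # edge -> nodes it was inferred from (assumption)

def naive_delete(g, v):
    """Removes only the visible record; derived artifacts stay behind."""
    g.V.discard(v)
    g.sigma.pop(v, None)

def complete_delete(g, v):
    """Purges the node, its per-node maps, incident edges and edges inferred from it."""
    g.V.discard(v)
    for store in (g.sigma, g.phi, g.tau):
        store.pop(v, None)
    doomed = {e for e in g.E if v in e[:2] or v in g.evidence.get(e, ())}
    g.E -= doomed
    for e in doomed:
        g.evidence.pop(e, None)

def residues(g, v):
    """Returns the name of every store that still references deleted node v."""
    stores = (("Σ", g.sigma), ("Φ", g.phi), ("Τ", g.tau))
    found = [name for name, store in stores if v in store]
    if any(v in e[:2] for e in g.E):
        found.append("E (incident edge)")
    if any(v in src for src in g.evidence.values()):
        found.append("E (inferred from v)")
    return found

def sample_graph():
    """Constructed sample: three page visits; a->c was AI-inferred using b as evidence."""
    g = Graph(V={"a", "b", "c"})
    for n in g.V:
        g.sigma[n] = {"title": n, "summary": "..."}
        g.phi[n] = [0.0] * 384
        g.tau[n] = {"visit_count": 1}
    g.E = {("a", "b", "navigation"), ("a", "c", "ai_inferred")}
    g.evidence[("a", "c", "ai_inferred")] = {"b"}
    return g
```

Running `residues` after `naive_delete` lists the embedding, the temporal record and both edge kinds as leftovers; after `complete_delete` it returns an empty list.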
Attack-defense mapping
Each adversary class maps to specific defense layers:
| Adversary | Primary Defense | Advanced Defense |
|---|---|---|
| A1 (Network) | DoH/DoT, ECH, TLS 1.3, Network Firewall | PQC (ML-KEM hybrid), batch timing |
| A2 (Web Content) | Content Filtering, AI Immune System | KSCI, Adversarial ML, Inverse Sandboxing |
| A3 (Extension) | Capability tokens, Context TCC | CSEB anomaly detection, behavioral monitoring |
| A4 (OS-Level) | SQLCipher, Keychain, TEE | SKV, Context Lockdown, Dead Man's Switch |
| A5 (Vendor) | OSS, reproducible builds, opt-in telemetry | Differential privacy (ε published), CAV |