Threat model
Umbra assumes the provider owns the Mac, has root, and may be actively hostile to prompt privacy. The product promise is that prompts and outputs are not logged or persisted, inference runs in-process, and trust comes from attestation rather than operator promises.
Actors
Consumer
Sends prompts and requests a minimum trust_level. Their data is the protected asset.
Coordinator
Routes, meters, and verifies providers from an attested confidential VM.
Provider
Runs public GGUF models on Apple Silicon. Assumed adversarial with physical custody.
Apple
Trusted for Secure Enclave keys, SIP, Managed Device Attestation, and APNs code identity.
Access Paths
| Attack vector | Defense |
|---|---|
| Debugger or memory reader | Hardened Runtime with no get-task-allow (so a debugger cannot attach while SIP is enforced), plus startup anti-debug checks. |
| Intercept local inference traffic | No local inference server, socket, subprocess, or IPC: libllama is linked in-process. |
| Modified provider binary | Code signing, SIP, APNs code-identity, and 5-minute freshness challenges. |
| Fake model weights | Catalog entries pin the public repo, revision, quant, and GGUF SHA-256 digest. |
| Provider logs prompts | Prompt/output buffers are memory-only and zeroized after each request; logging them is a P0 bug. |
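How the "fake model weights" row is enforced in practice, as an added example that is not Umbra's own code: a downloaded GGUF file is accepted only if it is a GGUF container and its SHA-256 digest matches the catalog pin. The catalog field names (repo, revision, quant, sha256) mirror the fields the table lists; the helper names and the constructed sample files are assumptions for illustration.

```python
# Added example (not Umbra's code): check downloaded weights against a
# pinned catalog entry. Field names, helper names and the sample bytes
# are assumptions chosen to mirror the fields listed in the table above.
import hashlib
import hmac
import tempfile
from dataclasses import dataclass
from pathlib import Path

GGUF_MAGIC = b"GGUF"  # first four bytes of a GGUF container


@dataclass(frozen=True)
class CatalogEntry:
    repo: str      # public repo the weights come from
    revision: str  # pinned revision of that repo
    quant: str     # quantization label, e.g. Q4_K_M
    sha256: str    # hex digest of the exact GGUF file


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 (real GGUF files are multi-GB)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_weights(path: Path, entry: CatalogEntry) -> bool:
    """True only if the file is a GGUF container and its digest matches the pin.

    The digest is what binds repo/revision/quant to the bytes on disk: a file
    with the right name but different contents fails regardless of where it
    claims to come from, so the provider cannot substitute weights.
    """
    with path.open("rb") as f:
        if f.read(len(GGUF_MAGIC)) != GGUF_MAGIC:
            return False
    return hmac.compare_digest(sha256_file(path), entry.sha256.lower())


def demo() -> dict:
    """Constructed sample files. The pin is derived from the good file here
    only for the demo; in production it comes from the catalog, never from
    the disk being checked."""
    header = GGUF_MAGIC + b"\x03\x00\x00\x00"  # magic + version 3 (little-endian)
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "model.Q4_K_M.gguf"
        good.write_bytes(header + b"\x00" * 64)
        entry = CatalogEntry(repo="example/model-gguf", revision="abc123",
                             quant="Q4_K_M", sha256=sha256_file(good))

        tampered = Path(d) / "tampered.gguf"   # one payload byte flipped
        tampered.write_bytes(header + b"\x01" + b"\x00" * 63)

        not_gguf = Path(d) / "weights.bin"     # right pin, wrong container
        not_gguf.write_bytes(b"not a gguf file")

        return {
            "pinned": verify_weights(good, entry),
            "tampered": verify_weights(tampered, entry),
            "not_gguf": verify_weights(not_gguf, entry),
        }


if __name__ == "__main__":
    print(demo())
```

The check runs on the provider before libllama loads the file, and the coordinator can repeat the same digest comparison against what the provider reports, since the pinned digest is public.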
Trust Tiers
| Tier | Guarantee |
|---|---|
| standard | Catalog and provider account controls only. |
| hardware | Secure Enclave identity, MDM posture, Apple MDA chain, and freshness checks. |
| code_attested | hardware plus APNs code-identity for the audited provider binary. |
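How the coordinator can turn this table into an admission decision, as an added example that is not Umbra's coordinator code: it computes the highest tier a provider's evidence reaches, treating the 5-minute freshness challenge as a hard requirement for anything above standard, and then compares that tier with the minimum trust_level the consumer requested. The tier names follow the table; the evidence field names, the 300-second window, and the function names are illustrative assumptions.

```python
# Added example (not Umbra's coordinator code): decide which tier a
# provider's attestation evidence reaches and whether it meets the
# consumer's requested minimum trust_level. Tier names follow the table
# above; evidence fields, the 300 s window and function names are assumed.
import time
from dataclasses import dataclass
from typing import Optional

TIER_RANK = {"standard": 0, "hardware": 1, "code_attested": 2}
FRESHNESS_WINDOW_S = 300  # the page's 5-minute freshness challenge


@dataclass
class ProviderEvidence:
    account_ok: bool                   # catalog + provider account controls pass
    se_identity_ok: bool = False       # Secure Enclave identity key verified
    mdm_posture_ok: bool = False       # MDM posture report acceptable
    mda_chain_ok: bool = False         # Apple Managed Device Attestation chain validates
    challenge_issued_at: Optional[float] = None  # coordinator clock when nonce was issued
    challenge_answered: bool = False   # signed response to that nonce verified
    code_identity_ok: bool = False     # APNs code identity matches the audited binary


def is_fresh(ev: ProviderEvidence, now: float) -> bool:
    """Freshness is judged on the coordinator's clock, never the provider's."""
    if not ev.challenge_answered or ev.challenge_issued_at is None:
        return False
    age = now - ev.challenge_issued_at
    return 0 <= age <= FRESHNESS_WINDOW_S   # a future-dated challenge is rejected too


def attained_tier(ev: ProviderEvidence, now: float) -> Optional[str]:
    """Highest tier the evidence supports, or None if not admissible at all."""
    if not ev.account_ok:
        return None
    hardware = (ev.se_identity_ok and ev.mdm_posture_ok
                and ev.mda_chain_ok and is_fresh(ev, now))
    if not hardware:
        return "standard"  # code identity alone does not count: the tier is hardware PLUS
    return "code_attested" if ev.code_identity_ok else "hardware"


def admit(ev: ProviderEvidence, requested: str, now: Optional[float] = None) -> bool:
    """Route to this provider only if its tier is at least the requested one."""
    if requested not in TIER_RANK:
        raise ValueError(f"unknown trust_level {requested!r}")
    got = attained_tier(ev, time.time() if now is None else now)
    return got is not None and TIER_RANK[got] >= TIER_RANK[requested]


if __name__ == "__main__":
    now = 1_700_000_000.0  # constructed timestamp
    full = ProviderEvidence(True, True, True, True, now - 60, True, True)
    stale = ProviderEvidence(True, True, True, True, now - 400, True, True)
    print(attained_tier(full, now), admit(full, "code_attested", now))
    print(attained_tier(stale, now), admit(stale, "hardware", now))
```

The two failure modes worth noticing are the ones the tier table implies but does not spell out: a stale challenge silently drops a fully attested provider back to standard, and a valid APNs code identity on a machine without the hardware evidence earns nothing above standard.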
Residual Risk
Out of scope are unpatched kernel or Secure Enclave vulnerabilities, compromise of Apple's attestation CA, and destructive physical memory probing. These are stated as explicit assumptions rather than left as hidden guarantees.
The implementation details live in umbra/docs/threat-model.md, umbra/docs/SPEC.md, and the provider/coordinator attestation code. This page is the routable web summary.