- Malware, RATs, phishing, supply chain risks at OS/app level
- Firmware tampering detection (via measurements/attestation)
- Network‑borne attacks (MITM, DNS spoofing, DGA/C2)
- Data exfil, token/session theft, macro pivots
- Nation‑state hardware implants at fabrication
- Side‑channel micro‑architectural attacks at scale (we apply mitigations but cannot guarantee)
- Full TEMPEST defenses
- User cooperates with prompts and keeps FIDO2 key safe
- Hardware supports TPM 2.0 and Secure Boot (Tier 1)
- Commodity malware actors
- Targeted intruders with 0‑days
- Malicious insiders with physical access
- See table mapping each layer to controls and detections (linked to ARCHITECTURE).
Excellent question — and you’re thinking like a true documentation architect. 🏗️
The Mermaid.js threat model diagram is one of your most powerful visual assets — it instantly communicates GuardOS’s layered defense philosophy, MITRE ATT&CK alignment, and containment strategy.
Let’s place it where it will have maximum impact — without cluttering or confusing users.
✅ RECOMMENDED LOCATION: docs/THREAT_MODEL.md

This is the natural home for the Mermaid diagram — right at the top, as a visual anchor.

Why?
- It directly illustrates the “Onion Layers” described in the doc.
- MITRE mapping shows real-world relevance.
- Containment zones visualize defense-in-depth.
- It’s technical but accessible — perfect for security-minded readers.

📄 HOW TO INSERT IT INTO docs/THREAT_MODEL.md

Here’s exactly what to paste — including intro text so users know what they’re looking at.
Below is an interactive diagram (renderable on GitHub, GitLab, Obsidian, VS Code with Mermaid plugin) showing:
- The 7-layer “Security Onion” architecture.
- Common attack vectors mapped to MITRE ATT&CK IDs.
- Layer-specific hardening controls (green shields).
- Central “GuardPanel” UI for alerting and user decisions.
- Containment principle: breaches must not cross layers.
```mermaid
graph TD
    A[Attacker] --> B[Layer 6: Human Decisions]
    A --> C[Layer 5: Identity & Credentials]
    A --> D[Layer 4: Interfaces & Network]
    A --> E[Layer 3: Applications]
    A --> F[Layer 2: OS Core]
    A --> G[Layer 1: Kernel / Drivers]
    A --> H[Layer 0: Firmware / Hardware]
    style A fill:#d32f2f,stroke:#333,color:white

    %% Defense Layers
    B --> B1["🛡️ AI Advisor<br>(Aegis LLM)"]
    C --> C1["🔐 TPM-Sealed Vault<br>FIDO2 / Passkeys"]
    D --> D1["📡 eBPF Firewall<br>USBGuard / MAC Filter"]
    E --> E1["📦 Flatpak++<br>Landlock + micro-VM"]
    F --> F1["🧱 Immutable NixOS<br>Rollback + Signed Configs"]
    G --> G1["⚙️ Lockdown Mode<br>LSM + Module Sig"]
    H --> H1["🔌 Heads + Coreboot<br>Measured Boot + TPM Attest"]
    style B1 fill:#2e7d32,stroke:#333,color:white
    style C1 fill:#2e7d32,stroke:#333,color:white
    style D1 fill:#2e7d32,stroke:#333,color:white
    style E1 fill:#2e7d32,stroke:#333,color:white
    style F1 fill:#2e7d32,stroke:#333,color:white
    style G1 fill:#2e7d32,stroke:#333,color:white
    style H1 fill:#2e7d32,stroke:#333,color:white

    subgraph "🛡️ CONTAINMENT ZONES"
        B1
        C1
        D1
        E1
        F1
        G1
        H1
    end

    A -->|T1566 Phishing| B
    A -->|T1078 Valid Accounts| C
    A -->|T1090 Proxy| D
    A -->|T1204 User Execution| E
    A -->|T1068 Exploit Privilege Escalation| F
    A -->|T1055 Process Injection| G
    A -->|T1542 BIOS/UEFI Rootkit| H

    B1 -->|Alert + Explain| Z[GuardPanel UI]
    C1 -->|Attest Failure| Z
    D1 -->|Block + Log| Z
    E1 -->|Sandbox Escape? → VM| Z
    F1 -->|Rollback Trigger| Z
    G1 -->|Kernel Panic → Reboot| Z
    H1 -->|Hash Mismatch → Abort Boot| Z
    Z --> AA[User Decision: Allow / Block / Quarantine]
    style Z fill:#0288d1,stroke:#333,color:white
    style AA fill:#ffa000,stroke:#333,color:black

    classDef layer fill:#f5f5f5,stroke:#9e9e9e,color:#333;
    classDef defense fill:#2e7d32,stroke:#333,color:white;
    classDef attack fill:#d32f2f,stroke:#333,color:white;
    classDef response fill:#0288d1,stroke:#333,color:white;
    classDef decision fill:#ffa000,stroke:#333,color:black;
    class B,C,D,E,F,G,H layer
    class B1,C1,D1,E1,F1,G1,H1 defense
    class A attack
    class Z response
    class AA decision
```
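
How the Layer 0 "Hash Mismatch → Abort Boot" edge can be decided, as an added example that is not GuardOS code: it replays a measured-boot event log with the TPM 2.0 extend rule and compares it against a golden manifest. The stage names, blobs and the `boot` helper are constructed for illustration.

```python
import hashlib

PCR_INIT = bytes(32)  # a static SHA-256 PCR starts at all zeros after reset

def measure(blob: bytes) -> bytes:
    """Digest of a boot component, as recorded in the event log."""
    return hashlib.sha256(blob).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 extend: new PCR = SHA-256(old PCR || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(event_log) -> bytes:
    """Recompute the PCR value implied by an ordered event log."""
    pcr = PCR_INIT
    for _name, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr

def verify_boot(event_log, reported_pcr: bytes, golden: dict):
    """Return (ok, reason). The log must replay to the PCR the TPM reported,
    and every logged digest must match the golden manifest."""
    if replay(event_log) != reported_pcr:
        return False, "event log does not match reported PCR"
    for name, digest in event_log:
        if golden.get(name) != digest:
            return False, f"hash mismatch: {name}"
    missing = golden.keys() - {name for name, _ in event_log}
    if missing:
        return False, f"not measured: {sorted(missing)}"
    return True, "ok"

# Constructed sample data: stand-ins for firmware stages, not real images.
GOOD_STAGES = [("coreboot", b"coreboot-stage-v1"),
               ("heads-kernel", b"heads-kernel-v1"),
               ("heads-initrd", b"heads-initrd-v1")]
GOLDEN = {name: measure(blob) for name, blob in GOOD_STAGES}

def boot(stages, forged_log=None):
    """Simulate one boot: the PCR reflects what actually ran, while the
    event log handed to the verifier may have been rewritten."""
    actual = [(name, measure(blob)) for name, blob in stages]
    return verify_boot(forged_log or actual, replay(actual), GOLDEN)

if __name__ == "__main__":
    tampered = [(n, b + b"-modified") if n == "heads-kernel" else (n, b)
                for n, b in GOOD_STAGES]
    print(boot(GOOD_STAGES))
    print(boot(tampered))
```

A rewritten event log does not help a tampered stage pass: the PCR can only be extended, so a log listing the golden digests no longer replays to the reported value.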