Security Analysis

Executive Summary

CloudCondom proposes a five-layer cryptographic defense stack (Phantom, Veilnet, Cloakfs, Specter, Lockbox) enabling EU companies to deploy workloads on US hyperscalers (AWS, GCP, Azure) while maintaining cryptographic guarantees against CLOUD Act / FISA 702 data access. The core security premise — secrets never stored in Kubernetes, released only after hardware attestation from EU-hosted OpenBao — is architecturally sound but relies on trust assumptions that merit rigorous scrutiny.

This analysis evaluates the threat model, trust boundaries, cryptographic design, attestation reliability, attack surfaces, regulatory compliance, and honest weaknesses of the system.

1. Threat Model Assessment

1.1 Threats Covered

The threat model addresses the primary legal-technical threats facing EU companies on US infrastructure:

Threat	Covered?	Mechanism
CLOUD Act compelled disclosure	Yes	Secrets never in cloud provider's custody; keys in EU-hosted OpenBao
FISA Section 702 surveillance	Yes	Data encrypted with customer-controlled keys; cloud provider sees ciphertext only
National Security Letters (NSLs)	Yes	NSLs compel cloud providers, who hold no plaintext or key material
Hypervisor-level memory inspection	Partial	Requires Specter (TEE layer) to be deployed; without it, memory is exposed
Cluster-admin compromise	Partial	Webhook bypass acknowledged; secrets still external but new pods unprotected
etcd data-at-rest exposure	Yes (managed K8s)	Secrets never enter etcd in the Phantom model

1.2 Threats NOT Covered or Insufficiently Addressed

Supply Chain Attacks

• Container image tampering: If the phantom-proxy or phantom-init sidecar images are compromised at the registry level, the entire trust chain collapses. No image signing/verification (e.g., Sigstore/cosign) enforcement described.
• Dependency poisoning: Go module supply chain attacks could inject key-exfiltrating code into the sidecar. No mention of SBOM generation, dependency pinning, or reproducible builds.
• OpenBao itself: The customer must trust the OpenBao distribution. A compromised OpenBao binary could exfiltrate every secret.

Insider Threat Scenarios

• Malicious CloudCondom employee: An insider who compromises the build pipeline could ship a sidecar that exfiltrates DEKs. The architecture lacks a described code-signing and audit process for the sidecar binary itself.
• Malicious customer DevOps engineer: Can label namespaces with phantom.io/circuit-breaker: "bypass", disabling protection. The circuit breaker bypass mechanism, while auditable, creates a documented path for insiders to circumvent the security layer.
• Social engineering of OpenBao operator: If the EU-hosted OpenBao operator is socially engineered, all secrets for all tenants could be exposed. Multi-party key ceremonies or quorum-based unsealing are not described.

Physical Access Attacks

• Cold boot attacks: Even with TEEs, if an attacker has physical server access, DRAM remanence attacks may recover key material from recently powered-off memory.
• Hardware implants: Nation-state actors with physical access to data center hardware can install interposers (see Battering RAM attack).

Availability / Denial-of-Service

• OpenBao unavailability as a weapon: An attacker who can block egress to the EU-hosted OpenBao effectively denies all secret access after cache TTLs expire. The 15-minute grace period is a design trade-off between security and availability.
• DNS poisoning: If the cloud provider controls DNS resolution, they could redirect OpenBao traffic to a honeypot endpoint. mTLS should prevent this, but the threat is not explicitly addressed.

1.3 Side-Channel Attacks on TEEs

AMD SEV-SNP Known Vulnerabilities (2025–2026)

Vulnerability	Impact	Severity
CounterSEVeillance (NDSS 2025)	Performance counter side-channel leaks secret-dependent control flow. Extracts full RSA-4096 key in <8 minutes.	Critical
StackWarp (CVE-2025-29943)	Hardware flaw in Zen 1–5 CPUs allows admin-privileged attacker to run malicious code within confidential VMs.	High
Ciphertext side-channel (AMD-SB-3021)	Malicious hypervisor combines page swap with ciphertext observation (AES-XEX weakness) to leak guest data.	High
RMPocalypse (CCS 2025)	Race condition in RMP initialization allows hypervisor to manipulate guest memory integrity.	High
Battering RAM (Oct 2025)	$50 DDR4 interposer redirects physical addresses to bypass memory encryption. Requires physical access.	Medium
Heracles (CCS 2025)	Chosen plaintext attack against SEV-SNP.	High

Intel TDX Known Vulnerabilities (2025–2026)

Vulnerability	Impact	Severity
TEE.Fail (Oct 2025)	DDR5 interposer (<$1,000) extracts cryptographic keys from TDX. Researchers forged TDX attestations on Ethereum BuilderNet.	Critical
CVE-2025-30513 (Google-Intel audit)	TOCTOU bug during live migration converts migratable TD to debuggable TD, fully compromising TDX security.	Critical
MKTME cache side-channel	Cache-based side channels allow untrusted VMM to learn memory access patterns of victim TDs.	Medium
T-Time (2026)	Fine-grained timing-based controlled-channel attack exploits page-level memory access patterns.	Medium
Performance counter leakage	VMM differentiates idle/active TD activities via shared core performance counters.	Low-Med

2. Trust Boundary Analysis

2.1 "Webhook = UX, Crypto = Security"

However, this model has a nuanced weakness: the webhook IS part of the security model for newly deployed pods. If the webhook is deleted:

• Existing pods continue to run with their injected sidecars and cached secrets (secure).
• New pods deploy WITHOUT the sidecar, potentially running with no secret protection (insecure).
• If applications fall back to Kubernetes Secrets when the sidecar isn't present, they're fully exposed.

2.2 Actual Trust Boundaries

Trust Requirement	Justification	Risk if Violated
OpenBao operator (customer-controlled)	Holds all KEKs and secrets	Total compromise of all secrets
CloudCondom software (sidecar, webhook, operators)	Executes key retrieval and encryption	Could exfiltrate keys or weaken crypto
AMD/Intel (hardware vendor)	TEE isolation guarantees	Memory access by hypervisor; attestation forgery
Go runtime & dependencies	No backdoors in stdlib or deps	Subtle key leakage via compromised deps
Linux kernel in guest VM	Kernel correctness within TEE	Kernel exploits could expose TEE-protected memory
Cloud provider's network (partially)	Correct routing to EU OpenBao	DoS via egress blocking (not confidentiality breach)

2.3 End-to-End Trust Chain Verification

The attestation report from AMD SEV-SNP or Intel TDX provides a hardware-rooted chain:

1. CPU → VCEK/attestation key → signed measurement report
2. Report includes kernel, initrd, command line hashes
3. OpenBao validates report against expected policy
4. Key released only on match

Gaps in Verification

• Firmware updates: AMD/Intel can push microcode updates that alter TEE behavior. Customers must trust vendors not to ship compromised microcode.
• Cloud provider kernel images: On managed K8s, the customer does not fully control the node OS kernel.
• Runtime integrity: Attestation validates boot-time measurements. It does NOT continuously verify that the running code hasn't been modified post-boot.
• No formal verification: The CloudCondom codebase itself is not formally verified. Critical cryptographic paths should undergo formal verification or independent audit.

3. Cryptographic Design Analysis

3.1 Envelope Encryption (DEK/KEK)

Concerns:

• DEK caching in memory: If the Cloakfs driver crashes and restarts, it must fetch the wrapped DEK from storage metadata and unwrap via OpenBao. If OpenBao is unreachable, the volume is inaccessible.
• DEK version tracking: The system must track which DEK version encrypted each data block. If this metadata is corrupted, data becomes unrecoverable.

3.2 AES-256-GCM vs XChaCha20-Poly1305

Property	AES-256-GCM	XChaCha20-Poly1305
Nonce size	96-bit	192-bit
Nonce collision risk at 2^32 ops	~50% (birthday paradox)	Negligible
Hardware acceleration	AES-NI (fast on x86)	No HW accel
ARM performance (Graviton)	Varies	Competitive on ARM
Safety for random nonces	Dangerous at scale	Safe

3.3 Nonce Management Risks

3.4 Key Rotation Design

Assessment: Well-designed with one gap. The two-phase rotation (rotate KEK → re-wrap DEKs in background) is correct.

Gaps:

• Emergency key revocation: No described "break glass" procedure for rapid KEK compromise response.
• Rotation monitoring: No SLO/SLI described for tracking rotation completion percentage.
• Rotation failure handling: What state are DEKs in if the background reconciler crashes mid-rotation?

3.5 Sealed Cache Key Derivation

Key = HMAC-SHA256(cluster_key, pod_uid || pod_namespace)

The use of pod UID (stable across container restarts) rather than SA token (rotates ~1h) is correct. However:

• cluster_key is a single point of failure: If compromised, all sealed caches in the cluster can be decrypted.
• No key stretching: HMAC-SHA256 is fast. HKDF (RFC 5869) would be more appropriate.

4. TEE / Confidential Computing Assessment

4.1 Attestation Reliability

4.2 Attestation Gaps Across Providers

Provider	Attestation Model	Gap
GKE	AMD SEV-SNP + Intel TDX via Google Attestation API	Best integration. Customer relies on Google's attestation validation service — a US-controlled intermediary.
AKS	AMD SEV-SNP via Azure Attestation	Kata CC sunsetting March 2026. Attestation granularity is VM-level, not workload-level.
EKS	Nitro Enclaves only	Fundamental gap: 1 enclave per EC2 instance. Attestation tied to AWS KMS. Circular trust problem.

4.3 Continuous vs Point-in-Time Attestation

What's described is closer to "periodic re-validation of boot-time attestation" than true continuous attestation. Boot-time attestation does NOT prevent:

• Post-boot exploitation of the guest kernel from within the TEE
• Memory corruption attacks that don't modify the kernel image
• Application-level vulnerabilities within the protected workload

4.4 Attestation Policy Drift

When the cloud provider updates node OS images, attestation measurement registers change. If the OpenBao policy isn't updated in sync:

• Too strict: Legitimate pods fail attestation → operational outage
• Too loose: Policy accepts a wide range of measurements → reduced security guarantee

5. Attack Surface Analysis

5.1 What Can a Malicious Cloud Provider Still Do?

Attack	Possible?	Mitigation
Read etcd contents	Yes, but nothing useful (no secrets)	Phantom eliminates this vector
Read process memory (no TEE)	Yes — full access to all decrypted secrets	Specter (TEE) required; without it, complete bypass
Read process memory (with TEE)	Partial — side-channel attacks possible	TEE raises bar significantly but not absolute
Block egress to OpenBao	Yes — DoS on secret delivery	Grace period buys 15 min; then visible failure
Modify network traffic	No (if mTLS to OpenBao)	mTLS prevents MITM
Inject code into containers	Yes (no TEE) / Difficult (with TEE)	TEE attestation detects modified images at boot
Live-migrate VM to debug mode	Possible (Intel TDX CVE-2025-30513)	Requires patched TDX firmware
Observe timing/access patterns	Yes — traffic analysis reveals operational patterns	Veilnet helps but can't hide volume/timing
Comply with court order to backdoor	Yes — provider can push compromised firmware	Beyond CloudCondom scope; needs hardware trust anchor

5.2 What Can a Compromised Cluster-Admin Do?

Attack	Impact	Detection
Delete MutatingWebhookConfiguration	New pods deploy without sidecar	Drift detection alert (immediate)
Label namespace with circuit-breaker bypass	Protection disabled for namespace	Audit log shows label change
Create pods in kube-system	Pods bypass webhook	Excluded namespaces should be monitored
Modify Phantom CRDs/ConfigMaps	Could weaken protection policies	RBAC + admission control
Access sealed cache tmpfs via kubectl exec	Could read encrypted sealed cache file	Encrypted with pod-specific key
Exfiltrate via kubectl exec into running pod	Full secret access if pod has decrypted secrets in memory	Cannot prevent if admin has exec access

5.3 Node Compromise

5.4 TOCTOU Issues

1. Attestation-to-key-release gap: Between when OpenBao validates the attestation report and when the key is used, the environment could change (Intel TDX CVE-2025-30513 live migration).
2. Webhook classification-to-injection gap: Between when the webhook classifies a pod as "needs protection" and when the sidecar is actually running.
3. Cache TTL TOCTOU: A secret could be rotated in OpenBao but the stale version remains served from cache for up to 5 minutes (hot) or 1 hour (sealed). There should be a "force-evict" mechanism.

6. Regulatory Compliance Mapping

6.1 GDPR Article 32 — Security of Processing

CloudCondom's position: Strong. The five-layer stack represents "state of the art" technical measures: encryption of data at rest (Cloakfs), in transit (Veilnet), and in use (Specter); external key management under customer control; hardware-backed attestation; continuous monitoring (eBPF).

Gap: GDPR Article 32 also requires "regular testing, assessing and evaluating the effectiveness." CloudCondom should include penetration testing frameworks and compliance audit tooling as part of the product.

6.2 GDPR Articles 44-49 — International Transfers

Schrems II supplementary measures: The EDPB recommendations specifically mention encryption as a valid supplementary measure, provided the keys remain under the data exporter's control and are not accessible to authorities of the third country.

• Keys in EU-hosted OpenBao under customer control: Aligns
• Cloud provider cannot decrypt: Aligns
• Cloud provider cannot comply with CLOUD Act order for plaintext: Aligns
• US government compelling cloud provider to install backdoor: Gray area — TEE provides defense, but TEE vulnerabilities mean the guarantee is not absolute

6.3 Schrems II / EU-US Data Privacy Framework Status

6.4 NIS2 Directive

NIS2 (effective October 2024) classifies cloud computing services as "essential" or "important" entities with mandatory risk management measures, incident reporting within 24/72 hours, supply chain security requirements, and fines up to €10M or 2% of global turnover.

Gap: CloudCondom should provide NIS2-specific audit reports and incident response integration (SIEM export, automated incident classification).

6.5 DORA (Digital Operational Resilience Act)

DORA (effective January 2025) specifically targets the financial sector: mandatory ICT risk management, critical third-party oversight, threat-led penetration testing every 3 years, incident reporting within 4/72 hours.

Critical gap: DORA requires demonstrable ability to exit cloud providers. CloudCondom should provide documented migration procedures and key portability between providers.

6.6 Compliance Summary

Regulatory Requirement	Satisfied?	Confidence
GDPR Art. 32 (security of processing)	Yes	High
GDPR Art. 44-49 (international transfers + supplementary measures)	Likely yes	Medium-High
Schrems II supplementary measures	Strong alignment	Medium-High
NIS2 technical measures	Partially (needs audit/reporting)	Medium
DORA ICT risk management	Partially (needs TLPT, exit procedures)	Medium

7. Honest Weaknesses

This section transparently identifies the limits of CloudCondom's security model. Building trust requires acknowledging what the system cannot do.

7.2 What a Sophisticated Nation-State Attacker Can Do

A well-resourced nation-state attacker (e.g., NSA-level) with legal authority (CLOUD Act warrant) AND technical capability:

1. Compel cloud provider to update hypervisor with a targeted exploit for the specific TEE version running the target workloads.
2. Exploit known TEE side-channels (CounterSEVeillance for AMD, T-Time for Intel) to extract key material from within the TEE.
3. Use Battering RAM-style physical interposers on the target server's DDR5 bus to extract attestation keys and forge attestation reports.
4. Block egress to OpenBao (network-level) while simultaneously exploiting the grace period.
5. Serve modified attestation validation responses if they can compromise the provider's attestation API.

7.3 Where the Protection Model Fundamentally Breaks

1. Compromised hardware vendor: If AMD or Intel ships compromised silicon, all TEE guarantees are void. This is an axiomatic trust assumption that cannot be verified.
2. Compromised OpenBao: If the EU-hosted OpenBao instance is compromised, all secrets are exposed. OpenBao is the single most critical component.
3. Zero-day in the sidecar: An RCE vulnerability in the phantom-proxy sidecar gives the attacker access to all decrypted secrets in that pod's memory.
4. Application collusion: If the application intentionally exfiltrates its own secrets (malicious dependency, supply chain compromise), CloudCondom cannot detect or prevent this.

8. Comparison to Alternatives

8.1 Full Sovereign Cloud

Aspect	Sovereign Cloud	CloudCondom on US Cloud
CLOUD Act exposure	None	Residual (TEE side-channels, hardware trust)
Performance/scale	Limited (EU providers smaller)	Full hyperscaler scale
Cost	Higher (less competition)	Hyperscaler pricing + license
Service breadth	Narrower	Full hyperscaler ecosystem
Regulatory certainty	High	Medium-high (untested legal argument)

Verdict: Sovereign cloud is more secure against legal compulsion. CloudCondom is a pragmatic alternative when sovereign cloud is operationally unacceptable.

8.2 BYOK with Cloud KMS

Aspect	BYOK + Cloud KMS	CloudCondom
Key control	Customer provides key, but cloud KMS holds it in use	Key never enters cloud KMS
CLOUD Act exposure	High (provider has key in memory)	Low (key in EU-hosted OpenBao)
Operational simplicity	High (native integration)	Medium (requires sidecar, external OpenBao)
Vendor lock-in	Moderate	Low (OpenBao is portable)

9. Security Recommendations

9.1 Strengthen Immediately

1. Image signing and verification: Implement Sigstore/cosign for all container images. Enforce signature verification in the webhook before injection.
2. Nonce-misuse resistance: Default to AES-256-GCM-SIV for Cloakfs. If GCM is used, implement deterministic nonces.
3. Emergency secret revocation: Implement a "force-evict" push mechanism from OpenBao to sidecars that immediately clears all caches.
4. Per-node cluster key derivation: Replace single cluster_key with HKDF-derived per-node keys: node_key = HKDF(cluster_key, node_uid, "phantom-v1").
5. EKS security disclaimer: Clearly document that Specter/attestation on EKS provides weaker guarantees.

9.2 Add

1. SBOM generation and dependency scanning: Integrate SBOM generation (SPDX/CycloneDX) into the build pipeline.
2. Formal cryptographic audit: Commission an independent audit by a recognized firm (NCC Group, Trail of Bits, Cure53).
3. TEE vulnerability tracking: Maintain a public-facing page documenting known TEE vulnerabilities and mitigation status. Update within 72 hours of new CVE.
4. Incident response playbooks: Pre-built playbooks for OpenBao compromise, TEE vulnerability disclosure, webhook deletion, legal compulsion notification.
5. Multi-party OpenBao unsealing: Recommend Shamir secret sharing for unseal keys with quorum requirements.
6. Runtime integrity monitoring: Integrate dm-verity or IMA within the TEE for true continuous attestation.
7. Canary secrets: Inject honeypot secrets that trigger immediate alerts if accessed or exfiltrated.

9.3 Security Certifications to Pursue

Certification	Priority	Rationale
SOC 2 Type II	High	Table-stakes for enterprise sales; covers security, availability, confidentiality
ISO 27001	High	Required by many EU enterprises; demonstrates ISMS maturity
ISO 27017	Medium	Cloud-specific security controls; differentiator
ISO 27018	Medium	PII protection in public clouds; relevant to GDPR
CSA STAR Level 2	Medium	Cloud Security Alliance certification
BSI C5	High (German)	Essential for German banking/government
EUCS	Watch	Still under development; will be important when finalized

Low-Hanging Fruit: Cumulative Score Impact

Improvement	Score Impact	Effort	Timeline
AES-256-GCM-SIV	+0.20	1–2 days	Month 1
Supply Chain Security (Sigstore + SBOM + SLSA 3)	+0.20	1 week	Month 1–2
Emergency Secret Revocation	+0.15	2–3 weeks	Month 3–4
Certifications (SOC 2, ISO 27001, BSI C5)	+0.15	12–24 months	Month 3–24
Zero-Knowledge Control Plane	+0.15	4–6 weeks design	Month 2–4
Runtime Integrity Verification	+0.05	3–5 days	Month 2
Security Transparency Report	+0.10	1 day (policy)	Month 1
Total	+1.00

10. Security Verdict

Security Soundness Score: 7.5 / 10

Would I Recommend This to a CISO at a European Bank?

Key Strengths

1. Architecturally honest: Trust model correctly identifies where security lies (crypto + attestation) vs. convenience (webhook). Rare and valuable.
2. Defense-in-depth: Five independent layers; compromise of any single layer does not yield full compromise.
3. Regulatory alignment: Designed specifically for GDPR/Schrems II/CLOUD Act, not bolted on after the fact.
4. Operational pragmatism: Sidecar injection minimizes application changes, lowering adoption barriers.
5. Fail-visible design: Circuit breaker, grace period alerts, drift detection prioritize visibility over silent failure.

Key Weaknesses

1. TEE dependency for runtime protection: Without TEE, cloud provider has full memory access. TEEs have numerous known vulnerabilities.
2. Hardware trust assumption: Both AMD and Intel are US companies. Fundamental promise relies on US-manufactured hardware.
3. EKS feature gap: Nitro Enclaves' architectural differences create uneven security posture across providers.
4. OpenBao single point of failure: All secrets flow through OpenBao. Its compromise is total compromise.
5. Untested legal standing: No court or DPA has ruled this approach satisfies Schrems II supplementary measures.

Is This "Security Theater" or Genuine Protection?