Technical Document

6-Layer Security
Architecture

Defense-in-depth for local LLM inference

← Back to Security & Compliance
Document
KW-SEC-001
Classification
Public Technical Reference
Architecture
6-Layer Defense-in-Depth
Scope
Local LLM Inference Engine
Overview

Architecture Summary

Kwyre implements a 6-layer defense-in-depth security model for local LLM inference. Each layer operates independently — compromising one layer does not disable the others. The stack is designed so that even a fully compromised server process cannot exfiltrate data, tamper with model weights, or persist conversation history. 
+------------------------------------------------------+
|  Layer 6: Intrusion Watchdog                         |
|    Monitors processes + network, auto-wipes on alert |
+------------------------------------------------------+
|  Layer 5: Secure Conversation Buffer                 |
|    RAM-only storage, cryptographic wipe on close     |
+------------------------------------------------------+
|  Layer 4: Model Weight Integrity                     |
|    SHA256 verification of model files at startup     |
+------------------------------------------------------+
|  Layer 3: Dependency Integrity                       |
|    SHA256 manifest of all Python packages at startup |
+------------------------------------------------------+
|  Layer 2: Process Network Isolation                  |
|    iptables / Windows Firewall per-process rules     |
+------------------------------------------------------+
|  Layer 1: Localhost-Only Binding                     |
|    Server binds to 127.0.0.1, unreachable from LAN  |
+------------------------------------------------------+
Defense Layers

The 6-Layer Stack

Rendered outermost (L6) to innermost (L1). Each layer operates as an independent control.

L6
🔎
Intrusion Watchdog
Background thread scans every 5 seconds for debuggers, traffic analyzers, and unexpected outbound connections — auto-wipes sessions on detection.
L5
🧠
Secure Conversation Buffer
Conversations exist only in RAM — never serialized to disk. Cryptographic wipe on session close, idle timeout, and server shutdown.
L4
🔒
Model Weight Integrity
SHA256 hashes of model config files verified at every startup — detects substitution, tampering, or silent corruption of inference weights.
L3
📦
Dependency Integrity
SHA256 manifest of all installed Python packages verified at every startup — detects supply-chain tampering, version drift, and unexpected packages.
L2
🛡
Process Network Isolation
OS-level outbound network rules scoped to the Kwyre process — a fully compromised server cannot exfiltrate data over the network.
L1
🌐
Localhost-Only Network Binding
Server binds exclusively to 127.0.0.1 at the OS socket level — unreachable from any other machine on the network, regardless of firewall config.
Technical Detail

Layer-by-Layer Breakdown

L1

Localhost-Only Network Binding

FILE: server/serve_local_4bit.pyBIND_HOST = "127.0.0.1"

The HTTP server binds exclusively to the loopback interface. This is enforced at the OS socket level — no configuration, reverse proxy, or firewall rule can make the server respond to requests from other machines on the network.

Verification Command
netstat -an | findstr 8000  → shows 127.0.0.1:8000 only
L2

Process Network Isolation

FILE: security/setup_isolation.sh

Even if the server process is fully compromised — for example, via a dependency supply-chain attack — it cannot exfiltrate data because outbound network access is blocked at the OS level.

  • Linux / WSL2: iptables OUTPUT rules scoped to a dedicated kwyre system user UID
  • Windows: New-NetFirewallRule blocking outbound from the specific Python executable

The server runs as the kwyre user, which has no shell, no home directory, and no outbound network capability.

L3

Dependency Integrity

FILE: security/verify_deps.py

Generates and verifies SHA256 hashes of all installed Python packages' RECORD files. Run once on a clean install to generate the manifest, then verified at every startup.

Detects:

  • Version changes (pip upgrade / downgrade)
  • File tampering (modified package code)
  • Unexpected packages not present in the original manifest
L4

Model Weight Integrity

FILE: server/serve_local_4bit.pyverify_model_integrity()

SHA256 hashes of model configuration files are computed on a verified clean install and hardcoded into the server. At every startup, hashes are recomputed and compared.

Files covered:

  • config.json
  • tokenizer_config.json
  • generation_config.json
  • tokenizer.json

Detects: model substitution, config tampering, and file corruption introduced between installs.

L5

Secure Conversation Buffer

FILE: server/serve_local_4bit.pySecureConversationBuffer, SessionStore
  • Conversations exist only in RAM — never serialized to disk
  • Each session gets a 256-bit random key (for future encryption-at-rest if needed)
  • Idle sessions are reaped after 1 hour
  • On wipe: content overwritten with random bytes before deallocation
  • On server shutdown: all sessions wiped before process exit via SIGTERM handler
L6

Intrusion Watchdog

FILE: server/serve_local_4bit.pyIntrusionWatchdog

Background thread scanning every 5 seconds for anomalies. Requires 2 consecutive detections to confirm a violation — avoiding false positives from benign system activity.

Scans for:

  • Unexpected outbound connections from the server process (via psutil)
  • Suspicious processes running on the system: debuggers, traffic analyzers, memory inspectors

Detected tools include: x64dbg, WinDbg, Ghidra, IDA, Wireshark, Fiddler, mitmproxy, Burp Suite, Process Hacker, Cheat Engine.

On confirmed violation:

  • All active sessions are immediately wiped
  • Event is logged (metadata only — no conversation content)
  • Server process is terminated
Threat Model

Threats & Mitigations

Each row maps a concrete attack vector to the layers that address it.

Threat Mitigated By
Network interception (MITM) L1L2No network traffic exists to intercept
Remote access to inference L1Localhost binding blocks all remote connections
Data exfiltration via compromised dependency L2L3Outbound blocked + dependency hashes verified
Model substitution / poisoning L4SHA256 weight verification at startup
Conversation persistence / disk forensics L5RAM-only with cryptographic wipe
Active debugging / memory inspection L6Watchdog detects and terminates
Server crash without cleanup L5OS reclaims RAM on process exit — no disk artifacts
Scope Boundary

What This Architecture Does NOT Protect Against

Application-level security has inherent limits. The following threats require hardware-level controls.

⚠ Out of Scope — Hardware-Level Threats
  • Physical access to the machine while the server is running (cold boot attacks, DMA)
  • Kernel-level rootkits that hide processes from psutil
  • A determined attacker with root / admin access to the host OS
  • Side-channel attacks on GPU memory

These threats require hardware-level controls — TPM, Secure Boot, encrypted RAM — which are outside the scope of application-level security. Kwyre's architecture addresses the software attack surface only.

Related Documents

Compliance & Architecture Docs

Compliance Guide

SOC 2 Type II Readiness

How Kwyre's architecture maps to SOC 2 Trust Service Criteria — CC6, CC7, and A1.

→ soc2.html
Data Residency

Data Residency & Air-Gap Guarantees

Technical proof that no data crosses a network boundary under any operating condition.

→ data-residency.html