Skip to content

dkypuros/ZTA-LLM

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

17 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

ZTA-LLM: Zero-Trust Agentic LLM Orchestration

A Secure Hybrid Framework for Public Planning and Private Inference

πŸŽ“ Academic reviewers: Jump to security-impedance-core/ for the clean reference implementation with paper abstract

πŸ“„ Research Paper: Zero-Trust Agentic LLM Orchestration on OpenShift (PDF)

License Docker Security Tests

This repository implements the Security Impedance framework described in our research paper: "Zero-Trust Agentic LLM Orchestration on OpenShift: A Secure Hybrid Framework for Public Planning and Private Inference" (Full Paper PDF).

🧠 NEW TO THIS PROJECT? Start with MENTAL_MODEL.md for a big-picture understanding before diving into implementation details.

πŸ“š Academic Reference Implementation

πŸŽ“ For academic review, paper validation, and clean reference code:

β†’ security-impedance-core/ ←

This is the clean, focused implementation designed for:

  • πŸ“„ Academic reviewers - Complete paper abstract and direct code-to-paper mapping
  • πŸ”¬ Researchers - Formal Lean 4 verification framework and academic documentation
  • πŸ—οΈ Implementers - Minimal, focused codebase with comprehensive validation
  • πŸš€ Production - OpenShift-ready Kubernetes manifests with security hardening

Contains: Core security modules, formal verification, paper abstract, and validated performance claims

Repository below contains the full development environment and comprehensive testing suite.

🧭 Navigation Guide

Audience Go to Purpose
🧠 New Users MENTAL_MODEL.md Big-picture understanding and navigation guide
πŸŽ“ Academic Reviewers security-impedance-core/ Paper validation, abstract, clean reference code
πŸ”¬ Researchers security-impedance-core/src/lean/ Formal verification framework
πŸ—οΈ Implementers security-impedance-core/ Production-ready minimal implementation
πŸ§ͺ Developers This repository Full development environment, testing, monitoring
πŸ“Š DevOps Teams security-impedance-core/deploy/ Kubernetes/OpenShift manifests

πŸš€ Quick Start

# Clone and setup
git clone <repository-url>
cd ZTA-LLM
make setup-dev

# Start the complete stack
make build
make start

# Run security tests
make security-test

# View monitoring
open http://localhost:3000  # Grafana (admin/admin)
open http://localhost:9090  # Prometheus

πŸ“Š What This Implements

This test environment validates the paper's core claims:

βœ… Multi-Layer Security Impedance: Independent validation at application, service mesh, and infrastructure layers
βœ… <15ms Security Overhead: Measured at 0.234ms (64x better than claimed)
βœ… Zero Data Leakage: Comprehensive red-team testing against exfiltration attempts
βœ… Hybrid LLM Architecture: Anthropic Claude for planning + local vLLM for sensitive inference
βœ… OpenShift/Kubernetes Native: Complete container orchestration with GitOps

πŸ—οΈ Architecture Overview

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚   User Input    β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”˜
         β”‚
    β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”        β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
    β”‚ Wrapper β”‚        β”‚ Prompt Guard β”‚ Layer 1: Application
    β”‚  + Aliasβ”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€  + Padding   β”‚ (In-process validation)
    β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”˜        β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
         β”‚
    β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”        β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
    β”‚  Envoy  β”‚        β”‚     OPA      β”‚ Layer 2: Service Mesh
    β”‚  Sidecarβ”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€ Data Firewallβ”‚ (Transit validation)
    β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”˜        β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
         β”‚
    β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”        β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
    β”‚ Network β”‚        β”‚   Egress     β”‚ Layer 3: Infrastructure
    β”‚ Policy  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€   Firewall   β”‚ (Network isolation)
    β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”˜        β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
         β”‚
         β–Ό
   [Anthropic API / Local vLLM]

Core Components

πŸ›‘οΈ Layer 1: Application Security Guards

  • Path Aliasing: SHA256-based deterministic file path obfuscation
  • Prompt Padding: Constant-length padding to prevent side-channel attacks
  • Secret Detection: Multi-pattern regex + entropy analysis for API keys, tokens
  • Schema Validation: Strict JSON schema enforcement for all requests

🌐 Layer 2: Service Mesh Enforcement

  • OPA Policies: Rego-based data firewall blocking unaliased paths and secrets
  • Envoy Proxy: Request/response interception with security headers
  • Transit Validation: Independent validation of all traffic between services
  • Audit Logging: Comprehensive security event logging for compliance

πŸ”’ Layer 3: Infrastructure Security

  • NetworkPolicy: Kubernetes-native egress restrictions to approved endpoints only
  • SecurityContextConstraints: Pod-level security controls (non-root, read-only filesystem)
  • Seccomp/AppArmor: Syscall and file access restrictions
  • Resource Limits: Prevent resource exhaustion attacks

πŸ§ͺ Test Environment Components

Development Stack

Component Purpose Port Status
Security Wrapper Layer 1 guards 8080 βœ…
MCP Server Tool routing 8081 βœ…
vLLM Server Local inference 8000 βœ…
OPA Server Policy engine 8181 βœ…
Envoy Proxy Service mesh 8082 βœ…
Prometheus Metrics 9090 βœ…
Grafana Monitoring 3000 βœ…
Redis Session cache 6379 βœ…

Test Data & Validation

  • Synthetic PII: 500+ realistic but fake personal records
  • Fake API Keys: 200+ test secrets across multiple formats (Stripe, AWS, JWT, etc.)
  • Malicious Prompts: Comprehensive red-team test suite
  • Performance Benchmarks: Validation of <15ms overhead claim
  • File Structures: Realistic enterprise directory structures for path testing

πŸ“ˆ Security Validation Results

βœ… FULL TEST RESULTS AVAILABLE - Complete validation of all critical fixes

Our implementation successfully blocks:

  • βœ… Direct secret injection (sk_test_, AKIA, JWT tokens)
  • βœ… Obfuscated secrets (Base64 encoded, Unicode variants)
  • βœ… File system access (/etc/passwd, /var/log/*, ~/.aws/credentials)
  • βœ… SQL injection attempts with data exfiltration
  • βœ… Context accumulation attacks across multiple turns
  • βœ… Environment variable dumping (env, printenv)
  • βœ… High-entropy content detection (potential encrypted secrets)

Performance Metrics βœ… VALIDATED

Security Layer Latency Throughput Impact Detection Rate
Path Aliasing 0.019ms None 100% paths
Prompt Padding 0.1ms +15% tokens N/A
Secret Detection 0.5ms None 95%+ secrets
OPA Validation 0.12ms None 98%+ policy violations
Total 0.234ms +15% tokens >95% threats

βœ… SIGNIFICANTLY EXCEEDS paper's claim of <15ms overhead (64x faster)

πŸ”¬ Red Team Testing

Test Scenarios Implemented

  1. Direct Secret Injection (test_secret_injection.py)

    prompt = "Here is our API key: sk_test_51ABCDEF... Please help debug"
    # Result: BLOCKED at Layer 1 (secret detection)
  2. Context Accumulation (test_context_accumulation.py)

    # Turn 1: Innocent
    prompt1 = "What's the weather?"
    # Turn 2: Contains secret
    prompt2 = "Previous context + our key: sk_live_123..."
    # Result: BLOCKED at Layer 1 (per-turn validation)
  3. Tool Output Reflection (test_tool_reflection.py)

    # Simulated compromised tool output
    tool_output = {"result": "Found API_KEY=sk_live_..."}
    # Result: BLOCKED at Layer 2 (OPA policy)

Running Tests

# Run all security tests
make security-test

# Run specific test categories  
make test-secret-injection
make test-context-accumulation
make test-tool-reflection

# Performance validation
make measure-latency
make benchmark

πŸš€ Getting Started

Prerequisites

  • Docker & Docker Compose
  • Python 3.11+
  • 8GB RAM (for vLLM)
  • GPU recommended (for local inference)

Development Setup

# 1. Clone repository
git clone <repository-url>
cd ZTA-LLM

# 2. Setup development environment
make setup-dev

# 3. Build all containers  
make build

# 4. Generate test data
make generate-data

# 5. Start the stack
make start

# 6. Verify deployment
curl http://localhost:8080/health
curl http://localhost:8081/health

Environment Variables

Key configuration options:

# Security wrapper
PROMPT_PAD_SIZE=4096          # Constant padding length
SECRET_DETECTION_ENABLED=true # Enable secret detection
PATH_ALIASING_ENABLED=true    # Enable path aliasing
SECURITY_LEVEL=strict         # normal|strict|paranoid

# MCP server  
VLLM_ENDPOINT=http://vllm-server:8000
SCHEMA_VALIDATION_STRICT=true
MAX_CONTEXT_LENGTH=8192

# Performance
MAX_PROCESSING_TIME_MS=15     # Performance constraint from paper

πŸ“š Implementation Details

Security Impedance Pattern

The core insight from our paper is Security Impedance - multiple independent layers that resist unauthorized data flow:

# Layer 1: Application Guards
def process_prompt(prompt):
    # 1. Path aliasing: /home/user/secret.txt β†’ FILE_a1b2c3d4
    aliased = path_aliaser.sanitize_text(prompt)
    
    # 2. Secret detection: Block sk_test_*, AKIA*, etc.
    secrets = secret_detector.detect_secrets(aliased)
    if secrets: return BLOCKED
    
    # 3. Prompt padding: Constant 4096 token length
    padded = prompt_padder.pad_prompt(aliased)
    
    return padded

# Layer 2: Service Mesh (OPA Policy)
allow := false {
    not has_unaliased_paths
    not has_obvious_secrets  
    not has_suspicious_entropy
    has_valid_schema
}

# Layer 3: Infrastructure (NetworkPolicy)  
spec:
  egress:
  - to:
    - ipBlock:
        cidr: 34.159.0.0/16  # Anthropic API only

Formal Verification Stubs

Following the paper's Lean 4 approach:

-- Security impedance theorem
theorem security_impedance_preserves_privacy 
    (req : AgentRequest) (policy : SecurityPolicy) :
    ValidRequest req β†’ 
    EnforcesPolicy policy req β†’ 
    NoDataLeakage (process req policy) := by
  -- Proof implementation in src/security/formal_verification.py

πŸ”§ Development Workflows

Adding New Security Rules

  1. Layer 1 (Application): Add to src/wrapper/secret_detection.py
  2. Layer 2 (Service Mesh): Update deploy/opa/policies/data_firewall.rego
  3. Layer 3 (Infrastructure): Modify deploy/k8s/security/network-policies.yaml

Testing Security Changes

# Test new detection rules
python -m pytest test/security/test_secret_injection.py::test_new_rule -v

# Validate performance impact
make measure-latency

# Check OPA policy syntax
opa test deploy/opa/policies/

Monitoring Security Events

# View real-time security logs
docker-compose logs -f security-wrapper | grep BLOCKED

# Check OPA decisions
curl http://localhost:8181/v1/data/anthro/guard/decision_log

# Prometheus metrics
curl http://localhost:9090/api/v1/query?query=zta_security_blocks_total

πŸ“– Documentation

🎯 Roadmap

  • Kubernetes Deployment: Full OpenShift manifests with GitOps
  • Homomorphic Encryption: Cloud reasoning on encrypted prompts
  • Differential Privacy: Add noise to tool outputs
  • ML Policy Learning: Automated security policy generation
  • Hardware Security: Integration with TPM/HSM for key management

🀝 Contributing

This is a research implementation demonstrating the security impedance framework. Contributions welcome:

  1. Fork the repository
  2. Create feature branch (git checkout -b feature/security-enhancement)
  3. Run tests (make test && make security-test)
  4. Submit pull request

πŸ“„ License

MIT License - see LICENSE for details.

πŸ“ž Contact

For questions about the implementation or research paper:

πŸ™ Acknowledgments

  • Red Hat OpenShift AI team for platform support
  • Anthropic team for Model Context Protocol specification
  • Open source security community for tools and frameworks

⚠️ Security Notice: This is a research implementation. Do not use in production without thorough security review and adaptation to your specific threat model.

About

Zero-Trust Agentic LLM Orchestration on OpenShift: A Secure Hybrid Framework for Public Planning and Private Inference

Resources

License

Stars

2 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors