domains

same gap, different manifestations

every domain that signs or authorizes has the same gap: what you intend vs what gets signed. the attacks look different. the invariants look different. the error costs are different. the gap is the same.

attack taxonomy

these five categories show up across domains (see the deep dive on /problem).

  • payload substitution
  • look-alike attacks
  • policy drift
  • context injection
  • parameter tampering

container signing

strongest evidence (sigstore CVEs), natural beachhead

the gap

digest substitution, base image swap, registry manipulation

attack patterns

  • ci artifact swapped between build and sign
  • base image replaced with malicious version
  • registry serves different content than the requested digest (caught only if the client re-hashes what it pulled)
  • tag moved to different image

invariant examples

  • digest == ci_output_digest
  • base_image in approved_list
  • registry in allowlist
  • sbom_present and sbom_matches

integration points

  • cosign pre-sign hook
  • slsa provenance consumer
  • registry admission controller
  • ci/cd pipeline gate
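the invariant examples above, as a pre-sign hook. this is an added example, not 1seal's or cosign's code: the candidate and policy dicts, every field name in them (ci_output_digest, approved_base_digests, sbom_digest) and the sample digests are assumptions constructed for the example. the point it shows is that a tag-only reference cannot satisfy digest == ci_output_digest at all, so the hook refuses it rather than resolving the tag.

```python
"""pre-sign invariant check for a container image.
added example, not 1seal's or cosign's code. the candidate/policy dicts and every
field name in them (ci_output_digest, approved_base_digests, ...) are assumptions."""
import hashlib
import re

# registry/repo[:tag][@sha256:<64 hex>], the reference shape docker and cosign accept
_REF_RE = re.compile(
    r"^(?P<registry>[^/]+)/(?P<repo>[^:@]+)"
    r"(?::(?P<tag>[^@]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_ref(ref: str) -> dict:
    m = _REF_RE.match(ref)
    if m is None:
        raise ValueError(f"unparseable image reference: {ref}")
    return m.groupdict()


def sha256_hex(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def check_container_invariants(candidate: dict, policy: dict) -> list:
    """return the violated invariants; an empty list means the hook lets the signature proceed"""
    violations = []
    ref = parse_ref(candidate["image_ref"])

    # digest == ci_output_digest: sign the bytes ci built, not whatever the tag resolves to now
    if ref["digest"] is None:
        violations.append("image_ref has no digest (a tag can be moved after signing)")
    elif ref["digest"] != candidate["ci_output_digest"]:
        violations.append("digest != ci_output_digest")

    # registry in allowlist
    if ref["registry"] not in policy["registry_allowlist"]:
        violations.append(f"registry {ref['registry']} not in allowlist")

    # base_image in approved_list: compared by digest, a base tag can be swapped just like ours
    base = parse_ref(candidate["base_image_ref"])
    if base["digest"] not in policy["approved_base_digests"]:
        violations.append("base_image not in approved_list")

    # sbom_present and sbom_matches: the sbom must exist, describe this digest, and be unmodified
    sbom = candidate.get("sbom")
    if sbom is None:
        violations.append("sbom not present")
    else:
        if sbom["subject_digest"] != ref["digest"]:
            violations.append("sbom subject != image digest")
        if sha256_hex(sbom["content"]) != candidate["sbom_digest"]:
            violations.append("sbom content digest mismatch")
    return violations


# constructed sample data
IMAGE_DIGEST = "sha256:" + "a" * 64
BASE_DIGEST = "sha256:" + "b" * 64
SBOM_BYTES = b'{"bomFormat":"CycloneDX","components":[]}'
POLICY = {
    "registry_allowlist": {"registry.internal.example"},
    "approved_base_digests": {BASE_DIGEST},
}


def good_candidate() -> dict:
    return {
        "image_ref": f"registry.internal.example/app/api@{IMAGE_DIGEST}",
        "ci_output_digest": IMAGE_DIGEST,
        "base_image_ref": f"registry.internal.example/base/distroless@{BASE_DIGEST}",
        "sbom": {"subject_digest": IMAGE_DIGEST, "content": SBOM_BYTES},
        "sbom_digest": sha256_hex(SBOM_BYTES),
    }


def swapped_candidate() -> dict:
    """artifact swapped between build and sign: the ref now names a different digest"""
    c = good_candidate()
    c["image_ref"] = "registry.internal.example/app/api@sha256:" + "c" * 64
    return c


def tag_only_candidate() -> dict:
    """a moved tag is undetectable from the ref alone, so a tag-only ref is refused outright"""
    c = good_candidate()
    c["image_ref"] = "registry.internal.example/app/api:v1.2.3"
    return c


def base_swap_candidate() -> dict:
    """base image replaced with an unapproved build"""
    c = good_candidate()
    c["base_image_ref"] = "registry.internal.example/base/distroless@sha256:" + "d" * 64
    return c


if __name__ == "__main__":
    for name, fn in [("good", good_candidate), ("swapped", swapped_candidate),
                     ("tag_only", tag_only_candidate), ("base_swap", base_swap_candidate)]:
        print(name, check_container_invariants(fn(), POLICY) or "ok to sign")
```

the base image is compared by digest rather than by name for the same reason the image itself is: an allowlist of base tags would pass a base tag that has been moved.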

error cost profile

c_fp (dev) low (rebuild)
c_fp (prod) medium (delayed release)
c_fn extreme (supply chain compromise)
bias permissive in dev, conservative in prod

rationale: production releases are high-leverage attack surface

protocol implications: Invariant Lifecycle critical for keeping base image lists current; Appeal and Resolution for urgent releases

financial transactions

high regulatory demand, shows enterprise readiness

the gap

field manipulation, counterparty swap, amount tampering

attack patterns

  • counterparty account modified between approval and submission
  • amount changed after review
  • quote/order ID substituted
  • currency or decimal manipulation

invariant examples

  • counterparty in verified_list
  • amount <= approved_limit
  • quote_id == expected_quote_id
  • currency == expected_currency

integration points

  • swift gpi pre-submission
  • core banking pre-authorization
  • payment processor webhook
  • treasury management pre-sign
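the invariant examples above applied at pre-submission, comparing what is about to be submitted against the record that was approved. added example, not 1seal's code and not any bank's or processor's api: the approved and submission dicts, their field names, the MINOR_UNITS table and the sample iban strings are assumptions constructed for the example. it also handles the decimal manipulation case from the attack patterns: an amount with more precision than the currency carries is rejected instead of silently rounded, and the same digits in a different currency fail the currency invariant even though they compare equal numerically.

```python
"""pre-submission invariant check for a payment, against the record that was approved.
added example, not 1seal's code and not any bank's api. the approved/submission dicts,
the field names and the MINOR_UNITS table are assumptions."""
from decimal import Decimal, InvalidOperation, ROUND_HALF_EVEN

# iso 4217 minor-unit exponents for the currencies this example knows (constructed subset)
MINOR_UNITS = {"USD": 2, "EUR": 2, "GBP": 2, "JPY": 0}


def canonical_amount(amount, currency: str) -> Decimal:
    """parse an amount into the currency's minor-unit scale. anything that does not parse, or
    carries more precision than the currency has, is rejected rather than silently rounded:
    rounding is exactly where decimal manipulation hides."""
    if currency not in MINOR_UNITS:
        raise ValueError(f"unknown currency {currency}")
    try:
        d = Decimal(str(amount))
        scale = Decimal(1).scaleb(-MINOR_UNITS[currency])  # Decimal('0.01') for USD, '1' for JPY
        q = d.quantize(scale, rounding=ROUND_HALF_EVEN)
    except InvalidOperation as e:
        raise ValueError(f"unparseable amount {amount!r}") from e
    if q != d:
        raise ValueError(f"amount {amount!r} has more precision than {currency} allows")
    return q


def canonical_account(acct: str) -> str:
    """iban-style normalisation: whitespace and case carry no meaning, strip them before comparing"""
    return "".join(acct.split()).upper()


def check_payment_invariants(approved: dict, submission: dict,
                             verified_list: set, approved_limit: Decimal) -> list:
    violations = []

    # currency == expected_currency: the same digits in another currency is a different payment
    if submission["currency"] != approved["currency"]:
        violations.append("currency != expected_currency")

    # amount: must parse cleanly, equal what was approved, stay under the limit, and be positive
    try:
        amount = canonical_amount(submission["amount"], submission["currency"])
    except ValueError as e:
        return violations + [f"amount rejected: {e}"]
    if amount <= 0:
        violations.append("amount not positive")
    if amount != canonical_amount(approved["amount"], approved["currency"]):
        violations.append("amount != approved amount")
    if amount > approved_limit:
        violations.append("amount > approved_limit")

    # counterparty in verified_list, and still the one that was approved
    cp = canonical_account(submission["counterparty"])
    if cp not in verified_list:
        violations.append("counterparty not in verified_list")
    if cp != canonical_account(approved["counterparty"]):
        violations.append("counterparty changed after approval")

    # quote_id == expected_quote_id
    if submission["quote_id"] != approved["quote_id"]:
        violations.append("quote_id != expected_quote_id")
    return violations


# constructed sample data: one approved payment and several tampered submissions of it
APPROVED = {
    "counterparty": "DE89 3704 0044 0532 0130 00",
    "amount": "12500.00",
    "currency": "EUR",
    "quote_id": "Q-0017",
}
VERIFIED = {canonical_account(APPROVED["counterparty"]), "GB29NWBK60161331926819"}
LIMIT = Decimal("50000")


def tampered_submissions() -> dict:
    base = dict(APPROVED)
    return {
        "unchanged": dict(base),
        "decimal_shift": {**base, "amount": "125000.00"},                   # one extra zero
        "hidden_precision": {**base, "amount": "12500.004"},                # would round away silently
        "currency_swap": {**base, "currency": "JPY", "amount": "12500"},    # same digits, 12500 yen
        "counterparty_swap": {**base, "counterparty": "GB29 NWBK 6016 1331 9268 19"},  # verified, not approved
        "quote_swap": {**base, "quote_id": "Q-0018"},
    }


if __name__ == "__main__":
    for name, sub in tampered_submissions().items():
        print(name, check_payment_invariants(APPROVED, sub, VERIFIED, LIMIT) or "ok to submit")
```

the counterparty_swap case is the one an allowlist alone misses: the new account is in the verified list, so only the comparison against the approved record catches it.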

error cost profile

c_fp high (blocked business, regulatory scrutiny)
c_fn extreme (irreversible loss, fraud liability)
bias conservative with fast appeal path

rationale: both costs high; need blocking but also rapid resolution

protocol implications: Appeal and Resolution critical with strict targets; audit logging mandatory for compliance

firmware updates

shows understanding of extreme c_fn domains

the gap

rollback attacks, device class mismatch, version manipulation

attack patterns

  • firmware downgrade to vulnerable version
  • update for wrong device class/model
  • version number spoofed to appear current
  • update package repackaged with malicious payload

invariant examples

  • version >= current_version
  • device_class == expected_class
  • manifest_signature_valid
  • rollback_index > previous_rollback_index

integration points

  • suit manifest verification
  • uefi pre-update hook
  • ota server pre-sign
  • secure boot chain
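the invariant examples above as a pre-update check, including the fail-closed behaviour the protocol implications call for. added example, not 1seal's code and not a suit or uefi verifier: the manifest dict, the DeviceState fields and the signature_valid flag (assumed to come from the platform's own signature verifier) are assumptions, and the device and manifests are constructed. beyond the list of invariants, it shows the version-ordering mistake that turns version >= current_version into a downgrade hole, and why rollback_index catches a spoofed version string that the version check alone accepts.

```python
"""pre-update invariant check for a firmware image.
added example, not 1seal's code and not a suit or uefi verifier. the manifest dict, the
DeviceState fields and the signature_valid flag (assumed to come from the platform's
signature verifier) are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceState:
    device_class: str
    current_version: str
    rollback_index: int   # monotonic counter the device stores, e.g. in an rpmb or efuse slot


def parse_version(v: str) -> tuple:
    """numeric tuple, so 1.10.0 sorts after 1.9.2. comparing version strings lexically gets
    this backwards ('1.10.0' < '1.9.2' is True in python), which refuses a real upgrade here
    and lets a downgrade through when the digits line up the other way."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"malformed version {v!r}")
    return tuple(int(part) for part in v.split("."))


def check_firmware_invariants(manifest: dict, state: Optional[DeviceState],
                              signature_valid: bool) -> list:
    # Degraded Mode Policy, fail-closed: no readable device state means no update decision at all
    if state is None:
        return ["device state unavailable: refusing (fail closed)"]
    violations = []

    # manifest_signature_valid
    if not signature_valid:
        violations.append("manifest_signature_valid is false")

    # device_class == expected_class
    if manifest["device_class"] != state.device_class:
        violations.append(f"device_class {manifest['device_class']} != {state.device_class}")

    # version >= current_version
    try:
        if parse_version(manifest["version"]) < parse_version(state.current_version):
            violations.append("version < current_version (downgrade)")
    except ValueError as e:
        violations.append(str(e))

    # rollback_index > previous_rollback_index: the counter is inside the signed manifest, so an
    # old image whose version string has been spoofed still carries its old index
    if manifest["rollback_index"] <= state.rollback_index:
        violations.append("rollback_index not greater than previous_rollback_index")
    return violations


# constructed sample data
DEVICE = DeviceState(device_class="gateway-v2", current_version="1.9.2", rollback_index=7)
GOOD = {"device_class": "gateway-v2", "version": "1.10.0", "rollback_index": 8}
DOWNGRADE = {"device_class": "gateway-v2", "version": "1.8.0", "rollback_index": 5}
SPOOFED = {"device_class": "gateway-v2", "version": "9.9.9", "rollback_index": 5}   # old image, new-looking version
WRONG_CLASS = {"device_class": "sensor-v1", "version": "1.10.0", "rollback_index": 8}


def naive_string_compare_rejects_good_update() -> bool:
    """the bug parse_version avoids: lexically, '1.10.0' sorts below '1.9.2'"""
    return GOOD["version"] < DEVICE.current_version


if __name__ == "__main__":
    for name, m in [("good", GOOD), ("downgrade", DOWNGRADE),
                    ("spoofed", SPOOFED), ("wrong_class", WRONG_CLASS)]:
        print(name, check_firmware_invariants(m, DEVICE, signature_valid=True) or "ok to apply")
    print("state unavailable", check_firmware_invariants(GOOD, None, signature_valid=True))
```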

error cost profile

c_fp medium (delayed update, support burden)
c_fn extreme (bricked device, physical safety)
bias very conservative

rationale: irreversible damage from c_fn vastly outweighs c_fp inconvenience

protocol implications: Degraded Mode Policy must be fail-closed; override requires strong authentication

ai/ml model deployment

current market attention, growing attack surface

the gap

model substitution, weight poisoning, provenance manipulation

attack patterns

  • model replaced with backdoored version
  • weights modified during transfer
  • provenance metadata spoofed
  • model card doesn't match actual model

invariant examples

  • model_digest in approved_list
  • provenance_chain_valid
  • training_data_attestation_present
  • model_card_hash == expected

integration points

  • mlflow pre-registration
  • model registry admission
  • inference endpoint pre-load
  • huggingface download verification
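the invariant examples above as a pre-load check of a model directory against its provenance record. added example, not 1seal's, mlflow's or hugging face's code: the provenance dict and its field names are assumptions, the signature over the provenance record itself is assumed to have been verified upstream (that is the provenance_chain_valid part), and the model files are constructed in a temporary directory. what it adds to the invariant list is that the comparison has to run in both directions: a file the provenance never listed is as much a substitution as a modified weights file.

```python
"""pre-load invariant check for a model directory against its provenance record.
added example, not 1seal's, mlflow's or hugging face's code. the provenance dict and its field
names are assumptions, and the signature over the provenance record is assumed to have been
verified upstream (provenance_chain_valid); the model files are constructed in a temp dir."""
import hashlib
import json
import os
import tempfile


def file_digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):   # stream: real weight files are large
            h.update(chunk)
    return h.hexdigest()


def model_digest(provenance: dict) -> str:
    """one digest over the sorted (file, digest) pairs; this is what the approved list holds"""
    return hashlib.sha256(json.dumps(sorted(provenance["files"].items())).encode()).hexdigest()


def check_model_invariants(model_dir: str, provenance: dict, approved_digests: set) -> list:
    violations = []

    # training_data_attestation_present
    if not provenance.get("training_data_attestation"):
        violations.append("training_data_attestation not present")

    # model_digest in approved_list
    if model_digest(provenance) not in approved_digests:
        violations.append("model_digest not in approved_list")

    listed = provenance["files"]
    card = provenance["model_card"]
    present = {os.path.relpath(os.path.join(root, f), model_dir)
               for root, _, files in os.walk(model_dir) for f in files}

    # weights modified during transfer, or a file dropped: every listed file must be there and match
    for name, want in sorted(listed.items()):
        if name not in present:
            violations.append(f"missing file {name}")
        elif file_digest(os.path.join(model_dir, name)) != want:
            violations.append(f"digest mismatch {name}")

    # model replaced or extended: a file provenance never mentioned (custom loader code, a pickle)
    for name in sorted(present - set(listed) - {card}):
        violations.append(f"unlisted file {name}")

    # model_card_hash == expected
    if card not in present:
        violations.append("model card missing")
    elif file_digest(os.path.join(model_dir, card)) != provenance["model_card_digest"]:
        violations.append("model_card_hash != expected")
    return violations


def build_fixture() -> tuple:
    """constructed fixture: a toy model directory and the provenance record that describes it"""
    d = tempfile.mkdtemp(prefix="model-")
    files = {
        "config.json": b'{"architectures":["ToyModel"],"hidden_size":8}',
        "model.safetensors": bytes(range(256)) * 4,
    }
    card = b"# toy model\nintended use: example only\n"
    for name, data in {**files, "README.md": card}.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    provenance = {
        "files": {n: hashlib.sha256(b).hexdigest() for n, b in files.items()},
        "model_card": "README.md",
        "model_card_digest": hashlib.sha256(card).hexdigest(),
        "training_data_attestation": {"dataset": "toy-corpus-v1", "sha256": "0" * 64},
    }
    return d, provenance


def tamper_weights(model_dir: str) -> None:
    """flip one byte in the weights: the 'modified during transfer' case"""
    with open(os.path.join(model_dir, "model.safetensors"), "r+b") as f:
        f.seek(100)
        f.write(b"\xff")


def add_unlisted_file(model_dir: str) -> None:
    with open(os.path.join(model_dir, "custom_loader.py"), "wb") as f:
        f.write(b"import os\n")


if __name__ == "__main__":
    d, prov = build_fixture()
    approved = {model_digest(prov)}
    print("clean", check_model_invariants(d, prov, approved) or "ok to load")
    tamper_weights(d)
    add_unlisted_file(d)
    print("tampered", check_model_invariants(d, prov, approved))
```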

error cost profile

c_fp (dev) low (retrain, experiment)
c_fp (prod) medium (delayed deployment)
c_fn high (model poisoning, inference manipulation)
bias permissive in dev, conservative in prod

rationale: production model compromise can affect all downstream predictions

protocol implications: Invariant Lifecycle critical as models evolve; experimental phase for new model approvals

crypto transactions

original beachhead, but now one of many domains

the gap

address poisoning, agent memory injection, parameter tampering

attack patterns

  • look-alike address substitution
  • agent memory injection (elizaos, autogpt)
  • amount manipulation
  • contract address substitution

invariant examples

  • recipient in allowlist
  • recipient not in allowlist implies similarity_to_known < threshold
  • amount <= limit
  • contract_address == expected

integration points

  • wallet pre-sign hook
  • agent action validator
  • mpc ceremony pre-sign
  • hardware wallet confirmation
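the invariant examples above with the bias tiered by value, as the error cost profile describes. added example, not 1seal's code and not any wallet's or agent framework's api: the tx dict, the tier table, the "visible window" similarity and every address are assumptions constructed for the example. the similarity it uses is the fraction of the characters a truncating ui actually shows (0xABCD...1234) that match a known address, because that is exactly what a poisoning address is generated to reproduce. an agent whose memory was injected shows up here only through the action it proposes, which is the point of checking at the signing boundary rather than inside the agent.

```python
"""pre-sign invariant check for a token transfer, with the bias tiered by value.
added example, not 1seal's code and not any wallet's api. the tx dict, the tier table and
the 'visible window' similarity are assumptions; every address below is constructed."""
from decimal import Decimal

VISIBLE_PREFIX, VISIBLE_SUFFIX = 6, 4   # what a truncating ui shows: 0xABCD...1234


def visible_similarity(a: str, b: str) -> float:
    """fraction of the characters a human actually compares that match. a poisoning address
    is generated to score 1.0 here while differing everywhere in the middle."""
    a, b = a.lower(), b.lower()
    wa = a[:VISIBLE_PREFIX] + a[-VISIBLE_SUFFIX:]
    wb = b[:VISIBLE_PREFIX] + b[-VISIBLE_SUFFIX:]
    return sum(x == y for x, y in zip(wa, wb)) / len(wa)


# Error Cost Framework as a tier table: (inclusive upper bound, policy). constructed values.
TIERS = [
    (Decimal("100"),   {"require_allowlist": False, "lookalike_threshold": 0.9}),
    (Decimal("10000"), {"require_allowlist": False, "lookalike_threshold": 0.6}),
    (None,             {"require_allowlist": True,  "lookalike_threshold": 0.6}),
]


def check_transfer(tx: dict, allowlist: set, known: set, expected_contract: str,
                   limit: Decimal, tiers=TIERS) -> dict:
    amount = Decimal(str(tx["amount"]))
    tier, policy = next((i, p) for i, (cap, p) in enumerate(tiers) if cap is None or amount <= cap)
    recipient = tx["recipient"].lower()
    violations = []

    # contract_address == expected: a look-alike token contract drains as well as a look-alike recipient
    if tx["contract"].lower() != expected_contract.lower():
        violations.append("contract_address != expected")

    # amount <= limit
    if amount > limit:
        violations.append("amount > limit")

    if recipient not in allowlist:
        # recipient in allowlist: mandatory in the top tier, advisory below it
        if policy["require_allowlist"]:
            violations.append("recipient not in allowlist (high-value tier)")
        # similarity_to_known < threshold: an address that is not known but looks like one
        nearest = max(known, key=lambda k: visible_similarity(recipient, k), default=None)
        if nearest is not None and visible_similarity(recipient, nearest) >= policy["lookalike_threshold"]:
            violations.append(f"recipient resembles known address {nearest[:6]}...{nearest[-4:]}")
    return {"tier": tier, "decision": "block" if violations else "sign", "violations": violations}


# constructed addresses (42-char hex strings, not real accounts)
KNOWN = "0x1234abcd" + "0" * 28 + "ef90"
POISON = "0x1234abcd" + "f" * 28 + "ef90"     # same visible window as KNOWN, different account
UNRELATED = "0x9abc" + "d" * 32 + "1357"
TOKEN = "0xc0ffee" + "0" * 34
ALLOWLIST = {KNOWN}
KNOWN_ADDRESSES = {KNOWN}          # allowlist plus any address previously sent to
LIMIT = Decimal("100000")

SAMPLE_TRANSFERS = {
    "allowlisted_low": {"recipient": KNOWN, "amount": "50", "contract": TOKEN},
    "poisoned_low": {"recipient": POISON, "amount": "50", "contract": TOKEN},
    "unrelated_mid": {"recipient": UNRELATED, "amount": "5000", "contract": TOKEN},
    "unrelated_high": {"recipient": UNRELATED, "amount": "50000", "contract": TOKEN},
    "wrong_contract": {"recipient": KNOWN, "amount": "50", "contract": "0xdead" + "0" * 36},
}


def decide(name: str) -> dict:
    return check_transfer(SAMPLE_TRANSFERS[name], ALLOWLIST, KNOWN_ADDRESSES, TOKEN, LIMIT)


if __name__ == "__main__":
    for name in SAMPLE_TRANSFERS:
        print(name, decide(name))
```

the low tier is where poisoning actually lands (the attacker's dust transaction plants the look-alike, the victim's next small payment goes to it), so the look-alike threshold is tightest there even though the allowlist is not required.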

error cost profile

c_fp (low value) medium (user friction)
c_fp (high value) high (blocked business)
c_fn extreme (irreversible loss)
bias configurable by value tier

rationale: user risk tolerance varies; high-value needs conservative

protocol implications: Error Cost Framework drives tiered thresholds; Appeal and Resolution for time-sensitive trades

document signing

shows breadth, lower priority

the gap

content substitution, metadata tampering, version swap

attack patterns

  • document content modified after review
  • metadata (date, author) manipulated
  • different version signed than approved
  • template injection in generated documents

invariant examples

  • content_hash == approved_hash
  • template_id == expected_template
  • metadata_fields in expected_range
  • version == approved_version

integration points

  • esignature pre-sign
  • document management pre-approve
  • pdf generation post-render
  • contract management workflow

error cost profile

c_fp medium (delayed signing, workflow disruption)
c_fn medium (fraud, but often legally recoverable)
bias balanced

rationale: consequences often reversible through legal channels

protocol implications: standard protocol application; Appeal and Resolution for urgent documents

domain comparison

domain      primary attack         c_fp          c_fn      bias                         key protocol
container   digest substitution    low/medium    extreme   context-dependent            Invariant Lifecycle
fintech     counterparty swap      high          extreme   conservative + fast appeal   Appeal and Resolution
firmware    rollback attack        medium        extreme   very conservative            Degraded Mode Policy
ai/ml       model substitution     low/medium    high      context-dependent            Invariant Lifecycle
crypto      address poisoning      medium/high   extreme   tiered by value              Error Cost Framework
document    content swap           medium        medium    balanced                     Appeal and Resolution

the protocols define how 1seal behaves under uncertainty across all these domains