Skip to content

marcmav/bedrock

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

286 Commits
 
 
 
 

Repository files navigation

=======
bedrock
=======

A playbook of the architectural root of my security model. It defines the foundational layers, principles and controls that every system must satisfy before it can be considered trusted.

Scope: Bedrock defines the security architecture for personal computers (The layers I can consistently control on every personal computer I own). Infrastructure outside the host (e.g., routers, cloud infrastructure and hardware security keys) is intentionally out of scope. While some controls also improve privacy, every recommendation in Bedrock is included because it strengthens the system's security.

==========================
The Defense-in-Depth Model
==========================

Security is engineered sequentially from the system's lowest trust boundary outward to my digital identity. If a lower layer is compromised, the structural integrity of every layer above it is void.

[ Layer 5: Alias ] --- Identity
    [ Layer 4: Credentials ] --- Password Manager, Authenticator
        [ Layer 3: Gateway ] --- Browser, Search Engine
            [ Layer 2: Network ] --- Firewall, DNS, VPN
                [ Layer 1: Compute ] --- Operating System
                    [ Layer 0: Core ] --- Firmware, Bootloader


=============
Layer 0: Core
=============

The Core layer represents the lowest trust boundary of a system. It consists of the firmware, which initializes hardware and establishes the initial trust state of the machine, and the bootloader, which is responsible for loading and transferring execution to the operating system. If this layer is compromised, no software control above it can be trusted.

----------
Components
----------

> - Firmware
> - Bootloader

---------
Principle
---------

Physical access to an unprotected Core is equivalent to full system compromise. Every layer above this one assumes the Core has not been tampered with.

---------
Objective
---------

Establish a trustworthy startup chain and ensure that only authorized code executes before the operating system gains control.

--------
Controls
--------

> - Firmware Updates
    Firmware is software. It has vulnerabilities and CVEs and must be updated like any other component in the stack.

> - Firmware Password
    Protects firmware settings from unauthorized modification. (Without it, anyone with physical access can disable Secure Boot, change the boot order and boot from external media).

> - Secure Boot
    Enabling it ensures only cryptographically signed bootloaders are allowed to execute. (Prevents bootkits and rootkits from loading before the OS has a chance to defend itself).

> - Boot Order
    Restrict boot sources to only those required for normal operation. External and network boot should be disabled when not needed. (Disabling USB and network boot eliminates the ability to boot a live OS or run cold boot attacks against the machine)

> - Component Minimization
    Disable firmware-level features and interfaces that are not required for the system's intended purpose. Every enabled component increases the attack surface and should be justified.

> - TPM (Trusted Platform Module)
    If the hardware supports it, the TPM can securely store encryption keys and binds them to the hardware state. (Used in conjunction with full-disk encryption to bind decryption keys to a measured boot state, helping detect unauthorized modifications during startup).

> - Bootloader Updates
    Bootloaders are software and must receive security updates.

> - Bootloader Integrity
    Ensures boot configuration has not been tampered with between boots. (Without it, kernel parameters can be appended at boot to bypass OS-level security controls entirely).

> - Single Trusted Boot Path
    Maintain a single, intentional boot path. Every additional bootloader, operating system, or boot entry increases complexity and attack surface.


================
Layer 1: Compute
================

The Compute layer is the operating system. It is the first software layer with full visibility over hardware resources, user processes and system state. It enforces access controls, manages process isolation and mediates every interaction between software and hardware. If this layer is compromised, no application, credential or identity above it can be trusted.

----------
Components
----------

> - Operating System

---------
Principle
---------

The operating system is the highest-privilege software layer on the machine. Every process, file and network connection is subject to its rules. A compromised Operating System is a compromised machine.

---------
Objective
---------

Deploy a minimal, auditable and actively maintained operating system that enforces strict access controls and exposes the smallest possible attack surface.

--------
Controls
--------

> - Operating System Selection
    Choose an open-source, actively maintained operating system with a transparent security model. Open source enables independent review of the codebase and provides greater visibility into how the system operates.

> - Minimal Installation
    Build the operating system from the smallest practical installation and install only the components required for its intended purpose.

> - Service Minimization
    Disable or remove services that are not required or that won't be used. (Every running service is an attack surface).

> - Full-Disk Encryption
    Protect data at rest from unauthorized access with a strong and unique password at boot required to decrypt it. (Without it, physical access to the drive is sufficient to read all data regardless of OS-level permissions).

> - System Updates
    The operating system and installed software must be updated regularly. (Vulnerabilities lose much of their impact once patched).

> - Secure Software Sources
    Install software from trusted and verifiable sources. Prefer official repositories and cryptographically verified packages. (Avoid unofficial repositories and untrusted installation scripts).

> - Application Minimization
    Install only software that serves a defined purpose. (Unnecessary software increases complexity and attack surface).

> - Least Privilege
    Daily activities should be performed as a standard user. Root privileges should only be used when required.

> - SSH Hardening
    If remote administration is required, use key-based authentication only, disable password authentication and direct root login.

> - Mandatory Access Control
    Enforce process-level access controls beyond standard Unix permissions. (Limits the blast radius of a compromised process).

> - Application Sandboxing
    Isolate high-risk applications from the rest of the system. (A browser should only have access to the network and downloads, a multimedia viewer should only have access to the file it is opening and nothing more).

> - Audit and Hardening Verification
    Periodically run a system hardening audit to identify misconfigurations and gaps.


================
Layer 2: Network
================

The Network layer controls how the machine communicates with external systems. It is the boundary between the local environment and the outside world. A misconfigured or unmonitored network layer exposes every layer above it to remote threats regardless of how well they are hardened.

----------
Components
----------

> - Firewall
> - DNS
> - VPN

---------
Principle
---------

Every connection the machine makes is a potential attack vector. Communication must be explicitly permitted, minimally exposed and cryptographically protected whenever possible.

---------
Objective
---------

Establish a trusted communication path by minimizing network exposure, restricting unnecessary connectivity and ensuring the authenticity and confidentiality of network traffic.

--------
Controls
--------

> - Default Deny Inbound (Firewall)
    Block all inbound connections by default. Only explicitly permitted traffic should reach the machine.

> - Outbound Filtering (Firewall)
    Restrict outbound connections to only what is necessary. Limits the impact of malware attempting to phone home or exfiltrate data.

> - Trusted Resolver
    Route DNS queries through a trusted resolver with a verified no-log policy and support for DoT/DoH and DNSSEC. Prefer providers with transparent privacy practices and independent security audits.

> - DNS over TLS / DNS over HTTPS
    Encrypt DNS queries in transit. Unencrypted DNS exposes every domain you resolve to your ISP and any on-path observer. (Prevents local network observers or ISPs from eavesdropping on your browsing requests or altering DNS responses).

> - DNSSEC Validation
    Validate DNS responses are cryptographically signed and have not been tampered with in transit. (Prevents DNS spoofing and cache poisoning).

> - DNS Content Filtering
    Consider using DNS-based filtering to block known malicious domains, trackers and telemetry at the resolution phase before a connection can even be initiated.

> - DNS Leak Prevention
    Ensure all DNS queries are routed through the configured resolver and not leaking to the ISP or a default system resolver. Verify periodically.

> - VPN
    Route traffic through a trustworthy, audited and open-source VPN provider with a transparent privacy policy, modern cryptography, and independent security audits when operating on untrusted networks. A VPN shifts trust from the ISP or local network to the VPN provider so choose accordingly.

> - Mandatory Network Kill-Switch
    The system transport routing must enforce a strict kill-switch rule. If the encrypted VPN tunnel drops, all clear-text outbound traffic must be instantly blocked by the firewall rather than leaking over the fallback interface.

> - Public Networks
    Treat public networks as hostile. Always use a VPN when accessing untrusted networks and avoid transmitting sensitive information without appropriate encryption.

> - Network Monitoring
    Periodically audit active connections and listening ports to identify unexpected outbound traffic or exposed services.

> - Minimize Exposed Services
    Disable or avoid exposing network services that are not explicitly required. (Every listening service increases the remote attack surface).

> - Secure Protocols
    Prefer protocols that provide authentication and encryption by default. Avoid deprecated or insecure protocols whenever modern alternatives exist.


===============
Layer 3: Gateway
===============

The Gateway layer is the point where the machine crosses into the open internet. It consists of the browser and search engine, the two primary interfaces through which external content is requested, rendered and interacted with. If this layer is misconfigured or untrusted, adversarial content reaches the machine regardless of how well the layers below it are hardened.

----------
Components
----------

> - Browser
> - Search Engine

---------
Principle
---------

The browser is the largest attack surface on a modern machine. It executes arbitrary remote code, renders untrusted content and manages persistent state across sessions. Every extension, setting and permission granted is a trust decision.
---------
Objective
---------

Deploy a hardened browser that minimizes exposed attack surface, enforces strict identity compartmentalization and safely mediates interactions with untrusted web content.

--------
Controls
--------

> - Browser Selection
    Use an open-source browser with a transparent security model, an active security patch cadence and advanced process isolation. (Avoid closed-source browsers that enforce opaque profiling or aggregate user tracking data).

> - Browser Hardening
    Apply a hardened browser configuration that minimizes telemetry, reduces browser fingerprinting and disables unnecessary features.

> - HTTPS Enforcement
    Enforce HTTPS-only mode. Refuse to load resources over unencrypted connections.

> - Permission Minimization
    Deny browser access to camera, microphone, location and notifications by default. Grant permissions only when explicitly required and revoke immediately after.

> - Extension Minimization
    Install only extensions that serve a defined security or privacy purpose. (Every extension runs with elevated browser privileges and is a potential attack vector).

> - Content Blocking
    Block advertisements, trackers and known malicious scripts at the browser level by default as a second layer of defense after DNS filtering, enabling them only in explicit cases. (Reduces both privacy exposure and the likelihood of malicious script execution).

> - URL Tracking Stripping
    Strip tracking parameters from URLs before requests are made. (Prevents the linkage of distinct browsing sessions across different services).

> - Cookie Management
    Limit persistent cookies and regularly clear browsing data. Isolate website state to reduce cross-site tracking.

> - Identity Compartmentalization
    Separate browsing activities into distinct browser profiles or containers according to their trust tier. (This reduces credential exposure, limits session leakage and confines the impact of browser compromise).

> - First-Party Isolation & Partitioning
    Enforce strict state partitioning and cookie isolation. Cookies, local storage and caches must be separated by the top-level domain. (Prevents tracking networks from profiling activities across different websites).

> - Search Engine Selection
    Use an independent, non-profiling search engine that does not build a behavioral profile or correlate queries to an identity.

> - Search Isolation
    Search queries must not be tied to an authenticated account or a persistent identity. Avoid signing into any account within the primary browsing context.

> - Download Verification
    Treat every downloaded file as untrusted until its integrity and origin have been verified.

--------------
Profile Tiers
--------------

Browser activity is separated into distinct profiles according to trust level and purpose. Each tier operates under a different set of permissions, extensions and hardening settings. A session in a lower-trust tier must never share state, cookies or identity with a higher-trust tier.

[ Tier 0: Root ]
    [ Tier 1: Professional ]
        [ Tier 2: Personal ]
            [ Tier 3: Disposable ]


> - Tier 0: Root
    Used exclusively for sensitive authenticated sessions such as banking, government services, password manager and primary email.
    Maximum hardening. No general browsing. No extensions beyond essentials.

> - Tier 1: Professional
    Used for operational workflows, technical research, professional accounts and trusted learning resources.
    Strict hardening. No extensions beyond essentials.

> - Tier 2: Personal
    Used for daily personal tasks, general media consumption and streaming.
    Moderate hardening. Standard extension set active.

> - Tier 3: Disposable
    Used for investigating unknown links, testing untrusted web applications, and performing general and transient clear-net lookup.
    Moderate Hardening. No persistent state.

(Will document further more)


====================
Layer 4: Credentials
====================

The Credentials layer protects the secrets that authenticate identity across every service, account and system. It consists of the password manager and Multi-factor authenticator, the two mechanisms responsible for generating, storing and producing proof of identity on demand. If this layer is compromised, every account and service above it is accessible to the adversary regardless of how well the layers below it are hardened.

----------
Components
----------

> - Password Manager
> - Authentication

---------
Principle
---------

Credentials are proof of identity, their confidentiality determines the security of every account they protect. A weak, reused or exposed credential collapses the boundary between the adversary and everything you have access to.

---------
Objective
---------

Establish a centralized, encrypted and recoverable credential management system that minimizes secret exposure while enforcing strong, multi-factor authentication across every supported service.

--------
Controls
--------

> - Password Manager Selection
    Use an open-source, audited password manager. If using a local file-based database, it must be strongly encrypted and synchronized only via end-to-end encrypted local channels. If using a cloud vault, it must use zero-knowledge local encryption before transmission with end-to-end encryption.

> - Strong Password Generation
    All passwords must be randomly generated by the password manager. (Human-chosen passwords are predictable).

> - Master Password Strength
    The password manager master password must be the strongest credential in the entire stack. It must be long, random and memorized, never written in plaintext or stored digitally outside the vault.

> - Unique Passwords
    Every account must have a unique password. (Credential reuse means a single breach propagates access across every service sharing that password).

> - Automated Clipboard Purging
    The password manager utility must be configured to automatically clear copied credentials from the system clipboard after a short period. (Reduces the window of exposure for local background processes to sniff copied credentials).

> - Vault Lifecycle & Lock Timing
    The vault must automatically lock itself after a brief period of system inactivity or whenever the host machine suspends. It must never remain unlocked in the background indefinitely.

> - Multi-Factor Authentication
    Enable MFA wherever supported. Authentication should require something more than a password alone.

> - TOTP Authenticator Selection
    Use an open-source, locally encrypted TOTP application with no cloud dependency.

> - TOTP Over SMS
    Use time-based one-time passwords (TOTP) as the second factor wherever possible. (SMS-based 2FA is vulnerable to SIM swapping and interception and must be avoided).

> - Passkeys
    Prefer passkeys where supported. Hardware-backed, phishing-resistant authentication reduces reliance on passwords while maintaining strong security guarantees.

> - Authentication Decoupling
    Consider storing TOTP secrets separately from the primary password vault for high-value accounts. (This reduces the impact of a single vault compromise).

> - 2FA Coverage
    Every account that supports a second factor must have one enabled. Prioritize accounts that protect email, financial services, primary identity and the password manager itself.

> - Vault Access Hardening
    Access to the password manager must itself be protected by a second factor. (The vault is the single point of failure for the entire credentials layer).

> - Recovery Codes
    Store recovery codes offline in a secure location. They are equivalent to authentication credentials and must receive the same protection.

> - Secret Sharing
    Credentials must never be transmitted through insecure communication channels. Share secrets only through encrypted mechanisms when absolutely necessary.

> - Credential Verification
    Credentials must never be entered on a domain that has not been independently verified. (Use the password manager's domain matching capabilities to reduce the risk of credential submission to fraudulent websites).

> - Credential Rotation
    Rotate credentials immediately after suspected compromise or unauthorized disclosure. (Routine password rotation without evidence of compromise is generally unnecessary).

> - Credential Auditing
    Periodically review stored credentials for duplicates, weak passwords and accounts that are no longer required.

> - Breach Monitoring
    Monitor accounts against known breach databases to identify exposed credentials before they are exploited.


==============
Layer 5: Alias
==============


About

The starting point of a personal secure system

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors