Overview
L3 (High-Assurance) deployment provides the highest level of security for AI assistants in regulated industries, organizations handling sensitive IP, or environments requiring formal verification.
Target Environment
| Characteristic | L3 Requirement |
|---|---|
| Network | Controlled, monitored |
| Users | Enterprise scale |
| Data sensitivity | Regulated (HIPAA, PCI, FedRAMP) |
| Deployment | Hardened infrastructure |
| Assessment | Third-party required |
Prerequisites
- Complete L2 deployment
- Security team involvement
- Formal verification tooling
- Hardware Security Module (HSM) access (recommended)
- Third-party assessment planned
Additional L3 Controls
Configuration Tamper Detection (CP-04)
```yaml
# Configuration integrity monitoring
integrity:
  enabled: true
  check_on_startup: true
  continuous_monitoring: true
  monitored_files:
    - path: "/etc/ocsas/config.yaml"
      alert_on_change: true
      block_on_change: true
    - path: "/etc/ocsas/permissions.yaml"
      alert_on_change: true
      block_on_change: true
    - path: "/etc/ocsas/policies/"
      recursive: true
      alert_on_change: true
  baseline:
    path: "/var/lib/ocsas/integrity-baseline.json"
    update_requires_approval: true
  response:
    on_violation:
      - action: "alert"
        channels: ["siem", "pagerduty"]
      - action: "block_startup"
      - action: "quarantine_session"
```
Artifact Signing (SC-03)
```yaml
# Artifact signing verification
signing:
  verification:
    enabled: true
    required: true  # MUST for L3
    methods:
      - type: "sigstore"
        rekor_url: "https://rekor.sigstore.dev"
        trusted_identities:
          - email: "release@ocsas.dev"
            issuer: "https://accounts.google.com"
      - type: "pgp"
        keyserver: "hkps://keys.openpgp.org"
        trusted_keys:
          - id: "ABCD1234"
            fingerprint: "1234567890ABCDEF..."
  artifacts:
    plugins:
      signature_required: true
    updates:
      signature_required: true
    dependencies:
      signature_required: false  # Use integrity hashes
```
Security Invariants (FV-01)
```yaml
# Security invariant definitions
invariants:
  filesystem:
    - id: "INV-FS-001"
      name: "Sandbox Boundary"
      expression: "resolved_path.is_relative_to(sandbox_root)"
      on_violation: "terminate"
    - id: "INV-FS-002"
      name: "No Symlink Escape"
      expression: "symlink_target.is_relative_to(sandbox_root)"
      on_violation: "terminate"
  permissions:
    - id: "INV-PERM-001"
      name: "No Root"
      expression: "os.geteuid() != 0"
      on_violation: "terminate"
    - id: "INV-PERM-002"
      name: "Capability Bound"
      expression: "current_caps.issubset(granted_caps)"
      on_violation: "terminate"
  session:
    - id: "INV-SESS-001"
      name: "Session Isolation"
      expression: "session.id == request.session_id"
      on_violation: "terminate"

  # Continuous verification
  monitoring:
    enabled: true
    interval_ms: 1000
    on_check_failure: "terminate"
```
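How the two filesystem invariants behave on concrete paths, as an added example that is not OSSASAI code. The function name `check_fs_invariants` and the temporary directory layout are assumptions made for illustration; only the invariant IDs and the `is_relative_to` expressions come from the configuration above.

```python
import os
import tempfile
from pathlib import Path


def check_fs_invariants(sandbox_root, requested):
    """Return the IDs of the filesystem invariants that `requested` violates.

    The caller applies on_violation ("terminate") when the list is non-empty.
    """
    sandbox_root = Path(sandbox_root).resolve()
    candidate = sandbox_root / requested  # an absolute `requested` replaces the root
    violations = []

    # INV-FS-001: the fully resolved path ('..' and symlinks followed) stays inside.
    resolved_path = candidate.resolve()
    if not resolved_path.is_relative_to(sandbox_root):
        violations.append("INV-FS-001")

    # INV-FS-002: no symlink along the requested path may point outside the sandbox.
    current = sandbox_root
    for part in Path(requested).parts:
        current = current / part
        if current.is_symlink():
            symlink_target = current.resolve()
            if not symlink_target.is_relative_to(sandbox_root):
                violations.append("INV-FS-002")
                break
    return violations


def demo():
    """Build a constructed sandbox in a temp dir and check five request paths."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        sandbox, outside = base / "sandbox", base / "outside"
        sandbox.mkdir()
        outside.mkdir()
        (sandbox / "notes.txt").write_text("inside")
        (outside / "secret.txt").write_text("outside")
        os.symlink(outside, sandbox / "link")                 # points outside
        os.symlink(sandbox / "notes.txt", sandbox / "inner")  # stays inside
        requests = ["notes.txt", "inner", "../outside/secret.txt",
                    "link/secret.txt", str(outside / "secret.txt")]
        return [check_fs_invariants(sandbox, r) for r in requests]


if __name__ == "__main__":
    print(demo())
```

The check is a point-in-time decision: the file must then be opened through the resolved path (or with no-follow semantics), otherwise a symlink swapped in between check and open defeats it.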
Policy Enforcement (FV-02)
```yaml
# Policy enforcement validation
policies:
  engine: "opa"  # Open Policy Agent
  path: "/etc/ocsas/policies"
  validation:
    enabled: true
    test_on_load: true
    coverage_minimum: 95
  enforcement:
    mode: "strict"
    log_decisions: true
    default_deny: true

  # Policy test suite
  tests:
    path: "/etc/ocsas/policy-tests"
    run_on_startup: true
    run_on_policy_change: true
    fail_on_test_failure: true

  # Bypass resistance
  bypass_tests:
    enabled: true
    patterns:
      - "path_traversal"
      - "null_byte"
      - "unicode_normalization"
```
Network Traffic Analysis (NS-04)
```yaml
# Network monitoring
monitoring:
  network:
    enabled: true

    # Destination tracking
    destinations:
      track_all: true
      allowlist:
        - "*.ocsas.dev"
        - "api.openai.com"
      alert_on_unknown: true
      block_unknown: false  # Alert only, then investigate

    # Volume monitoring
    volume:
      track_per_destination: true
      thresholds:
        single_request_mb: 10
        hourly_mb: 100
        daily_mb: 500

    # Pattern detection
    patterns:
      exfiltration:
        - type: "high_entropy"
          threshold: 0.9
        - type: "base64_large"
          threshold_kb: 50
      c2:
        - type: "beaconing"
          interval_variance: 0.1

    # Alerting
    alerts:
      siem:
        enabled: true
        format: "cef"
      webhook:
        enabled: true
        url: "${SECURITY_WEBHOOK}"
```
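One way the `high_entropy` and `beaconing` pattern rules can be evaluated, as an added example that is not OSSASAI code. It assumes `threshold: 0.9` means Shannon entropy normalized to bits per byte divided by 8, and that `interval_variance: 0.1` is an upper bound on the coefficient of variation of the gaps between connections; the page does not define either, and all sample inputs are constructed.

```python
import base64
import math
from collections import Counter
from statistics import mean, pstdev


def normalized_entropy(payload: bytes) -> float:
    """Shannon entropy in bits per byte, divided by 8 so the result is in [0, 1]."""
    if not payload:
        return 0.0
    n = len(payload)
    bits = -sum(c / n * math.log2(c / n) for c in Counter(payload).values())
    return bits / 8.0


def is_high_entropy(payload: bytes, threshold: float = 0.9) -> bool:
    return normalized_entropy(payload) >= threshold


def interval_cv(timestamps):
    """Coefficient of variation of inter-connection gaps; None with under 4 events."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def is_beaconing(timestamps, interval_variance: float = 0.1) -> bool:
    cv = interval_cv(timestamps)
    return cv is not None and cv <= interval_variance


# Constructed sample inputs (not captured traffic).
UNIFORM_BYTES = bytes(range(256)) * 4        # stands in for encrypted or compressed data
SAME_AS_BASE64 = base64.b64encode(UNIFORM_BYTES)
HTTP_TEXT = b"POST /v1/chat/completions HTTP/1.1\r\nHost: api.openai.com\r\n" * 20
BEACON_TIMES = [0, 61, 119, 180, 242, 300]   # seconds; about 60 s apart, small jitter
HUMAN_TIMES = [0, 5, 70, 75, 400, 1000]      # seconds; bursty and irregular

if __name__ == "__main__":
    for name, data in [("uniform", UNIFORM_BYTES), ("base64", SAME_AS_BASE64),
                       ("http", HTTP_TEXT)]:
        print(f"{name:8s} entropy={normalized_entropy(data):.2f} "
              f"flagged={is_high_entropy(data)}")
    print("beacon:", is_beaconing(BEACON_TIMES), "human:", is_beaconing(HUMAN_TIMES))
```

Under this normalization base64 text cannot exceed about 0.75, because its alphabet has at most 65 symbols, so the same data encoded as base64 is not flagged by `high_entropy`; size-based rules such as `base64_large` cover that case.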
Formal Proof of Isolation (FV-03)
```yaml
# Formal verification evidence
formal_verification:
  enabled: true
  properties:
    - id: "PROOF-001"
      name: "Session Memory Isolation"
      proof_method: "model_checking"
      tool: "TLA+"
      evidence: "/var/lib/ocsas/proofs/session_isolation.pdf"
      last_verified: "2026-01-15"
    - id: "PROOF-002"
      name: "Sandbox Boundary"
      proof_method: "smt_solving"
      tool: "Z3"
      evidence: "/var/lib/ocsas/proofs/sandbox_boundary.log"
      last_verified: "2026-01-15"

  # Verification on build
  ci_verification:
    enabled: true
    fail_on_proof_failure: true
```
L3 Infrastructure Requirements
Hardware Security
```yaml
# HSM integration (recommended)
hsm:
  enabled: true
  type: "pkcs11"  # or "cloud_kms"

  # For PKCS#11
  pkcs11:
    library: "/usr/lib/softhsm/libsofthsm2.so"
    slot: 0
    pin_env: "HSM_PIN"

  # Key management
  keys:
    signing:
      label: "ocsas-signing-key"
      type: "RSA-4096"
    encryption:
      label: "ocsas-encryption-key"
      type: "AES-256"
```
Audit Logging
```yaml
# L3 audit logging
logging:
  enabled: true
  level: "debug"  # More verbose for L3

  # Tamper-evident logging
  integrity:
    enabled: true
    method: "hash_chain"
    algorithm: "SHA-256"

  # Centralized logging
  siem:
    enabled: true
    type: "splunk"  # or "elastic", "sentinel"
    endpoint: "${SIEM_ENDPOINT}"
    tls: true

  # Retention
  retention:
    days: 365  # 1 year minimum for L3
    archive: true
    archive_location: "s3://logs-archive/"

  # Events to log
  events:
    - "authentication"
    - "authorization"
    - "file_access"
    - "command_execution"
    - "network_connection"
    - "configuration_change"
    - "policy_decision"
    - "invariant_check"
```
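What `method: "hash_chain"` with `algorithm: "SHA-256"` provides and where it stops, as an added example that is not OSSASAI code. The record layout (`event`, `prev`, `hash`), the all-zero genesis value and the function names are assumptions; the sample events are constructed and use event types from the list above.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the first record's `prev`


def _digest(prev_hash: str, event: dict) -> str:
    # Canonical JSON so the same event always hashes to the same value.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(chain: list, event: dict) -> dict:
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"event": event, "prev": prev, "hash": _digest(prev, event)}
    chain.append(record)
    return record


def verify(chain: list, expected_head: str = None):
    """Return the index of the first inconsistent record, or None if intact.

    `expected_head` is the last hash as stored outside the log (for example in
    the SIEM); without it, removing records from the tail goes unnoticed.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return None


def build_sample() -> list:
    """Constructed audit events, one per line of a hypothetical log."""
    chain = []
    append(chain, {"type": "authentication", "user": "alice", "result": "ok"})
    append(chain, {"type": "file_access", "path": "/sandbox/notes.txt"})
    append(chain, {"type": "policy_decision", "decision": "deny"})
    append(chain, {"type": "configuration_change", "file": "config.yaml"})
    return chain


if __name__ == "__main__":
    log = build_sample()
    edited = copy.deepcopy(log)
    edited[1]["event"]["path"] = "/sandbox/other.txt"
    print(verify(log), verify(edited), verify(log[:-1]), verify(log[:-1], log[-1]["hash"]))
```

An edited or deleted record breaks the chain at that index, but a truncated tail only shows up when the head hash is compared against a copy held outside the log.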
Container Hardening
```yaml
# Container security (if using containers)
container:
  # Read-only root filesystem
  read_only_root: true

  # No privileged mode
  privileged: false

  # Drop all capabilities
  capabilities:
    drop: ["ALL"]
    add: []  # Add only if absolutely needed

  # Security options
  security_opt:
    - "no-new-privileges:true"
    - "seccomp:seccomp-profile.json"
    - "apparmor:ocsas-profile"

  # Resource limits
  resources:
    limits:
      cpu: "1"
      memory: "1Gi"
    requests:
      cpu: "0.5"
      memory: "512Mi"

  # Network policy
  network_policy:
    ingress:
      - from:
          - podSelector:
              matchLabels:
                app: ocsas-gateway
    egress:
      - to:
          - podSelector:
              matchLabels:
                app: ocsas-api
```
Validation
```bash
# Full L3 compliance check
./ossasai-audit.sh --level L3 --verbose

# Formal verification
./ossasai-audit.sh --verify-proofs

# Policy validation
./ossasai-audit.sh --validate-policies

# Expected: All 23 L3 controls pass
```
Third-Party Assessment
L3 requires third-party assessment:
- Engage assessor qualified for your regulatory requirements
- Provide evidence package per evidence collection
- Support assessment with access and documentation
- Address findings before claiming compliance
- Obtain attestation from assessor
L3 Compliance Statement
```yaml
# OSSASAI L3 Compliance Statement
compliance:
  organization: "Example Corp"
  product: "AI Coding Assistant Enterprise"
  version: "3.0.0"
  ocsas_version: "1.0.0"
  assurance_level: "L3"
  assessment:
    date: "2026-01-15"
    assessor: "Security Auditors Inc."
    methodology: "OSSASAI v1.0 L3 Assessment"
    report_id: "OSSASAI-2026-001"
  controls:
    total: 23
    implemented: 23
    with_exceptions: 0
  formal_verification:
    proofs_provided: true
    proofs_verified: true
    tools_used: ["TLA+", "Z3", "mypy"]
  attestation:
    attester: "Chief Information Security Officer"
    assessor_signature: true
    date: "2026-01-15"
    validity_period_months: 12
```