DocsSecurity

Security Model

Security architecture, authentication mechanisms, and best practices for the CyxWiz platform.

Security Overview

CyxWiz implements multiple layers of security to protect:

User Data

Models, datasets, credentials

Compute Resources

Node hardware from malicious code

Financial Assets

Token balances and transactions

Network Integrity

Communication between components

JWT Authentication

All gRPC communications use JWT (JSON Web Tokens) for authentication.

Token Structure

{
  "header": {
    "alg": "HS256",
    "typ": "JWT"
  },
  "payload": {
    "sub": "node_id or user_id",
    "iss": "cyxwiz-central-server",
    "iat": 1702000000,
    "exp": 1702086400,
    "scope": ["job:execute", "metrics:report"],
    "node_id": "uuid-...",
    "session_id": "uuid-..."
  },
  "signature": "..."
}

Token Types

Token Type	Lifetime	Purpose
Session Token	24 hours	Node registration session
Job Token	Job duration	Authorization for specific job
P2P Token	1 hour	Direct Engine-Node communication
Refresh Token	7 days	Obtaining new session tokens

Role-Based Access Control

Role	Permissions
User	Submit jobs, view own jobs, manage wallet
Node	Accept jobs, report progress, claim payments
Admin	Manage nodes, view all jobs, configure system

Encryption

Data at Rest

Database	AES-256 (PostgreSQL TDE)
Model Files	AES-256-GCM
Wallet Keys	Argon2 + AES-256
Logs	Not encrypted (no sensitive data)

Data in Transit

gRPC	TLS 1.3
REST API	HTTPS
IPFS	TLS + Content Hash Verification
Solana RPC	HTTPS

Docker-Based Sandboxing

Server Nodes execute untrusted training code in Docker containers:

# Sandboxed training container
FROM python:3.10-slim

# Non-root user
RUN useradd -m -s /bin/bash trainer
USER trainer

# Limited resources (set via docker run)
# --memory, --cpus

# No network access during training
# --network none

# Read-only filesystem (except /tmp and /output)

ENTRYPOINT ["python", "/job/train.py"]

Container Restrictions

Resource	Limit
Memory	Job-specific (e.g., 16GB)
CPU	Job-specific (e.g., 4 cores)
Disk	50GB per job
Network	Disabled during training
Capabilities	All dropped
Syscalls	Seccomp whitelist

Blockchain Security

Escrow System Flow

1. Job Submission
   User ---> CreateEscrow(amount) ---> Solana
                                          |
                                    Escrow Account
                                    (Locked funds)

2. Job Completion
   Node completes job
   Central Server verifies
   Central Server ---> ReleaseEscrow ---> Solana
                                             |
                                       Node Wallet
                                       (Payment received)

3. Dispute Resolution
   If disputed:
   - Funds remain in escrow
   - Arbitration process
   - Manual resolution

Threat Model

Threat	Mitigation
Malicious Node	Sandboxed execution, verification
Man-in-the-Middle	TLS encryption, certificate pinning
Token Theft	Short expiration, refresh rotation
Replay Attack	Nonce in requests, timestamp validation
DoS Attack	Rate limiting, connection limits
Data Exfiltration	Network isolation, output limits
Payment Fraud	Escrow, multi-sig, verification

Security Boundaries

+----------------------------------------------------------+
|                     Trusted Zone                          |
|                                                           |
|  +------------------+        +------------------+         |
|  | Central Server   |<------>|    Database      |         |
|  +------------------+        +------------------+         |
|           ^                                               |
+-----------|-------------------------------------------------+
            | TLS + JWT
+-----------v-------------------------------------------------+
|                    Semi-Trusted Zone                        |
|                                                             |
|  +------------------+        +------------------+           |
|  |  Server Node     |        |  Engine Client   |           |
|  |  (Authenticated) |        |  (Authenticated) |           |
|  +------------------+        +------------------+           |
|           |                                                 |
+-----------|-------------------------------------------------+
            | Docker Sandbox
+-----------v-------------------------------------------------+
|                    Untrusted Zone                           |
|                                                             |
|  +------------------+                                       |
|  | Training Code    |  <- No network, limited resources    |
|  | (User-provided)  |                                       |
|  +------------------+                                       |
+------------------------------------------------------------+

Audit Logging

All security-relevant events are logged:

Event	Details Captured
Login attempt	User ID, IP, success/failure, method
Token generation	Token type, subject, expiration
Job submission	User ID, job config, payment
Node registration	Node ID, hardware info, location
Payment transaction	Amount, from, to, tx hash
Configuration change	Changed fields, old/new values

Best Practices

For Operators

Rotate JWT signing keys every 30 days
Enable TLS for all connections
Monitor security logs daily
Update dependencies weekly
Backup encryption keys securely
Use strong passwords (16+ chars)
Enable 2FA where supported

For Node Operators

Keep Docker updated (latest stable)
Use dedicated hardware for nodes
Monitor resource usage for anomalies
Secure wallet private keys offline
Enable firewall (only required ports)

For Users

Protect API keys - don't commit to Git
Verify model hashes after download
Review node reputation before submitting
Use escrow for large payments
Keep wallet backups secure