SentinelMark is the core cryptographic trust primitive and forensic telemetry subsystem for the ProofTrace cybersecurity infrastructure platform. It introduces a highly resilient, research-grade implementation of Behavior-Entangled Watermarking (BEW).
By cryptographically fusing long-term static hardware secrets with live, continuous behavioral entropy snapshots, SentinelMark ensures that emitted telemetry cannot be forged, replayed, or fabricated post-compromise.
Valid watermark tokens require the strict mathematical intersection of both the secret key and the instantaneous runtime behavioral state of the host device.
The derivation equation is defined as:
Where:
- $K_{\text{static}}$: The long-term static device secret (zeroized securely from stack/heap post-derivation).
- $\text{BehaviorFingerprint}_i$: A deterministic serialization of the live rolling behavioral entropy snapshot (CPU scheduling jitter, thread allocations, virtual/physical memory boundaries).
- $H_{\text{prev}}$: The SHA-256 hash commitment linking the current event to its immediate predecessor, establishing an unforgeable, append-only chronological hash chain.
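The `H_prev` linkage can be exercised end to end in a few lines. The sketch below is an added example, not SentinelMark's code: it also applies the `sequence_number` binding and the exclusion of `current_hash` from its own pre-image that the feature list further down describes, and the genesis value, event layout and helper names are assumptions.

```python
import hashlib
import json

GENESIS_HASH = "00" * 32  # assumed genesis value for this example

def preimage(event: dict) -> bytes:
    """Canonical JSON of the event with current_hash projected out."""
    projected = {k: v for k, v in event.items() if k != "current_hash"}
    return json.dumps(projected, sort_keys=True, separators=(",", ":")).encode()

def finalize(event: dict) -> dict:
    """Return a copy of the event carrying the SHA-256 of its projected form."""
    return {**event, "current_hash": hashlib.sha256(preimage(event)).hexdigest()}

def build_chain(payloads: list) -> list:
    chain, prev = [], GENESIS_HASH
    for seq, payload in enumerate(payloads, start=1):
        event = finalize({"sequence_number": seq, "prev_hash": prev, "payload": payload})
        chain.append(event)
        prev = event["current_hash"]
    return chain

def verify_chain(chain: list):
    """Return None when intact, else (index, reason) for the first broken link."""
    prev = GENESIS_HASH
    for i, event in enumerate(chain):
        if event["sequence_number"] != i + 1:
            return i, "sequence gap"
        if event["prev_hash"] != prev:
            return i, "prev_hash mismatch"
        if finalize(event)["current_hash"] != event["current_hash"]:
            return i, "current_hash mismatch"
        prev = event["current_hash"]
    return None

# Constructed sample events, not taken from the project.
CHAIN = build_chain([
    {"action": "kernel_auth", "user_id": 1024},
    {"action": "file_open", "user_id": 1024},
    {"action": "logout", "user_id": 1024},
])

def rewrite(chain: list, index: int, payload: dict) -> list:
    """Model a stored-log edit where the editor also recomputes current_hash."""
    forged = finalize({**chain[index], "payload": payload})
    return chain[:index] + [forged] + chain[index + 1:]
```

An edit that recomputes its own hash still surfaces one event later as a `prev_hash` mismatch. A chain by itself is only tamper-evident relative to a later hash the verifier already trusts, which is why the design also binds each event to the watermark.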
The architecture is fully modularized and split across highly specialized sub-engines built entirely in safe Rust (with strictly audited constant-time FFI primitives).
```text
sentinelmark_core (Rust Core Engine)
+-- behavior      -- Runtime behavioral entropy capture (CPU, virtual/physical memory, OS Jitter)
+-- crypto        -- Core audited wrappers (HKDF-SHA256, SHA-256 via ring, constant-time comparisons via subtle)
+-- watermark     -- BEW Derivation engine enforcing StaticKey drop-zeroization
+-- chain         -- Append-only cryptographic hash chain manager & link verifier
+-- telemetry     -- Dual-serialization schema (serde JSON + zero-copy rkyv) & pre-image projection logic
+-- verifier      -- Remote validation logic incorporating sliding-window replay detection
+-- transport     -- Resilient async dispatch queue with immutable envelopes & exponential backoff

verify-py (Python Verification Authority)
+-- api           -- FastAPI ingestion endpoints (/ingest, /verify, /health)
+-- schemas       -- Pydantic validation mapping exact 256-bit payload constraints
+-- verification  -- Constant-time logic recomputing BEW watermarks via OpenSSL C-bindings
+-- trust         -- Deterministic scalar trust scoring evaluation engine
```
- Behavioral Entropy Sampler: Captures live metrics using `sysinfo` v0.30+ alongside high-resolution OS scheduler jitter measurement. Jitter acts as a stochastic anti-tampering constraint.
- Append-Only Hash Chaining: Prevents log reordering, deletion, or insertion attacks. Any structural manipulation permanently corrupts subsequent chain linkages.
- Deterministic Dual-Serialization: Canonical JSON (`serde_json`) for human-inspectable REST delivery; zero-copy deserialization archives (`rkyv`) for extreme throughput benchmarking.
- Pre-Image Projection Fix: Eliminates cryptographic circularity by projecting the event schema to exclude `current_hash` during its own pre-image calculation, guaranteeing exact verification determinism.
- Hardened Replay Protection Engine:
  - O(1) Nonce Cache: Eagerly flags exact payload collisions using 256-bit CSPRNG nonces.
  - Timestamp Drift Validation: Enforces tight arrival windows ($\pm 30\text{s}$) to reject delayed re-transmissions and future-skewed packets.
  - O(log N) Priority Queue Eviction: Maintains a self-pruning `BTreeSet` keyed by timestamp to automatically garbage collect stale nonces, eliminating arbitrary memory expansion (OOM resilience).
- Async Telemetry Transport Layer:
  - Immutable Envelopes: Pre-serializes canonical payloads at the exact moment of event finalization. Retries never invoke `serde` routines, protecting nonces and timestamps from shifting across TCP reattempts.
  - Resilient Worker Queue: Non-blocking `tokio::sync::mpsc` queue decoupling generation loops from network bottlenecks.
  - Deterministic Backoff: Applies base-multiplied exponential retry delays strictly on transient backend status codes (`5xx`, `429`).
- Phase 3 — Stateful Python Verification Authority (`verify-py`):
  - 4-Stage Forensic Pipeline: Structural → Cryptographic Integrity → Replay Validation → Behavioral Authenticity. Each stage fails fast and persists the rejection verdict before aborting.
  - SQLite Audit Ledger: Append-only `TelemetryLog` table — every ingest attempt (verified or rejected) is permanently recorded. No `UPDATE`/`DELETE` on forensic evidence.
  - Crash-Resilient Nonce Cache: `NonceCache` backed by SQLite WAL-mode replaces the ephemeral in-memory set, closing the process-restart replay window permanently.
  - Cross-Language Binary Parity: `struct.pack("<IQQIQQ")` in Python maps exactly to Rust's `.to_le_bytes()` field-by-field serialization for deterministic `BehaviorFingerprint_i` computation.
  - Constant-Time Watermark Verification: `hmac.compare_digest()` via OpenSSL C-bindings neutralizes timing oracle attacks against `K_static`.
  - Statistical Behavioral Authenticity Engine: Z-score analysis (`Z = |x - μ| / σ`) over a 50-event rolling window detects entropy collapse (σ ≈ 0) and distribution-shift anomalies in CPU, memory, and jitter metrics.
  - Adversarial Attack Simulation Framework: Scripted replay, forgery, and entropy-collapse simulations in `benchmarks/attacks/` generating CSV results for IEEE figure reproduction.
- Phase 3.1 — Protocol Hardening & Causal Ordering:
  - Monotonic Sequence Architecture: Fuses a strict `sequence_number` ($u64$) into the event derivation and pre-image hashing to ensure chain integrity survives distributed network jitter and out-of-order packet delivery.
  - Forensic Schema Normalization: Flattens raw payloads into explicitly indexed relational columns (`current_hash`, `prev_hash`, `cpu_usage`, `memory_usage`, `timing_jitter`), eliminating synchronous O(N) JSON deserialization overhead during hot-path verification.
  - Bit-Perfect Deterministic Scoring: Operates exclusively on scaled integer math (`trust_score_x1000`) within the evaluation layer, neutralizing cross-platform IEEE 754 floating-point non-determinism.
  - Volumetric Stress Benchmarks: Evaluates DB insertion locks and sliding-window pruning logic under extreme adversarial concurrency (10,000+ flood events/sec).
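The Z-score test and the integer-only scoring described in the list above can be combined so that no floating-point value is ever computed. This is an added example, not the project's code: evaluating the Z test in integers is a choice made here, and the threshold, variance floor, penalty values and sample data are assumptions.

```python
from collections import deque

WINDOW = 50      # rolling window size stated on the page
Z_LIMIT = 3      # assumed threshold: flag when Z > 3
MIN_VAR = 1      # assumed floor: variance below this counts as sigma ~ 0
METRICS = ("cpu_usage", "memory_usage", "timing_jitter")  # column names from the page
PENALTY_X1000 = {"warming_up": 0, "ok": 0,                # assumed penalties
                 "distribution_shift": 400, "entropy_collapse": 1000}

class MetricBaseline:
    """Rolling baseline for one metric supplied as an integer (e.g. jitter in ns)."""

    def __init__(self):
        self.window = deque(maxlen=WINDOW)

    def assess(self, x: int) -> str:
        verdict = "warming_up"
        if len(self.window) == WINDOW:
            n, s = WINDOW, sum(self.window)
            q = sum(v * v for v in self.window)
            var_n2 = n * q - s * s                      # exactly n^2 * sigma^2
            if var_n2 < MIN_VAR * n * n:
                verdict = "entropy_collapse"            # window carries no live entropy
            elif (n * x - s) ** 2 > Z_LIMIT ** 2 * var_n2:
                verdict = "distribution_shift"          # same test as Z > Z_LIMIT
            else:
                verdict = "ok"
        self.window.append(x)
        return verdict

class AuthenticityEngine:
    def __init__(self):
        self.baselines = {m: MetricBaseline() for m in METRICS}

    def trust_score_x1000(self, event: dict) -> int:
        """1000 minus the worst per-metric penalty; integer arithmetic only."""
        verdicts = [self.baselines[m].assess(event[m]) for m in METRICS]
        return 1000 - max(PENALTY_X1000[v] for v in verdicts)

def live_event(i: int) -> dict:
    """Constructed host sample whose three metrics vary from event to event."""
    return {"cpu_usage": 200 + (i * 37) % 101,
            "memory_usage": 4_000_000 + 1000 * ((i * 41) % 97),
            "timing_jitter": 1000 + (i * 37) % 101}
```

Because `(n*x - s)^2 > Z_LIMIT^2 * (n*q - s^2)` is algebraically the same inequality as `|x - μ| / σ > Z_LIMIT`, every platform reaches the same verdict bit for bit.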
- Constant-Time Verification: All security-critical array and digest comparisons pass directly through `subtle::ConstantTimeEq` to completely neutralize timing side-channel attacks.
- Key Material Zeroization: Static secret arrays implement `zeroize::ZeroizeOnDrop` ensuring sensitive key material is wiped directly from register arrays and stack pointers immediately upon scope exit.
- Immutability Boundaries: Payloads are locked into immutable arrays prior to dispatch. Network transport cannot modify context states.
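On the verifier side, constant-time verification means recomputing the watermark from the reported behavior snapshot and comparing it with `hmac.compare_digest()`. The sketch below is an added example, not SentinelMark's code: the way the key, behavior digest, previous hash and nonce are fed into HKDF-SHA256 is an assumption (the page's derivation equation is not reproduced here), and the six snapshot integers are constructed values whose field names are not given on the page.

```python
import hashlib
import hmac
import struct

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 as specified in RFC 5869: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def pack_snapshot(snapshot: tuple) -> bytes:
    """'<' selects little-endian standard sizes with no padding: 40 bytes."""
    return struct.pack("<IQQIQQ", *snapshot)

def fingerprint(snapshot: tuple) -> bytes:
    return hashlib.sha256(pack_snapshot(snapshot)).digest()

def derive_watermark(k_static: bytes, behavior_digest: bytes,
                     prev_hash: bytes, nonce: bytes) -> bytes:
    # Assumed layout: key as input keying material, previous hash as salt,
    # behavior digest plus nonce (both fixed at 32 bytes) as the info string.
    return hkdf_sha256(k_static, prev_hash, behavior_digest + nonce)

def verify_watermark(k_static: bytes, snapshot: tuple, prev_hash: bytes,
                     nonce: bytes, claimed: bytes) -> bool:
    expected = derive_watermark(k_static, fingerprint(snapshot), prev_hash, nonce)
    return hmac.compare_digest(expected, claimed)   # no early exit on mismatch

# Constructed inputs; the key bytes mirror the [0xAA; 32] used in the usage snippet.
K_STATIC = bytes([0xAA]) * 32
SNAPSHOT = (12, 8_589_934_592, 3_221_225_472, 4, 1_700_000_000, 48_211)
PREV_HASH = bytes(32)
NONCE = bytes(range(32))
WATERMARK = derive_watermark(K_STATIC, fingerprint(SNAPSHOT), PREV_HASH, NONCE)
```

A token derived for one snapshot fails verification as soon as a single snapshot field, the key, the previous hash or the nonce differs, which is the property the design relies on to reject fabricated telemetry.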
- Rust Toolchain `1.75` or higher — for `core-rs`.
- Python `3.10+` and `pip`/`poetry` — for `verify-py`.
- Platform compilation tools (Windows MSVC, Linux GNU, or macOS LLVM).
```bash
cd core-rs
cargo test --workspace   # Run all 36 unit + integration tests
cargo bench              # Run Criterion benchmarks
```

```bash
cd verify-py
pip install fastapi uvicorn pydantic cryptography sqlalchemy numpy scipy
pip install pytest pytest-asyncio httpx   # Dev dependencies
# Run test suite (17 tests covering all 7 attack vectors)
python -m pytest tests/ -v
# Start the verification server
uvicorn app.main:app --host 0.0.0.0 --port 8000 --reload
```

```bash
cd verify-py
python benchmarks/attacks/sim_replay.py            # ATK-01: Replay attack
python benchmarks/attacks/sim_entropy_collapse.py  # ATK-02: Forgery attack
python benchmarks/attacks/sim_latency.py           # Crypto latency baseline
# Results written to benchmarks/results/
```

```rust
use sentinelmark_core::{
    behavior::BehaviorSnapshot,
    chain::{ChainManager, GENESIS_HASH},
    telemetry::TelemetryEvent,
    watermark::{StaticKey, WatermarkEngine},
};

fn main() {
    // 1. Initialize Long-Term Secrets
    let secret_key = StaticKey::from_bytes([0xAA; 32]);
    let mut engine = WatermarkEngine::new(secret_key);
    let mut chain = ChainManager::new();

    // 2. Generate and Watermark Telemetry Payload
    let payload = serde_json::json!({"action": "kernel_auth", "user_id": 1024});
    // Bind device ID, monotonic sequence number, previous hash linkage, and payload
    let mut event = TelemetryEvent::new("device-host-001", 1, GENESIS_HASH, payload).unwrap();
    // Derive BEW Watermark binding current behavior digest, previous hash, and unique nonce
    let snapshot = BehaviorSnapshot::capture().unwrap();
    let behavior_digest = snapshot.to_digest();
    let watermark = engine.derive(&behavior_digest, &event.prev_hash, &event.nonce).unwrap();
    event.set_watermark(watermark.into_bytes());

    // 3. Finalize Hash Linkage
    event.finalize().unwrap();
    chain.append(&event).unwrap();
    // Payload is ready for immutable transport dispatch!
}
```

Want to see SentinelMark in action? Follow these exact steps in your terminal to reproduce the security guarantees, attack prevention, and performance metrics.
```bash
cd core-rs
cargo check
```

What this proves: Zero memory safety issues or undefined behavior. The Rust compiler enforces our security guarantees at compile time.

```bash
cd core-rs
cargo test --workspace
```

What this proves: All core cryptographic unit tests pass (hash chain integrity, watermark derivation, replay detection).

```bash
cd ../verify-py
python -m pytest tests/ -v
```

What this proves: The system correctly handles every major attack scenario:

- Forged Watermarks: Rejected in constant-time (neutralizing timing oracles).
- Replay Attacks: Penalized trust scores and rejected duplicate nonces.
- Timestamp Skew: Rejects events outside the 60-second valid window.
- Entropy Collapse: Flags synthetic/repetitive behavior as compromised.

```bash
cd verify-py
python benchmarks/attacks/sim_volumetric_replay.py
```

What this proves: Simulates an adversary flooding the server with 10,000 events (50% replays).

- Performance: Reaches ~1,794 events/sec verified throughput on SQLite WAL.
- Accuracy: Exactly 5,000 replays correctly identified and rejected with zero false positives.
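The replay checks this flood exercises (nonce cache, ±30 s drift window, timestamp-ordered eviction) fit in a small in-memory model. This is an added example, not the project's `sim_volumetric_replay.py` or its verifier: a `heapq` min-heap stands in for the Rust `BTreeSet`, a plain set stands in for the SQLite-backed `NonceCache`, and the flood data is constructed.

```python
import heapq
import secrets

DRIFT_S = 30  # the page's +/-30 s arrival window

class ReplayGuard:
    def __init__(self):
        self.seen = set()     # O(1) nonce lookups
        self.by_time = []     # min-heap of (timestamp, nonce), oldest first

    def check(self, nonce: bytes, ts: int, now: int) -> str:
        # Prune first: drop nonces whose timestamp has left the window.
        # Anything evicted here can no longer pass the drift check below,
        # so forgetting it does not reopen a replay window.
        while self.by_time and self.by_time[0][0] < now - DRIFT_S:
            self.seen.discard(heapq.heappop(self.by_time)[1])
        if abs(now - ts) > DRIFT_S:
            return "rejected_drift"      # delayed or future-skewed
        if nonce in self.seen:
            return "rejected_replay"
        self.seen.add(nonce)
        heapq.heappush(self.by_time, (ts, nonce))
        return "accepted"

def flood(total: int = 10_000) -> dict:
    """Constructed flood: each fresh event is immediately followed by its replay."""
    guard = ReplayGuard()
    counts = {"accepted": 0, "rejected_replay": 0, "rejected_drift": 0}
    for i in range(total // 2):
        now = 1_700_000_000 + i // 2          # two fresh events per second
        nonce = secrets.token_bytes(32)       # 256-bit CSPRNG nonce
        for _ in range(2):
            counts[guard.check(nonce, now, now)] += 1
    counts["cached"] = len(guard.seen)        # stays bounded by the window
    return counts
```

The eviction horizon and the drift window use the same constant on purpose: if nonces were pruned earlier than the drift check expires them, a replay could arrive in the gap and be accepted.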
Bibek Das
- B.Tech Scholar, Electronics and Communication Engineering (ECE)
- Guru Nanak Institute of Technology
- Email: bibekdas1055@gmail.com
- GitHub: @Be-bibek
This project is open-sourced under the Apache License 2.0. See the LICENSE file for complete details and patent grant conditions.