Cryptographic Scope Isolation for Endpoint and Supply Chain Security
TLDR
Over the past decade, enterprise security investment shifted heavily toward cloud infrastructure, identity management, and SaaS protection, while workstation-level data protection received comparatively less attention. Primary protection was delegated to operating system vendors, while emerging cybersecurity solutions prioritized cloud and browser-based operations. However, at the dawn of the AI era, workstation-to-internet interactions have scaled drastically. As API requests, software installs, web crawling, and third-party software reliance have become commonplace, software supply chain attacks and credential-based compromises have accelerated significantly in recent years, driven by increased dependency complexity, continuous integration and continuous delivery automation, and AI-assisted workflows.
Traditional endpoint security models are increasingly ineffective against modern software supply chain and credential theft attacks. Most enterprise workstations routinely process sensitive credentials, tokens, and proprietary data outside tightly controlled environments.
This paper proposes a new paradigm: Cryptographic Scope Isolation (CSI). CSI is a security model that cryptographically binds sensitive data access to authorized hardware identities and constrained execution contexts. Rather than relying exclusively on preventing compromise, CSI assumes endpoint compromise is possible and focuses on reducing the operational value of stolen data.
1. Introduction
Modern enterprise security often prioritizes the cloud, identity, and Software as a Service controls while underestimating risks originating from developer endpoints and local execution environments. Over the last decade, high-value data - API keys, access tokens, database credentials, and proprietary code - increasingly resides within local development environments to enable rapid building, continuous integration and continuous delivery pipelines, and local AI agent processing.
Unmanaged data and excessive third-party application permissions have created a pervasive attack surface. Exposed credentials now create critical supply chain compromises. As AI-assisted tooling gains direct access to local filesystems, terminals, and development environments, malicious activity increasingly resembles legitimate software behavior. Perimeter-oriented controls are insufficient; sensitive data must instead become cryptographically bound to trusted silicon and constrained execution contexts.
2. Failure of Preventive Defense
Current endpoint security relies almost entirely on "Preventive Defense" - Endpoint Detection and Response or Extended Detection and Response platforms. These systems primarily rely on behavioral heuristics, telemetry correlation, and signature-based analysis to determine whether system activity is malicious.
This approach becomes significantly less reliable in modern development environments. When an engineer types npm install, or an AI assistant reads an .env file to format a query, the behavior looks entirely normal to the operating system. If a compromised package is buried in that npm install, the endpoint detection platform allows the read, and the keys are exfiltrated.
This failure is evident in recent massive compromises. In the Vercel 2026, Mercor 2026, and Bybit 2025 incidents, attackers did not need to exploit advanced cloud security; they utilized exposed, unmanaged endpoint credentials and session tokens to bypass perimeters entirely. Preventive defense failed because once the attacker was "inside", the data was plaintext.
3. Exploring the Options
To solve the workstation exfiltration problem, the industry has historically attempted three alternative approaches, all of which address only part of the problem:
- Centralized Secrets Management: While highly effective for production infrastructure, centralized secrets managers fail on local workstations. In practice, development workflows frequently require temporary local access to sensitive credentials or tokens, creating a parallel attack surface outside centralized enforcement.
- Legacy Data Loss Prevention: Data Loss Prevention tools scan outbound traffic for known patterns such as API keys or credential formats. These controls can often be bypassed through encryption, protocol tunneling, or use of approved communication channels.
- Hardware-Backed Digital Rights Management: Traditional file-locking systems historically required tightly controlled application ecosystems to access protected content. This limits compatibility with modern developer tooling such as git, diff, package managers, and custom runtimes.
4. The Solution: CSI
Instead of preventive defense, we propose CSI. The goal is not to prevent an attacker from stealing information, but to ensure that if information is stolen, it remains cryptographically inaccessible outside explicitly authorized environments.
This is achieved by cryptographically locking file access directly to authorized hardware and verifying the specific process requesting access. This renders stolen data and tokens mathematically unusable anywhere else. Only authorized devices with validated hardware identity can decrypt protected content.
By tying decryption to a hardware root of trust such as a Trusted Platform Module or Secure Enclave and validating the active user's process lineage, the system creates distributed cryptographic identity and trust management for information flowing within an organization. Data is end-to-end encrypted and decrypts only in transient memory for authorized users and explicitly permitted execution contexts.
Threat Model
CSI is designed to mitigate threats originating from compromised software execution paths, endpoint credential theft, and unauthorized remote access to sensitive information.
The architecture assumes that attackers may:
- Execute malicious code through compromised dependencies or software supply chain attacks.
- Obtain access to endpoint-resident credentials, session tokens, or API keys.
- Exfiltrate encrypted files from local disks, cloud storage, or collaboration platforms.
- Operate through otherwise legitimate user workflows or trusted software execution chains.
- Abuse AI-assisted tooling with filesystem or terminal access.
The architecture does not assume:
- That operating systems remain uncompromised indefinitely.
- That endpoint prevention systems can reliably distinguish malicious behavior from legitimate automation.
- That perimeter or identity controls alone can prevent credential replay.
CSI is not intended to fully mitigate:
- Malicious actions performed by already-authorized users.
- Physical attacks against actively unlocked devices.
- Runtime memory extraction on fully compromised kernels or hypervisors.
- Availability attacks such as ransomware or destructive deletion.
- Denial-of-service conditions affecting peer synchronization or key distribution.
Instead, the architecture focuses on reducing the operational value of stolen data by cryptographically constraining where and how decryption can occur.
Threats Mitigated
This architecture significantly reduces the impact of:
- Stolen credential replay attacks.
- Session pivot attacks and OAuth token theft.
- Server and storage breaches where exfiltrated data remains encrypted.
- Insider key extraction attempts where hardware-backed keys cannot be exported.
- AI agent prompt injection escalating into unauthorized data access.
- Unauthorized use of compromised software dependencies executing outside approved process lineage.
5. Operational Steps & Technical Architecture
To achieve CSI without disrupting workflows, the system implements the following steps:
Step 1: Zero-Trust Data at Rest
Files are encrypted on disk with AES-256-GCM as soon as they are written, so sensitive plaintext is minimized on persistent storage and never sits unencrypted at rest.
Step 2: Hardware-Bound Identity
Keys are never stored in software. A Master Data Key is wrapped and can only be unwrapped by the physical Trusted Platform Module or Secure Enclave of an explicitly enrolled device. If the Bybit 2025 supply chain attackers had stolen files protected by this mechanism, their remote servers would still lack the authorized hardware required to unwrap the protected key material.
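As an added illustration of Steps 1 and 2 (example code written for this edit, not the paper's or any product's implementation), the Go program below models the envelope: a Master Data Key is wrapped by a stand-in hardware root and only ever unwrapped transiently to seal or open a file with AES-256-GCM. Everything in it is assumed for the example: the HardwareRoot, Device, Enroll, Encrypt and Decrypt names; binding the device ID and the file path as GCM associated data; and the in-process stand-in for the TPM or Secure Enclave, whose key is simply never exposed rather than being held in silicon.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// HardwareRoot is a constructed stand-in for a TPM or Secure Enclave: it holds a
// non-exportable wrapping key and exposes only Wrap/Unwrap; the key never leaves it.
type HardwareRoot struct {
	DeviceID string
	key      []byte
}

func NewHardwareRoot(deviceID string) *HardwareRoot {
	return &HardwareRoot{DeviceID: deviceID, key: randomBytes(32)}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with AES-256-GCM and prepends the random 96-bit nonce; gcmOpen
// reverses it and rejects any change to ciphertext, nonce or associated data.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Wrap/Unwrap bind the Master Data Key to this root; the device ID is associated
// data, so the wrapped blob is only meaningful to the silicon that produced it.
func (h *HardwareRoot) Wrap(mdk []byte) ([]byte, error)    { return gcmSeal(h.key, mdk, []byte("mdk:"+h.DeviceID)) }
func (h *HardwareRoot) Unwrap(blob []byte) ([]byte, error) { return gcmOpen(h.key, blob, []byte("mdk:"+h.DeviceID)) }

// Device is an enrolled endpoint; only the wrapped MDK is ever written to disk.
type Device struct {
	Root       *HardwareRoot
	WrappedMDK []byte
}

func Enroll(deviceID string) (*Device, error) {
	root := NewHardwareRoot(deviceID)
	wrapped, err := root.Wrap(randomBytes(32)) // the plaintext MDK is discarded here
	return &Device{Root: root, WrappedMDK: wrapped}, err
}

// withMDK unwraps the MDK for one operation only, so key material and file content
// exist solely in transient memory; Encrypt/Decrypt also bind the file path as
// associated data so a ciphertext cannot be relabelled as a different file.
func (d *Device) withMDK(op func(mdk []byte) ([]byte, error)) ([]byte, error) {
	mdk, err := d.Root.Unwrap(d.WrappedMDK)
	if err != nil {
		return nil, fmt.Errorf("hardware unwrap refused: %w", err)
	}
	return op(mdk)
}

func (d *Device) Encrypt(path string, pt []byte) ([]byte, error) {
	return d.withMDK(func(mdk []byte) ([]byte, error) { return gcmSeal(mdk, pt, []byte(path)) })
}
func (d *Device) Decrypt(path string, ct []byte) ([]byte, error) {
	return d.withMDK(func(mdk []byte) ([]byte, error) { return gcmOpen(mdk, ct, []byte(path)) })
}

func main() {
	dev, _ := Enroll("laptop-0001")
	ct, _ := dev.Encrypt(".env", []byte("API_KEY=example-value"))
	pt, err := dev.Decrypt(".env", ct)
	fmt.Println("enrolled device:", string(pt), err)
	// Same wrapped MDK and ciphertext, different silicon: the unwrap is refused.
	stolen := &Device{Root: NewHardwareRoot("unenrolled-host"), WrappedMDK: dev.WrappedMDK}
	_, err = stolen.Decrypt(".env", ct)
	fmt.Println("unenrolled host:", err)
}
```

The last lines of main copy the exact on-disk bytes (wrapped MDK plus ciphertext) to a second root and show the unwrap being refused, which is the property Step 2 relies on. One caveat a deployment must handle that the stand-in does not: with a single long-lived MDK and random 96-bit nonces, NIST SP 800-38D limits a key to 2^32 GCM invocations, so a real implementation needs per-file data keys under the MDK or another nonce-management scheme.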
Step 3: Process Lineage Verification
When an application requests to read a file, a kernel-level hook such as eBPF or WinFsp traces the process tree. Decryption is granted only if the process originates from a hardware-authenticated human session. This explicitly blocks background agents and malicious dependencies. For example, the open-source supply chain attacks seen in the Vercel 2026 and Mercor 2026 incidents involving the compromised LiteLLM project would have faced significantly reduced ability to access usable plaintext data.
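The following Go program is an added example of the lineage check in Step 3, not the paper's own code. It works over a constructed in-memory process table instead of an eBPF or WinFsp hook and applies an assumed two-part policy: the requesting executable must be permitted for the data scope, and its parent chain must stay inside one session and reach the leader of a hardware-authenticated session. The Process, Policy, Authorize and Decision names, the sample PIDs, executables and sessions, and the 64-level depth bound are all assumptions of the example.

```go
package main

import "fmt"

// Process is the slice of process-table state the lineage check consumes. In
// deployment a kernel hook would supply it; the table below is constructed.
type Process struct {
	PID, PPID int
	Exe       string
	Session   string // login-session id; empty for headless daemon processes
	Leader    bool   // true for the process that opened the session
}

// Policy is assumed for this example: which sessions passed hardware-backed
// user authentication, and which executables may decrypt each data scope.
type Policy struct {
	AuthenticatedSessions map[string]bool
	PermittedExe          map[string]map[string]bool // scope -> exe -> allowed
}

type Decision struct {
	Allowed bool
	Reason  string
	Lineage []int // PIDs walked, requester first
}

func deny(reason string, lineage []int) Decision {
	return Decision{Reason: reason, Lineage: lineage}
}

// Authorize decides whether pid may decrypt data in scope. It requires (1) the
// requesting executable to be a permitted context for that scope and (2) an
// unbroken parent chain, inside one session, up to the leader of a
// hardware-authenticated session. Daemons and anything they spawn never reach
// such a leader and are refused, whatever binary they run.
func Authorize(table map[int]Process, pol Policy, scope string, pid int) Decision {
	req, ok := table[pid]
	if !ok {
		return deny(fmt.Sprintf("pid %d not in process table", pid), nil)
	}
	if !pol.PermittedExe[scope][req.Exe] {
		return deny(req.Exe+" is not a permitted execution context for "+scope, []int{pid})
	}
	var lineage []int
	for cur, depth := req, 0; depth < 64; depth++ { // depth bound guards against a corrupt, cyclic table
		lineage = append(lineage, cur.PID)
		if cur.Session != req.Session {
			return deny(fmt.Sprintf("pid %d belongs to another session", cur.PID), lineage)
		}
		if cur.Leader {
			if pol.AuthenticatedSessions[cur.Session] {
				return Decision{Allowed: true, Reason: "hardware-authenticated session " + cur.Session, Lineage: lineage}
			}
			return deny("session "+cur.Session+" is not hardware-authenticated", lineage)
		}
		parent, ok := table[cur.PPID]
		if !ok || cur.PPID == cur.PID {
			return deny("reached process root without an authenticated session leader", lineage)
		}
		cur = parent
	}
	return deny("lineage deeper than 64 levels", lineage)
}

// SampleTable is a constructed process tree covering the cases discussed above.
func SampleTable() map[int]Process {
	procs := []Process{
		{PID: 1, PPID: 0, Exe: "init"},
		{PID: 100, PPID: 1, Exe: "login-session", Session: "S1", Leader: true},
		{PID: 200, PPID: 100, Exe: "terminal", Session: "S1"},
		{PID: 300, PPID: 100, Exe: "code-editor", Session: "S1"},
		{PID: 400, PPID: 200, Exe: "node", Session: "S1"}, // script run by npm install
		{PID: 500, PPID: 1, Exe: "ai-agent-daemon"},        // started at boot, no session
		{PID: 501, PPID: 500, Exe: "python"},
		{PID: 600, PPID: 500, Exe: "code-editor"}, // permitted binary, but launched by the daemon
		{PID: 700, PPID: 1, Exe: "sshd-session", Session: "S2", Leader: true},
		{PID: 701, PPID: 700, Exe: "code-editor", Session: "S2"},
	}
	t := map[int]Process{}
	for _, p := range procs {
		t[p.PID] = p
	}
	return t
}

func SamplePolicy() Policy {
	return Policy{
		AuthenticatedSessions: map[string]bool{"S1": true}, // S2 authenticated with a password only
		PermittedExe:          map[string]map[string]bool{"secrets": {"code-editor": true}},
	}
}

func main() {
	for _, pid := range []int{300, 400, 501, 600, 701} {
		d := Authorize(SampleTable(), SamplePolicy(), "secrets", pid)
		fmt.Printf("pid %d allowed=%v lineage=%v: %s\n", pid, d.Allowed, d.Lineage, d.Reason)
	}
}
```

Only the editor in session S1 (pid 300) is granted. The npm-spawned node process is refused on the execution-context check, the daemon's children (including a copy of the permitted editor binary) never reach an authenticated session leader, and the SSH session is refused because it was not hardware-authenticated. The Session and Leader fields are the pieces a real hook has to populate from the kernel's session tracking; everything else in the decision is plain table walking.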
Step 4: Decentralized Peer Mesh
Trust is maintained via a Sigchain - an append-only cryptographic ledger synchronized across peers. There is no centralized key server storing organizational plaintext secrets. Enrollments, revocations, and key rotations are handled directly between authorized endpoints.
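As an added example of the Sigchain in Step 4 (example code, not the paper's implementation), the Go program below keeps enrollments, revocations and key rotations as Ed25519-signed links, each carrying the SHA-256 hash of its predecessor, and shows how a peer replays the chain from genesis to reconstruct the active device set and the current data-key epoch. The link layout, the JSON encoding, the hash and signature choices, the rule that the genesis link must be self-signed, and the Link, Chain, Verify and State names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// LinkType: enroll adds Subject, revoke removes it, rotate advances the data-key epoch.
type LinkType string

const LinkEnroll, LinkRevoke, LinkRotate LinkType = "enroll", "revoke", "rotate"

// Link is one ledger entry; Prev holds the predecessor's hash, so no link can be
// edited or dropped without invalidating every later one.
type Link struct {
	Prev    []byte   `json:"prev"`
	Type    LinkType `json:"type"`
	Subject []byte   `json:"subject"` // device key the link acts on
	Signer  []byte   `json:"signer"`  // device key that authorized it
	Epoch   int      `json:"epoch"`   // data-key epoch in force after this link
	Sig     []byte   `json:"sig"`
}

// body is the signed portion (all but Sig); Hash covers the whole link. JSON and
// SHA-256 are choices made for this example, not something the paper specifies.
func (l Link) body() []byte { l.Sig = nil; b, _ := json.Marshal(l); return b }
func (l Link) Hash() []byte { b, _ := json.Marshal(l); h := sha256.Sum256(b); return h[:] }

type Chain struct{ Links []Link }

// Append signs a new link with device key priv and chains it to the current tail.
func (c *Chain) Append(priv ed25519.PrivateKey, t LinkType, subject ed25519.PublicKey, epoch int) {
	l := Link{Type: t, Subject: subject, Epoch: epoch, Signer: priv.Public().(ed25519.PublicKey)}
	if n := len(c.Links); n > 0 {
		l.Prev = c.Links[n-1].Hash()
	}
	l.Sig = ed25519.Sign(priv, l.body())
	c.Links = append(c.Links, l)
}

// State is what each peer reconstructs by replaying the chain from genesis.
type State struct {
	Active map[string]bool // active device public keys, raw bytes as map key
	Epoch  int
}

// Verify replays the chain: hash linkage, signature validity, and that every link
// after genesis was signed by a device that was active at that point.
func Verify(c *Chain) (*State, error) {
	st := &State{Active: map[string]bool{}}
	var prev []byte
	for i, l := range c.Links {
		if !bytes.Equal(l.Prev, prev) {
			return nil, fmt.Errorf("link %d: prev-hash mismatch", i)
		}
		if len(l.Signer) != ed25519.PublicKeySize || !ed25519.Verify(l.Signer, l.body(), l.Sig) {
			return nil, fmt.Errorf("link %d: bad signature", i)
		}
		if i == 0 && (l.Type != LinkEnroll || !bytes.Equal(l.Signer, l.Subject)) {
			return nil, fmt.Errorf("genesis must be a self-signed enrollment")
		}
		if i > 0 && !st.Active[string(l.Signer)] {
			return nil, fmt.Errorf("link %d: signer is not an active device", i)
		}
		switch l.Type {
		case LinkEnroll:
			st.Active[string(l.Subject)] = true
		case LinkRevoke:
			delete(st.Active, string(l.Subject))
		case LinkRotate:
			st.Epoch++
		default:
			return nil, fmt.Errorf("link %d: unknown type %q", i, l.Type)
		}
		if l.Epoch != st.Epoch {
			return nil, fmt.Errorf("link %d: epoch %d, want %d", i, l.Epoch, st.Epoch)
		}
		prev = l.Hash()
	}
	return st, nil
}

func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	aPub, aPriv := NewDeviceKey()
	bPub, bPriv := NewDeviceKey()
	var c Chain
	c.Append(aPriv, LinkEnroll, aPub, 0) // A bootstraps the chain and enrolls B;
	c.Append(aPriv, LinkEnroll, bPub, 0) // B rotates the data key; A revokes B
	c.Append(bPriv, LinkRotate, bPub, 1)
	c.Append(aPriv, LinkRevoke, bPub, 1)
	st, err := Verify(&c)
	fmt.Println("active devices:", len(st.Active), "epoch:", st.Epoch, "err:", err)
	c.Append(bPriv, LinkEnroll, aPub, 1) // revoked B can no longer author links
	_, err = Verify(&c)
	fmt.Println("after revoked signer appends:", err)
}
```

Because every peer derives the same State by replaying from genesis, no central server has to hold the membership list, and a revocation takes effect at the link where it appears: any later link signed by the revoked key fails verification, and a link that is edited after the fact breaks both its own signature and the hash carried by its successor. The epoch counter is what tells a peer which data-key generation a rotation moved the organization to.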
Tradeoffs and Limitations
CSI introduces meaningful security advantages, but these guarantees come with operational and architectural tradeoffs.
Key limitations include:
- Dependence on trusted hardware such as Trusted Platform Modules and Secure Enclaves.
- Increased operational complexity around device enrollment, recovery, and key rotation.
- Additional performance overhead from encryption and process validation.
- Potential workflow disruption if hardware validation or peer synchronization fails.
- Limited protection against attackers with authorized access to an unlocked device.
Architecture Diagram
The architecture separates trust establishment, encrypted storage, execution validation, and organizational synchronization into distinct layers. This separation minimizes single points of compromise while preserving compatibility with existing enterprise workflows.
6. Conclusion
Security architectures require a shift from "keeping the attacker out" to "starving the attacker once they are in." As workstation attack surfaces continue to expand via AI agents and complex open-source dependencies, heuristic prevention alone is unlikely to provide sufficient protection against evolving supply chain and credential theft attacks.
CSI fundamentally re-engineers data security. By anchoring trust in physical silicon, validating process lineage, and relying on a decentralized peer mesh, organizations can substantially increase assurance that exfiltrated data remains cryptographically inaccessible outside explicitly authorized environments.
7. Case Studies in Preventive Defense Failure
The following incidents illustrate a recurring pattern: attackers increasingly succeed by abusing trusted software execution paths, endpoint-resident credentials, or authenticated sessions rather than defeating cryptographic primitives directly.
- Vercel (April 2026): Security incident related to supply chain vulnerabilities.
- Mercor (March 2026): Cyberattack tied to the compromise of the open-source LiteLLM project, demonstrating the danger of third-party dependencies executing on local environments.
- Bybit (2025): Supply chain security failure resulting in severe credential and token extraction.