Security

MIND is designed for safety-critical AI deployments. This page covers the security model, memory safety guarantees, and deterministic execution features.

Memory Safety

MIND inherits Rust-inspired memory safety guarantees, eliminating entire classes of vulnerabilities at compile time:

  • No null pointer dereferences — optional types make nullability explicit
  • No buffer overflows — bounds checking with compile-time shape verification
  • No data races — ownership and borrowing rules are designed to prevent concurrent mutation
  • No use-after-free — deterministic resource management without garbage collection

Deterministic Execution

MIND's strict tier (the default) guarantees bit-exact reproducibility:

  • Integer and Q16.16 fixed-point — byte-identical across substrates (x86 AVX2 == ARM NEON), gated in CI by cross_substrate
  • Scalar IEEE-754 f64/f32 on the strict path — no reassociation, no FMA contraction, -ffp-contract=off pinned; run-to-run bit-identical, verified on x86_64 (AVX2) + ARM64 (NEON), 2026-07-05
  • No non-deterministic optimizations — reordering that affects results is disabled by default
  • Explicit RNG seeding — all random operations require explicit seeds
  • Reproducible builds — same source produces identical binaries

Float vector reductions and transcendentals remain the frontier: they are currently tolerance-gated (1e-4), not bit-identical, across substrates. GPU determinism ships with the commercial runtime and is roadmap. See Determinism for the full tier breakdown.

Audit Trail Support

For regulated industries, MIND provides features to support audit and compliance:

  • Full execution traces available in debug mode
  • Immutable IR representations for model versioning
  • Cryptographic hashing of compiled artifacts
  • Integration points for external logging systems

Compile-time Evidence Chains (RFC 0016)

mindc emits an evidence-chain epilogue on the compiled IR — a tamper-evident trace_hash (crypto-agile post-quantum signing (ML-DSA, FIPS-204) is the next milestone; the commercial mind-runtime signs today) that the artifact was produced from a specific source by a specific toolchain on a specific substrate, without trusting the builder:

  • evidence_chain.determinism — class (e.g. byte-identical-q16)
  • evidence_chain.substrate — target (x86_avx2, arm64_neon, cuda_sm89, …)
  • evidence_chain.toolchain — compiler + flags identity
  • evidence_chain.trace_hashSHA-256 of the canonical mic@3 binary IR (RFC 0016 GAP-1, re-anchored 2026-05-31)
  • evidence_chain.parent — optional pointer to the parent compilation

The chain rides on a MAP epilogue (RFC 0014) attached to either canonical IR serialisation —mic@1 text or mic@3 binary (RFC 0021) — and survives the load → execute → re-emit cycle. See ir-stability.md for the normative carrier contract.

Cryptographic Primitives (Pure MIND)

The standard library includes a crypto / TLS / HTTP primitive stack written entirely in MIND and verified against RFC and NIST known-answer tests:

  • Symmetric & hashing — AES-128-GCM, SHA-256, HKDF, Keccak / SHA-3 + SHAKE (FIPS 202)
  • Public-key — X25519, RSA-PSS-SHA256 verify, ECDSA-P256 verify, ML-KEM-768 (FIPS 203 post-quantum KEM)
  • Certificates — X.509 parsing and signature verification
  • TLS 1.3 — key schedule, record layer, Finished MAC, handshake crypto (RFC 8448 replay-verified)
  • HTTP/2 — HPACK header compression (RFC 7541) and binary framing (RFC 9113)

Honest scope: this is a verified primitive library, not a working TLS client or server yet — there is no socket-driven handshake state machine or certificate-chain path validation, and HPACK is decode-only. The primitives are correctness-first, not speed-optimized.

Threat Model

The MIND security model assumes:

  • Source code and compiler are trusted
  • Runtime environment provides standard OS protections
  • Input data may be adversarial (tensor bounds are checked)
  • Side-channel attacks are out of scope for the base runtime

Sandboxing (Planned)

Future versions will support optional sandboxing for untrusted model execution:

// Planned syntax
@sandbox(memory_limit: 1GB, time_limit: 10s)
fn untrusted_inference(input: Tensor<f32, N, M>) -> Tensor<f32, N, K> {
    // ...
}

Learn More

See the full security specification at mind-spec/security.md.