- The paper introduces Trust Boundary Semantic Gaps (TBSG), showing that correct syntactic validation can still lead to security failures due to semantic misalignments.
- It develops the MDTBSG model with four dimensions—Identity, Spatial, Temporal, and Interpretation—and validates these through a detailed analysis of 75 notable security incidents.
- The proposed TBSAM framework offers a systematic four-stage process for identifying and mitigating semantic gaps, thereby enhancing robust Security-by-Design practices.
Trust Boundary Semantic Gaps: Multi-dimensional Analysis and Mitigation for Security-by-Design
Problem Definition and Motivation
The paper introduces the concept of a Trust Boundary Semantic Gap (TBSG), formalizing a recurring design-level class of security failures in which an artifact traverses a trust boundary, passes correctly implemented syntactic validation (encompassing signature, protocol, and format validation), but this validation is insufficient for the receiving domain’s actual security requirements. The essence of TBSG is the semantic misalignment between properties established by the validation gate—what is actually checked—and the implicit or explicit assumptions upon which subsequent processing relies.
Through a large-scale incident analysis covering 75 security failures from 2014 to 2025 across diverse domains (cloud, supply chain, network appliances, OS, web infrastructure), the authors provide strong evidence for the systematic nature of TBSG-induced failures. Incidents such as SolarWinds/SUNBURST, Log4Shell, and Capital One are examined to highlight not code bugs or missing checks, but successful boundary-level validation that is semantically decoupled from actual security guarantees required on the receive side.
Traditional threat modeling (e.g., STRIDE), supply-chain frameworks (e.g., SLSA), and input validation guidance do not explicitly capture what is left unestablished by correctly specified and implemented syntactic mechanisms. The critical design question is thus “After a syntactic pass, what does the receiving domain still lack for security?” The paper's treatment positions TBSG not as a particular implementation flaw but as a general mismatch in assurance composition at system boundaries.
The MDTBSG Model: Four Semantic Gap Dimensions
The core outcome is the Multi-Dimensional Trust Boundary Semantic Gap (MDTBSG) model, decomposing residual semantic gaps at trust boundaries into four orthogonal dimensions:
- Identity: The originator of the artifact or principal cannot be assured by syntactic validation alone (e.g., valid signature or credential does not guarantee intended actor, supporting various confused deputy and credential misuse attacks).
- Spatial: Syntactic conformance of routing/destination does not guarantee restricted reach/effects (e.g., a valid path or URL may access resources out-of-scope for the intention; SSRF, lateral movement, namespace crossing).
- Temporal: Validation at check-time does not ensure validity at use-time (e.g., TOCTOU, delayed activation, stale session/revocation; window of validity is uncoupled from enforcement).
- Interpretation: Syntactically valid artifact induces semantics or behaviors not anticipated (e.g., data triggers executable behavior, parser differentials, cross-language ambiguities; core to class II LangSec).
Empirical analysis shows high prevalence: Identity (85.3%), Spatial (82.7%), Interpretation (78.7%), Temporal (53.3%) across incidents, with many crossing boundaries exhibiting multi-dimensional gaps.
The TBSAM Framework: Systematic Gap Identification and Mitigation
To operationalize the MDTBSG model into engineering practice, the Trust Boundary Semantic Analysis and Mitigation (TBSAM) framework is proposed. TBSAM is a structured design-time four-stage methodology, aligned (but non-redundant with) established threat modeling workflows. The stages are:
- Boundary Record Construction: For each trust boundary, explicit enumeration of crossing artifact, enforced syntactic validation, and intended security requirements.
- Dimension Assignment: Identification (per artifact/boundary) of which MDTBSG dimensions exhibit insufficient established assurance upon validation success.
- Priority Propagation: Each gap is assigned (P1) root, (P2) amplification/secondary, or (P3) propagated—tracing gaps back to the primary boundary where they are introduced. This step decouples local from inherited vulnerabilities, enabling focus on true design roots.
- Mitigation Mapping: For each prioritized gap, architectural controls are mapped (e.g., hardware-backed attestations, provenance tracking, allowlists, interpretation-parsing hardening, scope enforcement, temporal binding). The mapping is decoupled by dimension, not simply by threat category.
TBSAM is not an automated or runtime mechanism, but is designed for use by security architects during system development or postmortem analysis. It requires rigorous documentation and explicitness in trust assumptions and is specifically constructed to complement—not replace—methods such as STRIDE, SLSA, or ZTA.
Case Study: Deconstruction of SolarWinds/SUNBURST
The SolarWinds/SUNBURST supply-chain compromise is analyzed in detail using TBSAM. The stepwise breakdown reveals:
- The build environment (TB2) is the origin of the “Interpretation” dimension TBSG: compilation and code signing are strictly syntactic—neither establishes functional semantics corresponding to the intended code base.
- Downstream boundaries (distribution to customer systems) only re-establish the same insufficient assertion (signature/integrity), so the “Interpretation” gap propagates forward.
- Similarly, temporal gaps expand in scope (e.g., window between build, signing, customer deployment, C2 beaconing onset).
- Proper placement of controls (e.g., source-to-binary attestation, reproducible builds, provenance-based artifact trust) at the root origin boundary (build output) interrupts propagated gaps more effectively than accumulating syntactic checks downstream.
The cross-boundary analysis demonstrates how correct assignment of gap origin, propagation, and dimension concretely guides both placement and nature of architectural mitigations.
Comparisons and Theoretical Implications
TBSAM is contrasted with STRIDE, SLSA, and semantic-gap analysis methods. The latter enumerate per-element threat categories or integrity levels or focus on setting-specific representation mismatches, but typically lack propagation-aware, per-assertion tracing across trust boundaries. TBSAM achieves a different analytical axis: it is assertion-centric and boundary-compositional, not threat-centric or implementation-centric.
This decouples the defense-in-depth perspective: strict syntactic validation remains necessary but not sufficient. Making trust-boundary assumptions explicit shifts system security engineering toward properties that more closely approximate end-to-end security by design. The model also integrates well with ZTA’s removal of implicit trust—clarifying design-phase assumptions that affect enforcement policies.
Limitations and Future Work
The TBSAM process is semiautomated, dependent on modeler accuracy and explicitness in system design artifacts. Ambiguity in boundary identification, requirement elicitations, or propagation assignments can limit practical effectiveness. The four MDTBSG dimensions, while strongly empirically established, are not asserted closed; less visible incidents or novel architectures may require refinement or extension of the taxonomy.
Pathways for future work include tool support for boundary extraction from machine-readable artifacts, integration with attack-tree/abuse-case modeling for dimension assignment, and empirical assessment in live system development processes.
Conclusion
The paper delivers a formal, evidence-driven treatment of semantic assurance gaps at trust boundaries and advances both a diagnostic model (MDTBSG) and a prescriptive design framework (TBSAM) for their analysis and mitigation. The systematic boundary-by-boundary, multi-dimensional analysis elucidates structural weaknesses in modern system architectures across domains, moving beyond absence-of-check reasoning to assertion composition and propagation.
Making trust-boundary security assumptions explicit during design, and ensuring that architectural controls follow the provenance of semantic risk rather than the locus of observed effect, is a critical advancement for achieving true Security-by-Design. The methodology's ability to complement classical threat modeling and supply-chain assurance practices, while also providing dimension-targeted mitigation guidance, positions it as a foundational contribution to practical and theoretical security architecture in modern distributed systems.