Source-Shielded Updates (SSU)
- Source-Shielded Updates (SSU) are a family of mechanisms that use trusted layers to shield state updates, ensuring integrity, provenance, and controlled adaptation.
- They integrate cryptographic, hardware, or algorithmic methods to sanitize, authenticate, and freeze updates across operating systems, embedded devices, and language models.
- Empirical results demonstrate that SSU approaches improve performance retention and safety by balancing source protection with adaptive target gains in diverse domains.
Source-Shielded Updates (SSU) represent a family of system and algorithmic mechanisms designed to ensure update integrity, source knowledge retention, and controlled adaptation by interposing a trusted layer—either cryptographic, hardware, or algorithmic—between the source of authoritative state (code or parameters) and the update process. SSU approaches have emerged across distinct technological domains, including operating system integrity enforcement, low-end embedded system security, and the mitigation of catastrophic forgetting in continued LLM adaptation. In all cases, the defining characteristic is an explicit shield over the provenance or impact of updates, confining change propagation to verified, authorized, or importance-ranked pathways.
1. Architectural Foundations Across Domains
The core SSU framework manifests in several technological contexts, most notably:
- Integrity-Enforced Operating Systems: Ozga et al. establish the Trusted Software Repository (TSR) as a proxy sitting between untrusted package sources and the OS under IMA/TPM monitoring. TSR sanitizes, signs, and canonizes updates within an SGX enclave, ensuring that only deterministically verified post-installation filesystem states are achievable and recognizable by external verifiers (Ozga et al., 2021).
- Embedded Devices: CASU (Compromise Avoidance via Secure Updates) introduces hardware-protected code regions and update tokens. Runtime software immutability is enforced by hardware monitors, while updates require authentication via cryptographic tokens derived from a hardware-bound secret key (Nunes et al., 2022).
- Continual Adaptation of LLMs: SSU arises as a parameter-freezing methodology in LLM training, where parameters essential for source capabilities are identified and shielded—typically at the column granularity—prior to adaptation to prevent catastrophic forgetting (Yamaguchi et al., 4 Dec 2025).
In all designs, SSU mechanisms intercept the update process, apply source-focused constraints (sanitization, immutability, or masking), and re-expose the transformed update stream or adapted state to downstream consumers or adversarial environments.
2. Methodologies for Source Protection
Operating Systems (TSR Model)
- Trusted Proxying: All package metadata and content flows through TSR, which fetches from a mirror quorum (2f + 1 model), ensuring consensus on package state despite a fraction f of potentially adversarial mirrors.
- In-Enclave Sanitization: Packages are extracted and installation scripts are analyzed. Unsafe scripts are either rewritten to achieve deterministic results (e.g., canonical user and group creation) or the package is rejected if determinization is infeasible.
- Predictive Signing: For each predicted file and config blob, TSR computes an ECDSA signature, writing it to PAX headers. This enables fine-grained, file-level attestation by the IMA stack (Ozga et al., 2021).
Embedded Systems (CASU)
- Memory-Region Enforcement: Updates are only allowed via an authenticated protocol; unauthorized writes or executions to/from protected regions induce an immediate system reset, enforced by a hardware FSM.
- Authenticated Updates: Update payloads carry an HMAC-based AuthToken and are only accepted by a ROM-resident routine if authenticated and monotonic in version.
- Continuous Integrity: With runtime writes disabled post-update, software state remains immutable between updates, obviating the need for frequent remote attestation (Nunes et al., 2022).
LLM Adaptation (SSU for Catastrophic Forgetting)
- Static Importance Scoring: Using a source-language calibration set, importance scores for each parameter are computed (e.g., via the Wanda metric: ), ranking columns of linear layers by their contribution to source performance.
- Column-Wise Freezing: The most important columns (e.g., top 50%) are statically frozen before target-language continual pre-training. This mask is fixed—target-side gradients are zeroed for shielded parameters, ensuring that source-specific knowledge is preserved (Yamaguchi et al., 4 Dec 2025).
- Selective Adaptation: Only non-frozen parameters update, allowing competitive target-language gains while sharply reducing degradation of source task and safety metrics.
3. Protocol Workflows and Formal Guarantees
| Domain | Update Shield Mechanism | Guarantee Type |
|---|---|---|
| OS / TSR | SGX-sanctified sanitization/signing | Post-update attestation equals predicted state |
| Embedded / CASU | Hardware FSM, AuthToken, immutability | Continuous integrity, no runtime modification |
| LLM / SSU | Static source-driven column freeze | Catastrophic forgetting sharply mitigated |
- Formalism in OS: While Ozga et al. omit explicit formalisms for the measurement or attestation, the invariant maintained is: ∀ installed file F, IMA_measure(F) = σ_F and verify_PKpub(σ_F, F) = true (Ozga et al., 2021).
- Hardware Enforcement in CASU: Two hardware invariants are verified: (1) Any unauthorized write to protected regions outside the trusted code region induces reset; (2) Any instruction dispatch outside these regions induces reset. All cryptographic authentications rely on HMAC_K, with K physically shielded (Nunes et al., 2022).
- Parameter Selection in LLMs: The SSU algorithm is specified by mask generation over calibration-driven scores, with frozen columns statically excluded from gradient-based updates during target adaptation (Yamaguchi et al., 4 Dec 2025). The mask is determined as:
- For each column j, .
- Freeze top k% columns by magnitude.
4. Performance, Coverage, and Empirical Results
Operating System Integrity (TSR)
- Coverage: 99.76% of Alpine Linux main/community packages supported (11,581 total), with only 28 (≈0.24%) unsanitizable.
- Overhead: Repository size increases by 3.6% (3,000MB → 3,110MB). Median runtime overhead for sanitization inside SGX is 1.18× native; full-repo initialization increases from 9.5 to 13.6 min (1.43×). Package install latency grows minimally (110ms→141ms) (Ozga et al., 2021).
Embedded Systems (CASU)
- Hardware Overhead: On OpenMSP430, CASU adds ≈3% LUTs and 0.3% registers.
- Runtime Cost: Secure updates require ≈200ms end-to-end for 250–734B binaries at 16MHz.
- No Ongoing Attestation: Classic RA is replaced; update tokens are HMACs over new code, with memory and runtime costs greatly reduced (Nunes et al., 2022).
LLM Adaptation
- Source Retention: Full fine-tuning produces 20.3%/22.3% relative drop (7B/13B) on English instruction tasks; SSU reduces this to 5.9%/4.7% (Yamaguchi et al., 4 Dec 2025).
- Target Gains: SSU yields target-language gains exceeding full fine-tuning, e.g., +54.3%/52.3% (7B/13B) averaged across five low-resource languages.
- Safety and Code-Mixing: Safety task drops are minimized to 0.1%/2.0%. Incidence of code-mixed responses remains at ≈1%, in line with English prompts.
- Static Mask Sufficiency: 128–500 calibration examples suffice for reliable scoring. SSU outperforms adaptive masking or random freezes in both retention and target task performance.
5. Analysis of Trade-Offs, Limitations, and Practical Considerations
- Freezing Ratio in LLMs: Source-task retention monotonically increases with the freeze ratio k; target-language adaptation peaks at k≈30–50%. Default k=50% balances retention and adaptation, but can be tuned depending on operator priority (Yamaguchi et al., 4 Dec 2025).
- Granularity: Column-wise freezing preserves entire feature pathways, supporting source abilities and target domain transfer. Row or element-wise freezing disrupts learned structures, degrading performance.
- Sanitization Limits in OS: A small minority of packages (e.g., those involving ephemeral key generation) remain unsanitizable; the system conservatively rejects them.
- Hardware/Embedded: CASU’s invariants are statically model-checked in SMV; update protocol security is reduced to the unforgeability of HMAC and the physical protection of the hardware key.
6. Comparative Perspectives and Scope of Applicability
- Canonicality and Determinism: All approaches center updates around predictable, testable final states—either at the file system (OS), application binary (embedded), or parameter subset (LLMs).
- Shielded Execution and Key Management: In both TSR and CASU, hardware provides isolation (SGX enclave, ROM region), enforcing update authenticity and runtime immutability.
- Adaptation vs. Stability: In LLM scenarios, SSU outperforms both full fine-tuning and alternative static/dynamic parameter selection (e.g., AdaLoRA, GMT, HFT, LoTA, S2FT) in balancing source retention and target adaptation, with statistical significance (p < 0.05).
- Implementation Simplicity: SSU approaches require no dynamic runtime overhead beyond an initial (OS/TSR: one-time sanitization and signing; LLM: one-shot score and mask computation), facilitating ready deployment in existing infrastructure.
7. Future Directions and Open Questions
- OS and Embedded: The expansion of canonical script sanitization, multi-source repository blending, and cross-distro generalization remain open. Advancing OS-side measurement models may allow formal invariants for more complex workflows.
- LLM Adaptation: Integrating SSU with vocabulary or subword retraining, supporting simultaneous adaptation to multiple target domains or languages, and developing dynamic or continuous freezing schedules are recommended for further gains (Yamaguchi et al., 4 Dec 2025).
- Compositional SSU: A plausible implication is cross-domain integration—e.g., using hardware-anchored SSU for parameter-protected adaptive embedded AI—could benefit from the orthogonality of SSU primitives described in operating systems, embedded, and ML adaptation domains.
Source-Shielded Updates constitute a general paradigm where a trusted, source-originated shield—expressed as enclave-based sanitization, hardware-enforced immutability, or algorithmic freezing—ensures integrity, provenance, and controlled evolution of system or model state during updates or adaptation. These properties directly address critical challenges in trust, safety, and knowledge preservation across software security and AI.