
Add threat model. #9


Conversation

aekblad
Contributor

@aekblad aekblad commented Oct 15, 2024

What changes are made in this PR?

This commit adds a formal threat model for the system.

Why are these changes needed?

We need a threat model if we're serious about security hardening this backend. Once we've done that, having one will increase people's confidence in it.

Related issues:

Closes #4.

@aekblad aekblad requested a review from a team as a code owner October 15, 2024 13:54
@aekblad aekblad requested a review from zbleness October 21, 2024 08:57

@flarss34 flarss34 left a comment


Verification should be a part of the threats

|||||| Medium | Deploy IDS to increase chance of detection | Test deployment for IDS presence
| UC1:3 | CVA, CNA | Return malicious state to user which steals data from deployment if deployed | High | Medium | High | Protect traffic with TLS + proper certificates | Test that TVB refuses to talk to HTTP or self-signed Vault
| UC1:3 | CNA | Eavesdrop on returned TF state to obtain secrets | High | Medium | High | Protect traffic with TLS | See above
| UC1:3 | CTA | Leak secrets obtained from Vault | High | Low | High | Ensure dependencies are minimal, trustworthy, and up to date | Use automatic dependency scanning in CI

Another countermeasure is to turn off general egress traffic from TVA (like we are doing).


@zbleness zbleness left a comment


Add the proposed countermeasure.

Successfully merging this pull request may close these issues.

[Feature Request] Formal Threat Model for TVB