From 4c0dc2c9ff18d7e58cbe4cd18ec28ac06f240b1f Mon Sep 17 00:00:00 2001 From: Justin Cappos Date: Fri, 1 May 2020 12:39:19 -0400 Subject: [PATCH 1/6] Added attacker goals Signed-off-by: Justin Cappos --- threatmodel.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/threatmodel.md b/threatmodel.md index 806f3e0b..382f78a3 100644 --- a/threatmodel.md +++ b/threatmodel.md @@ -10,3 +10,8 @@ It is assumed that an attacker may perform one or more the following actions: While it is not always possible to protect against all scenarios, the system should to the extent possible mitigate and/or reduce the damage caused by a successful attack, detect the occurrence of an attack and notify appropriate parties, yet remain usable for parties operating the system. Furthermore, the system should recover from successful attacks in a way that presents low operational overhead and risk to users. +Attacker Goals: +1. Trying to have a party install a malicious image under the attackers control. +2. Trying to have a party install an outdated image. For example, one with known security vulnerabilities. +3. Making images unavailable for installation. +4. Enabling future attacks of the above types to be carried out more easily. For example, by causing a party to trust the attacker's key. From a0e372a4b760a5be32d868bfb7d7e37453edaf94 Mon Sep 17 00:00:00 2001 From: Justin Cappos Date: Mon, 4 May 2020 13:41:40 -0400 Subject: [PATCH 2/6] Update threatmodel.md Co-authored-by: Marina Moore --- threatmodel.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/threatmodel.md b/threatmodel.md index 382f78a3..fad4cffd 100644 --- a/threatmodel.md +++ b/threatmodel.md 
@@ -14,4 +14,6 @@ Attacker Goals: 1. Trying to have a party install a malicious image under the attackers control. 2. Trying to have a party install an outdated image. For example, one with known security vulnerabilities. 3. Making images unavailable for installation. -4. Enabling future attacks of the above types to be carried out more easily. For example, by causing a party to trust the attacker's key. +4. Preventing a party from learning about updates to currently installed images. +5. Convincing a party to download large amounts of data that interfere with the party's system. +6. Enabling future attacks of the above types to be carried out more easily. For example, by causing a party to trust the attacker's key. From 85deb58b3c87ee67332e763cf59eb278729eccb0 Mon Sep 17 00:00:00 2001 From: Justin Cappos Date: Tue, 13 Apr 2021 14:27:53 +0800 Subject: [PATCH 3/6] Update threatmodel.md Co-authored-by: Marina Moore --- threatmodel.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/threatmodel.md b/threatmodel.md index fad4cffd..0a493155 100644 --- a/threatmodel.md +++ b/threatmodel.md 
@@ -11,7 +11,7 @@ It is assumed that an attacker may perform one or more the following actions: While it is not always possible to protect against all scenarios, the system should to the extent possible mitigate and/or reduce the damage caused by a successful attack, detect the occurrence of an attack and notify appropriate parties, yet remain usable for parties operating the system. Furthermore, the system should recover from successful attacks in a way that presents low operational overhead and risk to users. Attacker Goals: -1. Trying to have a party install a malicious image under the attackers control. +1. To have a party deploy a malicious artifact under the attacker's control. 2. Trying to have a party install an outdated image. For example, one with known security vulnerabilities. 3. Making images unavailable for installation. 4. Preventing a party from learning about updates to currently installed images. From 2f1c198b3a677a1cdd89de28d6b543073c5bed8b Mon Sep 17 00:00:00 2001 From: Justin Cappos Date: Tue, 13 Apr 2021 14:29:58 +0800 Subject: [PATCH 4/6] Update threatmodel.md Co-authored-by: Marina Moore --- threatmodel.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/threatmodel.md b/threatmodel.md index 0a493155..925c3722 100644 --- a/threatmodel.md +++ b/threatmodel.md @@ -14,6 +14,6 @@ Attacker Goals: 1. To have a party deploy a malicious artifact under the attacker's control. 2. Trying to have a party install an outdated image. For example, one with known security vulnerabilities. 3. Making images unavailable for installation. -4. Preventing a party from learning about updates to currently installed images. +4. Prevent a party from learning about updates to currently installed artifacts. 5. Convincing a party to download large amounts of data that interfere with the party's system. 6. Enabling future attacks of the above types to be carried out more easily. For example, by causing a party to trust the attacker's key. 
From b1762a8e5f5033bb1d1dbaf930fc6cbb058a47cf Mon Sep 17 00:00:00 2001 From: Justin Cappos Date: Tue, 13 Apr 2021 14:30:26 +0800 Subject: [PATCH 5/6] Update threatmodel.md Co-authored-by: Marina Moore --- threatmodel.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/threatmodel.md b/threatmodel.md index 925c3722..ec9acc08 100644 --- a/threatmodel.md +++ b/threatmodel.md @@ -16,4 +16,9 @@ Attacker Goals: 3. Making images unavailable for installation. 4. Prevent a party from learning about updates to currently installed artifacts. 5. Convincing a party to download large amounts of data that interfere with the party's system. -6. Enabling future attacks of the above types to be carried out more easily. For example, by causing a party to trust the attacker's key. +6. Enable future attacks of the above types to be carried out more easily. For example, by causing a party to trust the attacker's key. + +## Out of Scope +The following attacks are considered out of scope for Notary v2: +1. Denial of Service (DoS) attacks. +2. Registry validation. A registry may choose to do validation when artifacts are uploaded, but this validation is out of scope of Notary v2. From 5e2a17ba972fc0324bf5aeffd92382a3dac0944f Mon Sep 17 00:00:00 2001 From: Justin Cappos Date: Tue, 13 Apr 2021 14:30:49 +0800 Subject: [PATCH 6/6] Update threatmodel.md Co-authored-by: Marina Moore --- threatmodel.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/threatmodel.md b/threatmodel.md index ec9acc08..6f402887 100644 --- a/threatmodel.md +++ b/threatmodel.md 
@@ -15,7 +15,7 @@ Attacker Goals: 2. Trying to have a party install an outdated image. For example, one with known security vulnerabilities. 3. Making images unavailable for installation. 4. Prevent a party from learning about updates to currently installed artifacts. -5. Convincing a party to download large amounts of data that interfere with the party's system. +5. Convince a party to download large amounts of data, such as signatures or metadata, that interfere with the party's system. 6. Enable future attacks of the above types to be carried out more easily. For example, by causing a party to trust the attacker's key. ## Out of Scope
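Review bot: In patch 1/6, "under the attackers control" in the new goal 1 needs the possessive "attacker's" (the same hunk already writes "the attacker's key" in goal 4). "Attacker Goals:" is also a bare label rather than a heading, while patch 5/6 of this series adds "## Out of Scope" as a markdown heading; making it "## Attacker Goals" with a blank line before the numbered list keeps the file consistent and lets markdown render the list as one. The unchanged context line "one or more the following actions" is missing "of" and could be fixed while this paragraph is being touched.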
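Review bot: In patch 2/6, the new goal 4, "Preventing a party from learning about updates to currently installed images", is not clearly separated from goal 3, "Making images unavailable for installation": goal 3 is about availability, whereas goal 4 describes the party still receiving old but validly signed metadata and so never learning that a newer artifact exists. Suggest wording goal 4 to say the party is shown stale metadata that still verifies, so a reader sees that it calls for a freshness or expiry check rather than the availability mitigation goal 3 needs. The commit message "Update threatmodel.md" also says nothing about what was added; naming the two new goals in it would let the log explain the change.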
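Review bot: In patch 3/6, goal 1 now says "a malicious artifact" while goals 2 and 3 in the same hunk still say "an outdated image" and "Making images unavailable". If the move from image to the more general artifact is intended (patch 5/6 in this series speaks of artifacts being uploaded to a registry), goals 2 and 3 should be changed in the same patch so the list does not mix both terms.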
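Review bot: In patch 4/6, goal 4 switches to the imperative "Prevent a party from learning", but goal 1 was reworded in patch 3/6 to the infinitive "To have a party deploy" and goals 2 and 3 still use gerunds ("Trying to have", "Making"), so the list mixes three verb forms. Pick one, for example the imperative used here, and apply it to every item in a single patch; the later patches 5/6 and 6/6 continue the imperative for goals 5 and 6 but leave 2 and 3 untouched.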
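Review bot: In patch 5/6, the new "## Out of Scope" item 1, "Denial of Service (DoS) attacks", contradicts goal 5 two lines above it, "Convincing a party to download large amounts of data that interfere with the party's system", which is a resource-exhaustion denial of service against the client. Suggest stating the boundary explicitly: attacks on registry availability are out of scope, while a client being fed oversized or unbounded signature data stays in scope because the verifier can defend against it by bounding what it fetches. Also, "The following attacks are considered out of scope" does not fit item 2, "Registry validation", which is a function rather than an attack; "The following are out of scope for Notary v2" reads correctly for both items.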
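Review bot: In patch 6/6, the example added to goal 5, "such as signatures or metadata", usefully narrows the attack, but "interfere with the party's system" still leaves the harm unstated; saying what is exhausted (disk, memory or bandwidth during verification) tells an implementer what needs a bound. Since this is the last patch in the series, it is also the place to resolve the leftover inconsistencies in the hunk: goals 2 and 3 still read "image"/"images" and "Trying to have"/"Making" after every other item has moved to "artifact" and the imperative.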