Interesting email, Andrew (as always!). Threat modelling is part of the security review process, so we have formal threat models for parts of the system, but I don’t think we have a holistic threat model documented to the level you are describing. Certainly capturing security decisions and philosophy is important. I’m currently working on a threat model as part of a roadmap for future security features, so I can try to incorporate some of the ideas below into that.
On 10 Sep 2014, at 5:50 pm, Andrew Sutherland <[email protected]> wrote:

> :pauljt's question about certified app debugging made me wonder if we have
> any formal-ish descriptions of the threat/attack models for Firefox OS. I
> particularly am interested because it seems like discussions about
> complicated issues like this frequently end up going in circles because
> people are trying to cobble mental models together from email responses.
> (ex: I think the "Add-on File Registration PRD" discussion at
> https://groups.google.com/d/msg/mozilla.dev.planning/zLwLNyWm7es/n85wjv5DJ1QJ
> would have gone much better with a representation of the attack-defense tree
> and indication of which choices were discarded because the attacker already
> has a valid counter-attack.)
>
> And in some cases I think visually expressing the key assumptions that
> underlie a lot of our protections can be helpful. For example, in the recent
> dev-gaia thread on "App badges via notifications", it seemed to be proposed
> to let apps dynamically change their icon
> (https://groups.google.com/d/msg/mozilla.dev.gaia/sHFTy6m8va8/g7-V19YusgEJ).
> But it's my understanding that much of our defense against rogue apps is that
> they are unable to change their name or icon. Being able to easily see at a
> glance that defeating a morphing impersonation attack is or is not critical
> to us would be handy. (And a hyperlink to a wiki from the graph node that
> discusses the trade-offs would be super handy!)
>
> I've just tried to bring myself up to speed on this a little bit, and it
> seems like the http://satoss.uni.lu/projects/atrees/index.php project's
> research and papers on Attack Trees are particularly interesting[1].
>
> Most important, this library of trees has graphical examples in .pdf form:
> http://satoss.uni.lu/projects/atrees/library.php
> I suggest starting with a look at
> http://satoss.uni.lu/projects/atrees/trees/confidentiality.pdf since it has a
> defense node as a root and I like it.
>
> There's a recent survey paper on attack/defense modeling that seems to cover
> the very large field: http://satoss.uni.lu/members/barbara/papers/survey.pdf
>
> The paper on Attack-Defense trees:
> http://satoss.uni.lu/members/barbara/papers/ADT12.pdf
> Slides for those who experience academic paper-blindness or just like bullet
> points: http://satoss.uni.lu/members/barbara/papers/slides.pdf
>
> There's also a GPL3 tool implemented in Java at
> http://satoss.uni.lu/members/piotr/adtool/, although unless one cares about
> the math aspects it seems like one could probably accomplish the diagram
> goals without involving Java.
>
> Thanks!
> Andrew
>
> 1: Note that the specific funded effort seems to have ceased and for more
> recent papers you'll need to see what the authors like
> http://satoss.uni.lu/members/barbara/publications.php are up to.
> _______________________________________________
> dev-b2g mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-b2g
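As an added illustration of the attack-defense tree modelling Andrew describes (this is editor-added example code, not code from the thread, from Firefox OS, or from the ADTool project), here is a small Python evaluator that encodes the "morphing impersonation" scenario from the mail: an attacker goal refined into OR/AND sub-goals, defender countermeasures attached to attacker nodes, and attacker counter-attacks attached to defenses. The node labels and the tree shape are constructed assumptions for illustration, not an official threat model. It answers the two questions raised in the mail: does the attacker still achieve the root goal once a given defense is in place, and which defender choices are already neutralized by a counter-attack (the ones one would mark as discarded in a diagram). It also emits Graphviz DOT so the tree can be drawn without the Java tool.

```python
"""Minimal attack-defense tree (ADTree) evaluator.

Editor-added example; not code from the dev-b2g thread or from ADTool.
The tree in impersonation_tree() is a constructed model of the scenario in the
mail (rogue app impersonating a trusted one by changing name or icon, defended
by immutable manifest name/icon, and a proposed dynamic-icon badge API as a
possible counter-attack). Labels and structure are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ATTACKER, DEFENDER = "attacker", "defender"


@dataclass
class Node:
    label: str
    actor: str                                            # ATTACKER or DEFENDER
    op: str = "OR"                                        # how same-actor children combine
    children: List["Node"] = field(default_factory=list)  # refinements (same actor)
    counter: Optional["Node"] = None                      # countermeasure by the other actor
    enabled: bool = True                                  # leaf only: action available / deployed

    def __post_init__(self) -> None:
        assert self.actor in (ATTACKER, DEFENDER)
        assert self.op in ("AND", "OR")
        for c in self.children:
            assert c.actor == self.actor, "refinements keep the same actor"
        if self.counter is not None:
            assert self.counter.actor != self.actor, "counter belongs to the other actor"


def achieved(node: Node) -> bool:
    """Satisfiability semantics: a node's actor achieves its goal iff its own
    refinement (or, for a leaf, its enabled flag) holds AND no attached
    countermeasure is itself achieved."""
    if node.children:
        results = [achieved(c) for c in node.children]
        own = all(results) if node.op == "AND" else any(results)
    else:
        own = node.enabled
    if own and node.counter is not None and achieved(node.counter):
        return False
    return own


def neutralized_defenses(node: Node) -> List[str]:
    """Labels of defender nodes the attacker already counters: the design
    choices to mark as discarded in a threat-model diagram."""
    found: List[str] = []
    if node.actor == DEFENDER and node.counter is not None and achieved(node.counter):
        found.append(node.label)
    for c in node.children:
        found.extend(neutralized_defenses(c))
    if node.counter is not None:
        found.extend(neutralized_defenses(node.counter))
    return found


def to_dot(root: Node) -> str:
    """Graphviz DOT: attacker nodes as ellipses, defender nodes as boxes,
    refinement edges solid, countermeasure edges dotted, AND marked on the
    parent, nodes that are not achieved drawn in gray."""
    lines = ["digraph adtree {"]
    ids: dict = {}

    def walk(n: Node) -> str:
        if id(n) in ids:
            return ids[id(n)]
        nid = ids[id(n)] = f"n{len(ids)}"
        shape = "ellipse" if n.actor == ATTACKER else "box"
        suffix = " [AND]" if n.children and n.op == "AND" else ""
        color = "black" if achieved(n) else "gray"
        lines.append(f'  {nid} [label="{n.label}{suffix}", shape={shape}, color={color}];')
        for c in n.children:
            lines.append(f"  {nid} -> {walk(c)};")
        if n.counter is not None:
            lines.append(f"  {nid} -> {walk(n.counter)} [style=dotted];")
        return nid

    walk(root)
    lines.append("}")
    return "\n".join(lines)


def impersonation_tree(badge_api_can_change_icon: bool) -> Node:
    """Constructed model of the 'morphing impersonation' discussion
    (assumption, not an official Firefox OS threat model)."""
    icon_defense = Node(
        "Manifest icon is immutable after install", DEFENDER,
        counter=Node("Change icon through dynamic badge API", ATTACKER,
                     enabled=badge_api_can_change_icon))
    name_defense = Node("Manifest name is immutable after install", DEFENDER)
    return Node("Impersonate a trusted app", ATTACKER, op="OR", children=[
        Node("Morph icon at runtime", ATTACKER, counter=icon_defense),
        Node("Morph name at runtime", ATTACKER, counter=name_defense),
    ])


if __name__ == "__main__":
    for adopted in (False, True):
        t = impersonation_tree(adopted)
        print(f"badge API can change icon={adopted}: attacker wins={achieved(t)}, "
              f"neutralized={neutralized_defenses(t)}")
    print(to_dot(impersonation_tree(True)))
```

With the badge API unable to change the icon, the root attacker goal is not achieved and no defense is neutralized; enabling that counter-attack flips the root to achieved and lists the immutable-icon defense as the choice the attacker already counters. Pipe the DOT output to `dot -Tpng` to get the kind of diagram the mail asks for, with a wiki link addable per node via a DOT `URL` attribute.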
