.. Gabor Abonyi 26893d7 2021-12-17 09:24:09 +0100

################################################################
Trusted Firmware-M Voice Activity Detection Example Threat Model
################################################################

************
Introduction
************

This document extends the generic threat model of Trusted Firmware-M (TF-M).
This threat model provides an analysis of the Voice Activity Detection (VAD)
example in TF-M and identifies general threats and mitigations.

Scope
=====

TF-M supports diverse models and topologies. It also implements multiple
isolation levels. Each case may focus on a different target of evaluation (TOE)
and identify different assets and threats.
The TF-M implementation consists of several secure services, defined as
Root of Trust (RoT) services. Those RoT services belong to different RoTs
(Application RoT or PSA RoT) and access different assets and hardware. Therefore
each RoT service may require a dedicated threat model.

This analysis only focuses on the assets and threats introduced by the VAD
example. The TF-M implementation, topologies, or other RoT services are out of
scope of this document.

Methodology
===========

The threat modeling in this document follows the process listed below to
build up the threat model.

- Target of Evaluation (TOE)
- Assets identification
- Data Flow Diagram (DFD)
- Threats prioritization
- Threats identification

The TOE is the entity on which threat modeling is performed. The logic behind
this process is to first investigate the TOE, which could be a system, solution
or use case. This first step helps to identify the assets to be protected in
the TOE.

According to the TOE and assets, Trust Boundaries can be determined. The Data
Flow Diagram (DFD) across Trust Boundaries is then defined to help identify the
threats.

Those threats should be prioritized based on a specific group of principles and
metrics. The principles and metrics should also be specified.

********************
Target of Evaluation
********************

A typical TF-M system diagram can be seen in the `Generic Threat Model <Generic-Threat-Model_>`_.
TF-M is running in the Secure Processing Environment (SPE) and NS software is
running in the Non-secure Processing Environment (NSPE).

The TOE in this general model is the VAD Secure Partition and the interaction of
peripherals and NSPE. The VAD algorithm itself and its possible flaws are not
in scope of this document; however, the threats that such flaws can cause and
their mitigations are in scope.

********************
Asset identification
********************

In this threat model, assets include the items listed below:

- Software RoT data, e.g.

  - Secure partition code and data
  - NSPE data stored in SPE
  - Data generated in SPE as requested by NSPE
  - Data flowing from peripherals to SPE

- Availability of entire RoT service
- Result of a RoT service

*****************
Data Flow Diagram
*****************

The list and details of data flows are described in the `Generic Threat Model <Generic-Threat-Model_>`_.
In addition to the data flows above, this use case introduces a new data flow
from a peripheral to the SPE. Although the peripheral resides within the SPE,
the data from it is external, so it must be considered as data crossing a trust
boundary. This data flow is labeled DF7 from here on.

.. note::

    All the other data flows across the Trusted Boundary besides the valid ones
    mentioned in the `Generic Threat Model <Generic-Threat-Model_>`_ and above
    should be prohibited by default. Proper isolation must be configured to
    prevent NSPE directly accessing SPE.

    Although the data flows are covered in general in the TF-M Generic Threat
    Model, for DF2-DF5, given the inner workings and flow of control in the VAD
    partition, additional threats are also considered. Threats identified in the
    Generic Threat Model still apply.

*********************
Threat identification
*********************

Threat priority
===============

Threat priority is indicated by the score calculated via Common Vulnerability
Scoring System (CVSS) Version 3.1 [CVSS]_. The higher the score, the greater
the severity of the threat and the higher its priority.

CVSS scores can be mapped to qualitative severity ratings defined in the CVSS
3.1 specification [CVSS_SPEC]_. This threat model follows the same mapping
between CVSS scores and threat priority rating.

This document focuses on the *Base Score*, which reflects the constant and
general severity of a threat according to its intrinsic characteristics.

The *Impacted Component* defined in [CVSS_SPEC]_ refers to the assets listed in
`Asset identification`_.

Threats and mitigation list
===========================

This section lists generic threats and corresponding mitigation, based on the
analysis of data flows in `Data Flow Diagram`_.

Threats are identified following the ``STRIDE`` model. Please refer to
[STRIDE]_ for more details.

The field ``CVSS Score`` reflects the threat priority defined in
`Threat priority`_. The field ``CVSS Vector String`` contains the textual
representation of the CVSS metric values used to score the threat. Refer to
[CVSS_SPEC]_ for more details of CVSS vector string.

.. note::

    A generic threat may have different behaviors and therefore require
    different mitigation, in diverse TF-M models and usage scenarios.

    This threat model document focuses on threats specific to the VAD partition.
    Similar threats might exist in the generic threat model with different
    consequences or severity. For the details of generic threats in general
    usage scenarios, please refer to the
    `Generic Threat Model <Generic-Threat-Model_>`_ document.

NSPE requests TF-M secure service
---------------------------------

This section identifies threats on ``DF2`` defined in `Data Flow Diagram`_.

.. table:: TFM-VAD-REQUEST-SERVICE-I-1
  :widths: 10 50

  +---------------+------------------------------------------------------------+
  | Index         | **TFM-VAD-REQUEST-SERVICE-I-1**                            |
  +---------------+------------------------------------------------------------+
  | Description   | A malicious NS application may extract the result of a VAD |
  |               | service request by measuring time while the service was    |
  |               | unavailable for further requests.                          |
  +---------------+------------------------------------------------------------+
  | Justification | A malicious NS application may request VAD service to      |
  |               | perform voice activity detection, while another legit NS   |
  |               | app is doing so. By measuring how much time it takes for   |
  |               | the service to become available, it can be extracted if    |
  |               | there was voice activity or not.                           |
  +---------------+------------------------------------------------------------+
  | Category      | Information disclosure                                     |
  +---------------+------------------------------------------------------------+
  | Mitigation    | Not yet. Service could use non-blocking or callback-based  |
  |               | implementation.                                            |
  +---------------+------------------------------------------------------------+
  | CVSS Score    | 2.9 (Low)                                                  |
  +---------------+------------------------------------------------------------+
  | CVSS Vector   | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N               |
  | String        |                                                            |
  +---------------+------------------------------------------------------------+

.. table:: TFM-VAD-REQUEST-SERVICE-D-1
  :widths: 10 50

  +---------------+------------------------------------------------------------+
  | Index         | **TFM-VAD-REQUEST-SERVICE-D-1**                            |
  +---------------+------------------------------------------------------------+
  | Description   | Malicious NS applications may frequently call secure       |
  |               | services to block secure service requests from other NS    |
  |               | applications.                                              |
  +---------------+------------------------------------------------------------+
  | Justification | TF-M runs on IoT devices with constrained resources. Even  |
  |               | though multiple outstanding NS PSA Client calls can be     |
  |               | supported in the system, the number of NS PSA client calls |
  |               | served by TF-M simultaneously is still limited.            |
  |               |                                                            |
  |               | Therefore, if a malicious NS application or multiple       |
  |               | malicious NS applications continue calling TF-M secure     |
  |               | services frequently, it may block other NS applications    |
  |               | from requesting secure services from TF-M.                 |
  |               |                                                            |
  |               | For VAD service requests, this can have more consequences  |
  |               | as the current implementation is blocking the Secure       |
  |               | thread.                                                    |
  +---------------+------------------------------------------------------------+
  | Category      | Denial of service                                          |
  +---------------+------------------------------------------------------------+
  | Mitigation    | TF-M is unable to manage behavior of NS applications.      |
  |               | Assets are not disclosed and TF-M is not directly impacted |
  |               | by this threat.                                            |
  |               |                                                            |
  |               | Repeatedly exploiting this vulnerability could disrupt     |
  |               | and decrease the availability of TF-M and other secure     |
  |               | services, but not completely. Because of this, the         |
  |               | availability vector of the threat is considered high.      |
  |               |                                                            |
  |               | It relies on the NS OS to enhance scheduling policy and    |
  |               | prevent a single NS application from occupying the entire  |
  |               | CPU time. It is beyond the scope of this threat model.     |
  +---------------+------------------------------------------------------------+
  | CVSS Score    | 6.2 (Medium)                                               |
  +---------------+------------------------------------------------------------+
  | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H               |
  | String        |                                                            |
  +---------------+------------------------------------------------------------+

NS interrupts preempt SPE execution
-----------------------------------

This section identifies threats on ``DF5`` defined in `Data Flow Diagram`_.

.. table:: TFM-VAD-NS-INTERRUPT-T-D-1
  :widths: 10 50

  +---------------+------------------------------------------------------------+
  | Index         | **TFM-VAD-NS-INTERRUPT-T-D-1**                             |
  +---------------+------------------------------------------------------------+
  | Description   | An attacker may trigger spurious NS interrupts frequently  |
  |               | to block SPE execution.                                    |
  +---------------+------------------------------------------------------------+
  | Justification | In a single Armv8-M core scenario, an attacker may inject  |
  |               | a malicious NS application or hijack NS hardware to        |
  |               | frequently trigger spurious NS interrupts to keep          |
  |               | preempting SPE and block SPE from performing normal        |
  |               | secure execution.                                          |
  |               |                                                            |
  |               | Blocking VAD service long enough can cause loss of input   |
  |               | data from peripherals to the service, possibly changing    |
  |               | the return value of the service request.                   |
  +---------------+------------------------------------------------------------+
  | Category      | Tampering / Denial of service                              |
  +---------------+------------------------------------------------------------+
  | Mitigation    | It is out of scope of TF-M.                                |
  |               |                                                            |
  |               | Assets protected by TF-M won't be leaked. TF-M won't be    |
  |               | directly impacted.                                         |
  +---------------+------------------------------------------------------------+
  | CVSS Score    | 5.1 (Medium)                                               |
  +---------------+------------------------------------------------------------+
  | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L               |
  | String        |                                                            |
  +---------------+------------------------------------------------------------+

Data from peripherals to SPE
----------------------------

This section identifies threats on ``DF7`` defined in `Data Flow Diagram`_.

.. table:: TFM-VAD-PERIPH-DATA-TO-SPE-T-D-1
  :widths: 10 50

  +---------------+------------------------------------------------------------+
  | Index         | **TFM-VAD-PERIPH-DATA-TO-SPE-T-D-1**                       |
  +---------------+------------------------------------------------------------+
  | Description   | An attacker may gain the ability to artificially modify    |
  |               | the data and may trigger untested data paths within the    |
  |               | voice activity detection algorithm.                        |
  +---------------+------------------------------------------------------------+
  | Justification | TF-M is unable to prevent manipulation of external data;   |
  |               | an attacker might inject malicious data through the        |
  |               | peripheral. The VAD algorithm is considered trusted, but   |
  |               | given its complexity, might be subject to vulnerabilities  |
  |               | within its data flow.                                      |
  |               |                                                            |
  |               | With carefully crafted data, an attacker might be able to  |
  |               | cause the failure of the VAD algorithm. It can also be     |
  |               | used to gain in-depth knowledge of the algorithm, possibly |
  |               | making it prone to adversarial attacks. The attacker might |
  |               | also be able to read data accessible within the secure     |
  |               | partition that the VAD algorithm is running in.            |
  +---------------+------------------------------------------------------------+
  | Category      | Tampering / Denial of service                              |
  +---------------+------------------------------------------------------------+
  | Mitigation    | It is out of scope of TF-M to mitigate vulnerabilities     |
  |               | within the VAD algorithm, however TF-M is responsible for  |
  |               | properly isolating the algorithm within the secure         |
  |               | partition, so vulnerabilities must not propagate.          |
  +---------------+------------------------------------------------------------+
  | CVSS Score    | 6.8 (Medium)                                               |
  +---------------+------------------------------------------------------------+
  | CVSS Vector   | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H               |
  | String        |                                                            |
  +---------------+------------------------------------------------------------+

***************
Version control
***************

.. table:: Version control

  +---------+--------------------------------------------------+---------------+
  | Version | Description                                      | TF-M version  |
  +=========+==================================================+===============+
  | v1.0    | First version                                    | TF-M v1.6.0   |
  +---------+--------------------------------------------------+---------------+

*********
Reference
*********

.. [Security-Incident-Process] `Security Incident Process <https://developer.trustedfirmware.org/w/collaboration/security_center/reporting/>`_

.. [Generic-Threat-Model] `Generic Threat Model <https://tf-m-user-guide.trustedfirmware.org/docs/security/threat_models/generic_threat_model.html>`_

.. [FF-M] `Arm® Platform Security Architecture Firmware Framework 1.0 <https://developer.arm.com/-/media/Files/pdf/PlatformSecurityArchitecture/Architect/DEN0063-PSA_Firmware_Framework-1.0.0-2.pdf?revision=2d1429fa-4b5b-461a-a60e-4ef3d8f7f4b4>`_

.. [DUAL-CPU-BOOT] `Booting a dual core system <https://tf-m-user-guide.trustedfirmware.org/docs/technical_references/design_docs/dual-cpu/booting_a_dual_core_system.html>`_

.. [CVSS] `Common Vulnerability Scoring System Version 3.1 Calculator <https://www.first.org/cvss/calculator/3.1>`_

.. [CVSS_SPEC] `CVSS v3.1 Specification Document <https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf>`_

.. [STRIDE] `The STRIDE Threat Model <https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20)?redirectedfrom=MSDN>`_

.. [SECURE-BOOT] `Secure boot <https://tf-m-user-guide.trustedfirmware.org/docs/technical_references/design_docs/tfm_secure_boot.html>`_

.. [ROLLBACK-PROTECT] `Rollback protection in TF-M secure boot <https://tf-m-user-guide.trustedfirmware.org/docs/technical_references/design_docs/secure_boot_rollback_protection.html>`_

.. [STACK-SEAL] `Armv8-M processor Secure software Stack Sealing vulnerability <https://developer.arm.com/support/arm-security-updates/armv8-m-stack-sealing>`_

.. [ADVISORY-TFMV-1] `Advisory TFMV-1 <https://tf-m-user-guide.trustedfirmware.org/docs/security/security_advisories/stack_seal_vulnerability.html>`_

.. [ADVISORY-TFMV-2] `Advisory TFMV-2 <https://tf-m-user-guide.trustedfirmware.org/docs/security/security_advisories/svc_caller_sp_fetching_vulnerability.html>`_

--------------------

*Copyright (c) 2020-2022 Arm Limited. All Rights Reserved.*