TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TS / trusted-services / refs/heads/topics/bd/tstee-in-tree / . / docs / security / threat-model.rst
blob: 3bd9dd010bebf332101487a42ea3df8101578ad9 [file] [log] [blame]
Gyorgy Szingd4a86562022-04-07 15:30:34 +0200[diff] [blame]1Generic Threat Model
2====================
3
4Threat modeling is a process to identify security requirements, pinpoint security threats and potential vulnerabilities,
5quantify threat and vulnerability criticality and prioritize remediation methods.
6
7In the next sections you can find the output of this process the for a generic, use-case and service independent
8assessment.
9
10Target evaluation
11-----------------
12
13In this threat model, the target of evaluation is the S-EL0 SPs part of the PSA RoT hosting a "generalized" trusted
14service.
15
16This evaluation is based on the following assumptions:
17
18 * The implementation is based on the |FF-A| standard.
19 * Trusted boot is enabled. This means an attacker cant boot arbitrary images that are not approved by platform
20 providers.
21 * Each trusted service is running in an S-EL0 secure partition. Access to memory and hardware is controlled by the
22 SPM based on the FF-A manifest or FF-A framework messages.
23 * Components running at higher privilege levels than S-EL0 are to be inherently trusted. (I.e. the SPM).
24
25Data flow diagram
26-----------------
27
28The data flow diagram visualizes the connection between components and where the data flow crosses security boundaries.
29
30.. image:: ./generic-data-flow.svg
31 :target: Attachments_
32
33.. table:: List of data flows
34
35 +-----------+---------------------------------------------------------------------------------+----------+
36 | Data flow | Description | In scope |
37 +-----------+---------------------------------------------------------------------------------+----------+
38 | DF1 | Trusted Service interacts with NWd client directly. | Yes |
39 +-----------+---------------------------------------------------------------------------------+----------+
40 | DF2 | Trusted Service interacts with NWd client through SPM. | Yes |
41 +-----------+---------------------------------------------------------------------------------+----------+
42 | DF3 | Trusted Services interact through SPM. | Yes |
43 +-----------+---------------------------------------------------------------------------------+----------+
44 | DF4 | Trusted Service logs debug information. | Yes |
45 +-----------+---------------------------------------------------------------------------------+----------+
46 | DF5 | Trusted Services interact directly. | Yes |
47 +-----------+---------------------------------------------------------------------------------+----------+
48 | DF6, DF7 | Trusted Services interacts with shared hardware. | Yes |
49 +-----------+---------------------------------------------------------------------------------+----------+
50 | DF8 | Trusted Service interacts with dedicated peripheral interface. | Yes |
51 +-----------+---------------------------------------------------------------------------------+----------+
52 | DF9, DF10 | Trusted Service interacts with shared, external hardware. | Yes |
53 +-----------+---------------------------------------------------------------------------------+----------+
54 | DF11 | Trusted Service interacts with dedicated, external hardware. | Yes |
55 +-----------+---------------------------------------------------------------------------------+----------+
56 | DF12 | NWd interacts with more privileged software. | No |
57 +-----------+---------------------------------------------------------------------------------+----------+
58 | DF13 | FF-A manifest and other data is handed over to a Trussed Service | No |
59 +-----------+---------------------------------------------------------------------------------+----------+
60
61Trust boundaries
62----------------
63
64.. list-table:: List of trust boundaries
65
66 * - Trust boundary
67 - Description
68 * - TB1
69 - Trust boundary between TEE and normal world.
70 * - TB2
71 - Trust boundary between higher privilege level SW and Trusted Services.
72 * - TB3, TB4
73 - Trust boundary between trusted services.
74 * - TB5
75 - Trust boundary to physically accessible external hardware.
76
77Assets
78------
79
80The above dataflow identifies the following generalized assets.
81
82.. table::
83
84 +----------------------+----------------------------------------------------------------------------------+
85 | Asset | Description |
86 +----------------------+----------------------------------------------------------------------------------+
87 | ``availability`` | Availability of a trusted service to clients. |
88 +----------------------+----------------------------------------------------------------------------------+
89 | ``code execution`` | Code or code flow of a trusted service. |
90 +----------------------+----------------------------------------------------------------------------------+
91 | ``sensitive data`` | Data that an attacker must not tamper with. These include device identity key, |
92 | | Initial Attestation Key, Protected Storage Key, UEFI variables, tpm-event log, |
93 | | etc... |
94 +----------------------+----------------------------------------------------------------------------------+
95 |``sensitive hardware``| Hardware that an attacker must not be tamper with. Examples are control interface|
96 | | of storage medium, true random number generator, crypto accelerator. |
97 +----------------------+----------------------------------------------------------------------------------+
98
99Attackers and threat agents
100---------------------------
101
102This section identifies the generalized stakeholders interacting with secure services.
103
104.. list-table::
105 :widths: 20,70,10
106
107 * - Attacker/Threat agent
108 - Description
109 - In scope
110 * - ``NSClient``
111 - Client executing in the normal world.
112 - Yes
113 * - ``SClient``
114 - Client running in SWd.
115 - Yes
116 * - ``HPComponent``
117 - Components running at higher privilege level than the trusted service.
118 - No
119 * - ``AppDebug``
120 - Physical attacker using debug signals to access resources.
121 - Yes
122 * - ``PhysAcc``
123 - Physical attacker having access to the external device communication bus and to the external flash communication
124 bus using common hardware.
125 - Yes
126 * - ``AdvPhysAcc``
127 - Attackers who are able to use specialist hardware for attacks that require irreversible changes to the target
128 system (e.g., "rewiring" a chip using a Focused IonBeam FIB workstation).
129 - No
130
131
132
133Threat Priority
134---------------
135
136Threat priority calculation is based on `Common Vulnerability Scoring System`_ (CVSS) Version 3.1. The threat priority
137is represented by the `Severity Rating Scale`_ calculated from the CVSS score of each threat. The CVSS score is
138calculated using the `Vulnerability Calculator`_.
139
140For each threat the priority and a link to CVSS calculator capturing the calculator settings will be listed.
141
142Threat Types
143------------
144
145In this threat model we categorize threats using the `STRIDE threat analysis technique`_. In this technique a threat is
146categorized as one or more of these types: ``Spoofing``, ``Tampering``, ``Repudiation``, ``Information disclosure``,
147``Denial of service`` or ``Elevation of privilege``.
148
149.. list-table::
150 :widths: 15,80
151
152 * - **ID**
153 - 1
154 * - Description
155 - Information leak via debug logs.
156
157 During development it is common practice to help understanding code execution by emitting
158 debug logs.
159 * - Data flow
160 - DF4
161 * - Asset(s)
162 - ``Sensitive Data``
163 * - Threat Agent/Attacker
164 - ``AppDebug``
165 * - Threat type
166 - ``Information disclosure``
167 * - Impact
168 - Sensitive information may get to unauthorized people. Information can potentially help
169 compromising the target or other systems.
170 * - Scoring/CVSS
171 - Medium, 4.6 `CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N>`_
172 * - Mitigation
173 - Log messages are put to "verbosity categories". Release builds limit printed log messages
174 to "error" category.
175 * - Mitigation in place
176 - yes
177
178.. list-table::
179 :widths: 15,80
180
181 * - **ID**
182 - 2
183 * - Description
184 - An attacker can tamper with sensitive data and execute arbitrary code through hardware-assisted
185 debug interface.
186 * - Data flow
187 - N/A.
188 * - Asset(s)
189 - ``Sensitive Data``, ``Code Execution``, ``Sensitive Hardware``
190 * - Threat Agent/Attacker
191 - ``AppDebug``
192 * - Threat type
193 - ``Information disclosure``, ``Tampering``
194 * - Impact
195 - Sensitive information may get to unauthorized people. Information can potentially help
196 compromising the target or other systems.
197
198 An attacker may modify sensitive data and alter device behavior and thus compromise the
199 target or other systems.
200 * - Scoring/CVSS
201 - Medium, 6.8 `CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H>`_
202 * - Mitigation
203 - Hardware platform specific means to disable or limit access to debug functionality.
204 * - Mitigation in place
205 - yes
206
207.. list-table::
208 :widths: 15,80
209
210 * - **ID**
211 - 3
212 * - Description
213 - An attacker can perform a denial-of-service attack by using a broken service call that
214 causes the service to enter an unknown state.
215
216 Secure and non-secure clients access a trusted service through FF-A calls. Malicious code
217 can attempt to place the service into an inconsistent state by calling unimplemented
218 calls or by passing invalid arguments.
219 * - Data flow
220 - DF1, DF2, DF3, DF5
221 * - Asset(s)
222 - ``Availability``
223 * - Threat Agent/Attacker
224 - ``NSclient``, ``SClient``
225 * - Threat type
226 - ``Denial of service``
227 * - Impact
228 - The service or the whole system may temporarily or permanently enter an unusable state.
229 * - Scoring/CVSS
230 - Medium, 6.8 `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H>`_
231 * - Mitigation
232 - The service must validate all inputs before usage. Input validation shall be checked during
233 code review and by testing.
234 * - Mitigation in place
235 - yes
236
237.. list-table::
238 :widths: 15,80
239
240 * - **ID**
241 - 4
242 * - Description
243 - Memory corruption due to memory overflows and lack of boundary checking when accessing
244 resources.
245
246 Allows an attacker to execute arbitrary code, modify memory content to change
247 program flow.
248 * - Data flow
249 - DF1, DF2, DF3, DF5
250 * - Asset(s)
251 - ``Code execution``, ``Sensitive Data``, ``Denial of service``
252 * - Threat Agent/Attacker
253 - ``SClient``, ``NSClient``, ``HSComponent``
254 * - Threat type
255 - ``Tampering``, ``Information disclosure``, ``Elevation of privilege``, ``Denial of service``
256 * - Impact
257 - The service or the whole system may temporarily or permanently enter an unusable state.
258
259 Malicious code might be executed in the context of the compromised service.
260 Leakage of sensitive data.
261 * - Scoring/CVSS
262 - High, 8.4 `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>`_
263 * - Mitigation
264 - The service must validate boundaries and sanity check incoming data. Validation shall be
265 checked during code reviews and by testing.
266 * - Mitigation in place
267 - yes
268
269.. list-table::
270 :widths: 15,80
271
272 * - **ID**
273 - 5
274 * - Description
275 - External devices connected to the system storing sensitive data. An attacker could eavesdrop external signals.
276 * - Data flow
277 - DF9, DF10, DF11
278 * - Asset(s)
279 - ``Sensitive Data``
280 * - Threat agent/Attacker
281 - ``PhysAcc``
282 * - Threat type
283 - ``Information disclosure``
284 * - Impact
285 - An attacker may get access to sensitive data, could tamper with sensitive data, or could attack the service
286 using the external device by injecting malicious data, which could lead to malfunction or execution of malicious
287 code.
288 * - Scoring/CVSS
289 - Medium, 5.9 `CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H>`_
290 * - Mitigation
291 - When designing the use case, storage services must be assessed to understand which protection type they can
292 implement (integrity, authenticity, confidentiality, rollback-protection). Sensitive data must be categorized
293 and mapped to the storage service which can provide the needed protection.
294
295 For example integrity can be safeguarded by using checksums. Authenticity by using digital signatures.
296 Confidentiality by using encryption. Rollback protection by using nonce values.
297 * - Mitigation in place
298 - yes
299
300.. list-table::
301 :widths: 15,80
302
303 * - **ID**
304 - 6
305 * - Description
306 - State of external devices connected to the system might be modified by an attacker.
307
308 This includes modifying signals, replacing the device, or modifying device content.
309 * - Data flow
310 - DF9, DF10, DF11
311 * - Asset(s)
312 - ``Sensitive Data``, ``Denial of service``, ``Code execution``
313 * - Threat agent/Attacker
314 - ``PhysAcc``
315 * - Threat type
316 - ``Tampering``, ``Denial of service``, ``Code execution``
317 * - Impact
318 - An attacker could tamper with sensitive data, or could attack the system by injecting malicious data, which
319 could lead to malfunction, execution of malicious code, or using old state with known vulnerability.
320 * - Scoring/CVSS
321 - High, 7.3 `CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H>`_
322 * - Mitigation
323 - When designing the use case, storage services must be assessed to understand which protection type they can
324 implement (integrity, authenticity, confidentiality, rollback-protection). Sensitive data must be categorized
325 and mapped to the storage service which can provide the needed protection.
326
327 For example integrity can be safeguarded by using checksums. Authenticity by using digital signatures.
328 Confidentiality by using encryption. Rollback protection by using hardware backed nonce values.
329 * - Mitigation in place
330 - yes
331
332
333.. list-table::
334 :widths: 15,80
335
336 * - ID
337 - 7
338 * - Description
339 - Invalid or conflicting access to shared hardware.
340
341 * - Data flow
342 - DF6, DF7, DF9, DF10
343 * - Asset(s)
344 - ``Sensitive Data``, ``Denial of service``, ``Code execution``
345 * - Threat Agent/Attacker
346 - ``SClient``, ``NSClient``, ``HPComponent``
347 * - Threat type
348 - ``Tampering``, ``Information disclosure``, ``Denial of service``, ``Code execution``
349 * - Impact
350 - A trusted service relying on shared hardware usage might get compromised or misbehaving if other stakeholders
351 affect shared hardware in unexpected way.
352
353 * - Scoring/CVSS
354 - High, 7.0 `CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H>`_
355 * - Mitigation
356 - Access to peripherals must be limited to the smallest possible set of services. Ideally each peripheral should be
357 dedicated to a single trusted service and sharing of peripherals should be avoided is possible. If sharing can
358 not be avoided, a strict handover process shall be implemented to allow proper context switches, where hardware
359 state can be controlled.
360 * - Mitigation in place
361 - yes
362
363.. list-table::
364 :widths: 15,80
365
366 * - **ID**
367 - 8
368 * - Description
369 - Unauthenticated access to hardware.
370
371 A trusted service relying on hardware usage might get compromised or misbehaving if hardware state is
372 maliciously altered.
373 * - Data flow
374 - DF6, DF7, DF9, DF10
375 * - Asset(s)
376 - ``Sensitive Data``, ``Denial of service``, ``Code execution``
377 * - Threat Agent/Attacker
378 - ``SClient``, ``NSClient``, ``HPComponent``
379 * - Threat type
380 - ``Tampering``, ``Information disclosure``, ``Denial of service``, ``Code execution``
381 * - Impact
382 - An attacker may get access to sensitive data of might make a trusted service or the system enter an unusable
383 state by tampering with hardware peripherals.
384 * - Scoring/CVSS
385 - Medium, 6.4 `CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H>`_
386 * - Mitigation
387 - Access to peripherals must be limited to the smallest possible set of services. Ideally each peripheral should be
388 dedicated to a single trusted service, and sharing of peripherals should be avoided is possible. If sharing can
389 not be avoided, a strict handover process shall be implemented to allow proper context switches, where register
390 values can be controlled.
391 * - Mitigation in place
392 - yes
393
394
395.. list-table::
396 :widths: 15,80
397
398 * - **ID**
399 - 9
400 * - Description
401 - Unauthenticated access to sensitive data.
402 * - Data flow
403 - DF1, DF2, DF3, DF5
404 * - Asset(s)
405 - ``Sensitive Data``, ``Denial of service``
406 * - Threat Agent/Attacker
407 - ``SClient``, ``NSClient``, ``HPComponent``
408 * - Threat type
409 - ``Tampering``, ``Information disclosure``, ``Denial of service``
410 * - Impact
411 - A trusted service may manage data of multiple clients. Different clients shall not be able to access each
412 other's data unless in response to explicit request.
413 * - Scoring/CVSS
414 - Medium, 6.8 `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N>`_
415 * - Mitigation
416 - Trusted services must implement access control based on identification data provided by higher privileged
417 components (i.e. FF-A endpoint ID).
418 * - Mitigation in place
419 - yes
420
421
422--------------
423
424.. _Attachments:
425.. Rubric:: Attachments
426
427Source file of the `Data flow diagram`_. Please use the yEd_ for editing. :download:`./generic-data-flow.graphml`
428
429--------------
430
431.. _`Common Vulnerability Scoring System`: https://www.first.org/cvss/v3.1/specification-document
432.. _`Vulnerability Calculator`: https://www.first.org/cvss/calculator/3.1
433.. _`Severity Rating Scale`: https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale
434.. _`STRIDE threat analysis technique`: https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats#stride-model
435.. _yEd: https://www.yworks.com/products/yed
436
437*Copyright (c) 2022, Arm Limited and Contributors. All rights reserved.*
438
439SPDX-License-Identifier: BSD-3-Clause