Skip to main content

Stronghold Threat Modeling

As a security software, Stronghold prevents attackers from accessing the secrets that it stores. Threat modeling is a systematic approach that tries to assess all the potential attack scenarios on software.

There are multiple steps to this process:

  1. Model your software.
  2. Define the assets and security property you protect.
  3. List potential threats using existing classification (STRIDE in our case).
  4. Propose mitigations to those threats

Stronghold’s Model

Stronghold is simple in concept; it is used to store secrets. These secrets should never be revealed, even to their owners. Users can interact with secrets through controlled methods called procedures.

Typical use of Stronghold

Typical use of Stronghold

  1. Generate a key in Stronghold.
  2. Use Stronghold procedures to use the key for encryption, decryption, signatures, etc.
  3. Store Stronghold state for future usage in permanent storage called Snapshot.

Model

Stronghold model

  • Users can only interact with secrets through the procedures API.
  • Users can only use procedures on the secrets they own
  • Procedures cannot reveal/temper secrets (can delete them though)
  • Secrets can be kept permanently in an encrypted form in a Snapshot (filesystem)

Assets

The sole asset of Stronghold is its secrets.

High Importance

  • Confidentiality: Secrets are never revealed.
  • IntegrityAssurance that the data stored in the ledger has not been tampered with or altered in any unauthorized way.: Secrets cannot be modified, only deleted.
  • Authentication: Only authorized users can interact with secrets,

Mid Importance

  • Availability: A user can interact with its secrets anytime.

Low Importance

  • Least privilege: There are no privileged users in Stronghold.
  • Non-repudiation: A user can't disprove that it has used a procedure on a secret.

Attack Surface

Stronghold defends against multiple types of attackers. Levels also represent how likely it is for an attacker to appear.

A type of attacker that we don't represent here but is also important comes from potential vulnerabilities in the tools used to build the software.

  • Bonus: Tools:
    • Packages.
    • Rust language.
    • Compilation.
    • Crypto algorithms used.

Potential threats STRIDE

We use the STRIDE threats classification. Stride is applied to all the types of attacks listed above. Mentions of WIP means that it is still "Work In Progress".

Level 1: Procedure API

AttackAttackRemediationSeverity
SpoofedAn unauthorized user executes proceduresWhen restoring Stronghold state from a snapshot a key is required to decrypt the snapshotHigh
TamperedSecrets are tampered with using proceduresProcedures are developed and audited by the team so they don't modify secretsHigh
RepudiatedA user is accused to have used secrets maliciously/incorrectlyLog all the procedures that have been processed (WIP)Low
Information DisclosureA secret is revealed through proceduresProcedures are developed and audited by the team to ensure they don't reveal secretsHigh
Denial of ServiceSpamming procedures to block the systemThis is the responsability of the software that usesMid
Elevation of PrivilegesNone, there are no privileged users in Stronghold

Level 2: Permanent Storage, File System

AttackAttackRemediationSeverity
SpoofedOS responsibility
TamperedFiles storing the secrets are modified. Secrets can be lost.Check the integrity of snapshot with a checksum. Keep an older snapshot to be able to restore the correct stateHigh
RepudiatedOS responsibility
Information DisclosureSnapshot content is readSnapshot content is encryptedHigh
Denial of ServiceHost file system is unavailable. Stronghold cannot commit its current state or load a previous stateStronghold can continue, but can't commitMid
Elevation of PrivilegesAttacker has elevated privilege on the host machine, and can read, write or delete snapshots on the file systemSame case as Tampered and Info Disclosure attacks, the snapshot is encrypted and can be restored if it has a valid checksumHigh

Level 3: Memory

AttackAttackRemediationSeverity
SpoofedOS responsibility
TamperedHost system gets its memory corrupted. Procedures will produce wrong outputs, so original data can be lostSecrets are backed by permanent a storage called Snapshot. User may use a previous snapshot to restore a previous stateHigh
RepudiatedOS responsibility
Information DisclosureSecrets are revealed through reading the memory directlySecrets are stored encrypted in the memory and are only decrypted for the minimum amount of time. Moreover the Boojum scheme protects encryption keys in memory.High
Denial of ServiceMemory is not accessible, preventing Stronghold from workingOS responsibilityMid
Elevation of PrivilegesAttacker has elevated privileges on the host machine and can access the secrets in StrongholdSame case as Tampered and Info Disclosure attacks, the snapshot is encrypted and can be restored if it has a valid checksumHigh

Level 4: Side-channels

AttackAttackRemediationSeverity
SpoofedNo potential attack
TamperedTamper memory using side-channelsRefer to memory and storage tablesHigh
RepudiatedNo potential attack
Information DisclosureSecrets are revealed through side-channelsMake sure the procedure are constant in time and energy usage (WIP). This also depends on the cryptographic implementation usedHigh
Denial of ServicePrevent normal behaviour of stronghold through side-channels such as electromagnetic wavesYou can't protect this from software, it is the host's responsibilityMid
Elevation of PrivilegesNo potential attack