[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: i029 - thread models
What is the threat model around the current mechanism for protecting the integrity of the sequence? I've tried to reverse engineer a threat model; is the following accepted as one of the threats against the integrity of the sequence? Threat: Attacker inserts messages into a sequence created by another user. Attacker: Trusted co-user of system with target user. Motivation: Depends upon use case. Varies from a simple denial of service to unauthorized insertion of specific data into an application. Description: Alice and Bob have created sequences with a common service. Bob has the ability to either accurately guess the ID and current message number of Alice's sequence or Bob has the ability to snoop Alice's messages and observe the ID and current message number of Alice's sequence. Bob then proceeds to manufacture messages that contain a sequence header with Alice's sequence ID and the appropriate message number in that sequence. Since Bob is a trusted user of the system, these messages are permitted by whatever security mechanisms are in place to protect the service. Once these messages arrive at the RMD, it processes them as if they belonged to Alice's sequence. - g
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]