|
|
## Briar Threat Model
|
|
|
|
|
|
The following model is informed by the Trike methodology. Threats are generated by applying each attackers' capabilities to each asset/action combination.
|
|
|
|
|
|
To keep the model tractable, the following aspects have been excluded:
|
|
|
* Traffic analysis of transports designed to be unlinkable, such as Tor
|
|
|
* Analysis of the social graph, such as finding nodes with high degree or high centrality
|
|
|
* Aggregate metadata, such as the number of messages in a group or volume of traffic between two users
|
|
|
* Intersection attacks (and related statistical attacks) to link users with nyms
|
|
|
|
|
|
### Scope
|
|
|
|
|
|
#### In scope
|
|
|
|
|
|
* Briar Android app
|
|
|
* Tor, Bluetooth and LAN transports
|
|
|
* Single nym per user
|
|
|
* Single device per user
|
|
|
* Creating an account and a nym
|
|
|
* Adding contacts via QR codes
|
|
|
* Introductions
|
|
|
* Proposing/accepting/declining introductions
|
|
|
* Private messaging
|
|
|
* Reading/writing private messages
|
|
|
* Forums
|
|
|
* Creating forums
|
|
|
* Sharing/accepting/declining forums
|
|
|
* Reading/writing forum posts
|
|
|
* Unsubscribing from forums
|
|
|
* Personal blogs
|
|
|
* Sharing/accepting/declining blogs
|
|
|
* Reading/writing/reblogging/commenting on blog posts
|
|
|
* Unsubscribing from blogs
|
|
|
* RSS import
|
|
|
* Importing feeds
|
|
|
* Removing feeds
|
|
|
* Malware (excluding OS/hardware compromise)
|
|
|
|
|
|
#### Out of scope
|
|
|
|
|
|
* Briar desktop app
|
|
|
* File, modem and WAN transports
|
|
|
* Multi-block messages
|
|
|
* Attachments
|
|
|
* Private groups
|
|
|
* Multiple nyms per user
|
|
|
* Multiple devices per user
|
|
|
* Adding contacts via Bluetooth discovery
|
|
|
* Verifying introduced contacts
|
|
|
* Anonymous forum posts
|
|
|
* Panic button
|
|
|
* Enabling/disabling transports
|
|
|
* Account backup and recovery
|
|
|
* Update mechanism
|
|
|
* Repeaters
|
|
|
* Other Bramble apps
|
|
|
* OS/hardware compromise
|
|
|
|
|
|
### Actors
|
|
|
|
|
|
#### Roles
|
|
|
|
|
|
* User
|
|
|
* Contact (of a user)
|
|
|
* Mutual contact (of two users)
|
|
|
* Member (of a group)
|
|
|
|
|
|
### Assets
|
|
|
|
|
|
* Content of a message
|
|
|
* Metadata of a message: origin, destination, timing, size
|
|
|
* Content of a communication stream
|
|
|
* Metadata of a communication stream: origin, destination, timing, size
|
|
|
* Social graph of users:
|
|
|
* Existence of a contact relationship between two users
|
|
|
* Number of a user's contacts
|
|
|
* Number of two users' mutual contacts
|
|
|
* Identities of a user's contacts
|
|
|
* Identities of two users' mutual contacts
|
|
|
* A user's participation in a group
|
|
|
* Social graph of nyms:
|
|
|
* Existence of a contact relationship between two nyms
|
|
|
* Number of a nym's contacts
|
|
|
* Number of two nyms' mutual contacts
|
|
|
* Identities of a nym's contacts
|
|
|
* Identities of two nyms' mutual contacts
|
|
|
* A nym's participation in a group
|
|
|
* Which user owns a nym
|
|
|
* Which nyms a user owns
|
|
|
|
|
|
### Adversaries
|
|
|
|
|
|
#### Other users
|
|
|
|
|
|
Capabilities:
|
|
|
* Forming contact relationships
|
|
|
* Introducing contacts
|
|
|
* Joining/leaving groups
|
|
|
* Sending/receiving messages
|
|
|
* Sending/receiving communication streams
|
|
|
|
|
|
#### Local network attackers
|
|
|
|
|
|
Capabilities:
|
|
|
* RF monitoring
|
|
|
* Uplink monitoring
|
|
|
* Location monitoring
|
|
|
* Blocking/modifying communication streams
|
|
|
* Malware installation via network
|
|
|
|
|
|
#### Global network attackers
|
|
|
|
|
|
Capabilities:
|
|
|
* RF monitoring
|
|
|
* Uplink monitoring
|
|
|
* Backbone monitoring
|
|
|
* Location monitoring
|
|
|
* Blocking/modifying communication streams
|
|
|
* Malware installation via network
|
|
|
|
|
|
#### Physical attackers
|
|
|
|
|
|
Capabilities:
|
|
|
* Physical surveillance
|
|
|
* Accessing device/app while signed in
|
|
|
* Coercing device/app sign in
|
|
|
* Taking image of device
|
|
|
* Malware installation via physical access
|
|
|
|
|
|
### Intended actions
|
|
|
|
|
|
#### Actor: Alice, a user
|
|
|
1. Content of a message
|
|
|
* Create: Allowed
|
|
|
* Read: Allowed if Alice created the message. Allowed if the message has ever been shared with Alice
|
|
|
* Update: Disallowed
|
|
|
* Delete: Allowed for Alice's local copy of any message
|
|
|
2. Metadata of a message
|
|
|
* Create: Allowed
|
|
|
* Read: Same rules as for content
|
|
|
* Update: Disallowed
|
|
|
* Delete: Same rules as for content
|
|
|
3. Content of a communication stream
|
|
|
* Create: Allowed
|
|
|
* Read: Allowed if Alice created the stream. Allowed if Alice is the intended recipient of the stream
|
|
|
* Update: Disallowed
|
|
|
* Delete: Disallowed (no local copies are kept)
|
|
|
4. Metadata of a communication stream
|
|
|
* Create: Allowed
|
|
|
* Read: Same rules as for content
|
|
|
* Update: Disallowed
|
|
|
* Delete: Disallowed (no local copies are kept)
|
|
|
5. Existence of a contact relationship between two users
|
|
|
* Create: Allowed if Alice is one of the users and the other user agrees (contact creation/introduction)
|
|
|
* Read: Allowed if Alice is one of the users. Allowed if Alice and the users form an introduction triad. Allowed if Alice is a contact of one of the users, and that user proposes an introduction between Alice and the other user
|
|
|
* Update: Disallowed (verifying contacts is out of scope)
|
|
|
* Delete: Allowed if Alice is one of the users (contact deletion)
|
|
|
6. Number of a user's contacts
|
|
|
* Create: Allowed if Alice is the user and the number is zero (account creation)
|
|
|
* Read: Allowed if Alice is the user. Allowed to read a lower bound using the rules for reading the existence of a contact relationship between users
|
|
|
* Update: Allowed to increment/decrement using the rules for creating/deleting a contact relationship between users
|
|
|
* Delete: Allowed if Alice is the user (account deletion)
|
|
|
7. Number of two users' mutual contacts
|
|
|
* Create: Allowed if Alice is one of the users and the number is zero (account creation)
|
|
|
* Read: Allowed to read a lower bound using the rules for reading the existence of a contact relationship between users
|
|
|
* Update: Allowed to increment if Alice is one of the users, and Alice is a contact of the other user, and the other user agrees, and the new mutual contact agrees (introduction). Allowed to decrement if Alice is one of the users, and Alice and the other user belong to an introduction triad (contact deletion)
|
|
|
* Delete: Allowed if Alice is one of the users (account deletion)
|
|
|
8. Identities of a user's contacts
|
|
|
* Create: Allowed if Alice is the user and the set of contacts is empty (account creation)
|
|
|
* Read: Allowed if Alice is the user. Allowed to read a subset using the rules for reading the existence of a contact relationship between users
|
|
|
* Update: Allowed to add/subtract using the rules for creating/deleting a contact relationship between users
|
|
|
* Delete: Allowed if Alice is the user (account deletion)
|
|
|
9. Identities of two users' mutual contacts
|
|
|
* Create: Allowed if Alice is one of the users and the set of mutual contacts is empty (account creation)
|
|
|
* Read: Allowed to read a subset using the rules for reading the existence of a contact relationship between users
|
|
|
* Update: Allowed to add if Alice is one of the users, and Alice is a contact of the other user, and the other user agrees, and the new mutual contact agrees (introduction). Allowed to subtract if Alice is one of the users, and Alice and the other user belong to an introduction triad (contact deletion)
|
|
|
* Delete: Allowed if Alice is one of the users (account deletion)
|
|
|
10. A user's participation in a group
|
|
|
* Create: Allowed if Alice is the user, and either Alice created the group or the group has ever been shared with Alice
|
|
|
* Read: Allowed if Alice is the user. Allowed if Alice belongs to the group and the group is defined to have two members. Allowed if a message signed by the user's nym is sent to the group, following the rules for reading the metadata of a message and reading which user owns a nym
|
|
|
* Update: Disallowed
|
|
|
* Delete: Allowed if Alice is the user
|
|
|
11. Existence of a contact relationship between two nyms:
|
|
|
* Create: Allowed if Alice owns one of the nyms and the other owner agrees (contact creation/introduction)
|
|
|
* Read: Allowed if Alice owns one of the nyms. Allowed if Alice and the owners form an introduction triad. Allowed if Alice is a contact of one of the owners, and that user proposes an introduction between Alice and the other owner
|
|
|
* Update: Disallowed (verifying contacts is out of scope)
|
|
|
* Delete: Allowed if Alice owns one of the nyms (contact deletion)
|
|
|
12. Number of a nym's contacts
|
|
|
* Create: Allowed if Alice owns the nym and the number is zero (account creation)
|
|
|
* Read: Allowed if Alice owns the nym. Allowed to read a lower bound using the rules for reading the existence of a contact relationship between nyms
|
|
|
* Update: Allowed to increment/decrement using the rules for creating/deleting a contact relationship between nyms
|
|
|
* Delete: Allowed if Alice owns the nym (account deletion)
|
|
|
13. Number of two nyms' mutual contacts
|
|
|
* Create: Allowed if Alice owns one of the nyms and the number is zero (account creation)
|
|
|
* Read: Allowed to read a lower bound using the rules for reading the existence of a contact relationship between nyms
|
|
|
* Update: Allowed to increment if Alice owns one of the nyms, and Alice is a contact of the other owner, and the other owner agrees, and the new mutual contact agrees (introduction). Allowed to decrement if Alice is owns one of the nyms, and Alice and the other owner belong to an introduction triad (contact deletion)
|
|
|
* Delete: Allowed if Alice owns one of the nyms (account deletion)
|
|
|
14. Identities of a nym's contacts
|
|
|
* Create: Allowed if Alice owns the nym and the set of contacts is empty (account creation)
|
|
|
* Read: Allowed if Alice owns the nym. Allowed to read a subset using the rules for reading the existence of a contact relationship between nyms
|
|
|
* Update: Allowed to add/subtract using the rules for creating/deleting a contact relationship between nyms
|
|
|
* Delete: Allowed if Alice owns the nym (account deletion)
|
|
|
15. Identities of two nyms' mutual contacts
|
|
|
* Create: Allowed if Alice owns one of the nyms and the set of mutual contacts is empty (account creation)
|
|
|
* Read: Allowed to read a subset using the rules for reading the existence of a contact relationship between nyms
|
|
|
* Update: Allowed to add if Alice owns one of the nyms, and Alice is a contact of the other owner, and the other owner agrees, and the new mutual contact agrees (introduction). Allowed to subtract if Alice owns one of the nyms, and Alice and the other owner belong to an introduction triad (contact deletion)
|
|
|
* Delete: Allowed if Alice owns one of the nyms (account deletion)
|
|
|
16. A nym's participation in a group
|
|
|
* Create: Allowed if Alice owns the nym, and either Alice created the group or the group has ever been shared with Alice
|
|
|
* Read: Allowed if Alice owns the nym. Allowed if Alice belongs to the group and the group is defined to have two members. Allowed if a message signed by the nym is sent to the group, following the rules for reading the metadata of a message
|
|
|
* Update: Disallowed
|
|
|
* Delete: Allowed if Alice owns the nym
|
|
|
17. Which user owns a nym
|
|
|
* Create: Allowed if Alice is the user and the nym is being created (account creation)
|
|
|
* Read: Allowed if Alice owns the nym. Allowed if Alice is a contact of the owner
|
|
|
* Update: Disallowed
|
|
|
* Delete: Allowed if Alice owns the nym (account deletion)
|
|
|
18. Which nym a user owns
|
|
|
* Create: Allowed if Alice is the user and the nym is being created (account creation)
|
|
|
* Read: Allowed if Alice owns the nym. Allowed if Alice is a contact of the owner
|
|
|
* Update: Disallowed
|
|
|
* Delete: Allowed if Alice owns the nym (account deletion)
|
|
|
|
|
|
### Threats
|
|
|
|
|
|
#### Attacker: Lou, a local network attacker
|
|
|
|
|
|
3. Content of a communication stream
|
|
|
* Delete: Possible if the origin/destination is on Lou's network
|
|
|
4. Metadata of a communication stream
|
|
|
* Read: Possible to read the origin/destination if the transport is linkable and the origin/destination is on Lou's network
|
|
|
* Update: Possible if the origin/destination is on Lou's network (delaying the stream)
|
|
|
* Delete: Possible if the origin/destination is on Lou's network
|
|
|
5. Existence of a contact relationship between two users
|
|
|
* Read: Possible if one of the users sends a stream to the other, and the transport is linkable, and the origin or destination is on Lou's network. Possible if the users add each other as contacts using Lou's network
|
|
|
6. Number of a user's contacts
|
|
|
* Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users
|
|
|
7. Number of two users' mutual contacts
|
|
|
* Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users
|
|
|
8. Identities of a user's contacts
|
|
|
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users
|
|
|
9. Identities of two users' mutual contacts
|
|
|
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users
|
|
|
|
|
|
#### Attacker: Rex, a remote network attacker
|
|
|
|
|
|
3. Content of a communication stream
|
|
|
* Delete: Possible if the stream crosses Rex's network
|
|
|
4. Metadata of a communication stream
|
|
|
* Read: Possible to read the origin and destination if the transport is linkable and the stream crosses Rex's network
|
|
|
* Update: Possible if the stream crosses Rex's network (delaying the stream)
|
|
|
* Delete: Possible if the stream crosses Rex's network
|
|
|
5. Existence of a contact relationship between two users
|
|
|
* Read: Possible if one of the users sends a stream to the other, and the transport is linkable, and the stream crosses Rex's network
|
|
|
6. Number of a user's contacts
|
|
|
* Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users
|
|
|
7. Number of two users' mutual contacts
|
|
|
* Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users
|
|
|
8. Identities of a user's contacts
|
|
|
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users
|
|
|
9. Identities of two users' mutual contacts
|
|
|
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users
|
|
|
|
|
|
#### Attacker: Phil, a physical attacker
|
|
|
|
|
|
All actions on all assets are possible using the rules for Alice, if:
|
|
|
* Phil gets physical access to Alice's device, and
|
|
|
* Phil can unlock the device, and
|
|
|
* Phil can sign into Alice's account
|
|
|
|
|
|
Phil can unlock the device if:
|
|
|
* The device is already unlocked, or
|
|
|
* Phil observes Alice unlocking the device, or
|
|
|
* Phil can guess the device credentials, or
|
|
|
* Phil images the device, and
|
|
|
* Phil can brute-force the device credentials
|
|
|
|
|
|
Phil can sign into Alice's account if:
|
|
|
* Alice is already signed in, or
|
|
|
* Phil observes Alice signing in, or
|
|
|
* Phil can guess the account credentials, or
|
|
|
* Phil images the device, and
|
|
|
* Phil can brute-force the account credentials
|
|
|
|
|
|
5. Existence of a contact relationship between two users
|
|
|
* Read: Possible if Phil observes the users adding each other as contacts. Possible using the rules for Alice, and the rules for reading which user owns a nym, if Phil observes Alice while she is signed in
|
|
|
|
|
|
6. Number of a user's contacts
|
|
|
* Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users. Possible using the rules for Alice, if Phil observes Alice while she is signed in
|
|
|
|
|
|
7. Number of two users' mutual contacts
|
|
|
* Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users. Possible to read a lower bound using the rules for Alice, if Phil observes Alice while she is signed in
|
|
|
|
|
|
8. Identities of a user's contacts
|
|
|
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users. Possible using the rules for Alice, and the rules for reading which user owns a nym, if Phil observes Alice while she is signed in
|
|
|
|
|
|
9. Identities of two users' mutual contacts
|
|
|
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users. Possible to read a subset using the rules for Alice, if Phil observes Alice while she is signed in
|
|
|
|
|
|
10. A user's participation in a group
|
|
|
* Read: Possible if Phil observes the user while she is signed in. Possible using the rules for Alice, if Phil observes Alice while she is signed in
|
|
|
|
|
|
11. Existence of a contact relationship between two nyms:
|
|
|
* Read: Possible using the rules for reading the existence of a contact relationship between two users, and the rules for reading which user owns a nym. Possible using the rules for Alice, if Phil observes Alice while she is signed in
|
|
|
|
|
|
12. Number of a nym's contacts
|
|
|
* Read: Possible using the rules for reading the number of a user's contacts, and the rules for reading which user owns a nym. Possible using the rules for Alice, if Phil observes Alice while she is signed in
|
|
|
|
|
|
13. Number of two nyms' mutual contacts
|
|
|
* Read: Possible using the rules for reading the number of two users' mutual contacts, and the rules for reading which user owns a nym. Possible using the rules for Alice ,if Phil observes Alice while she is signed in
|
|
|
|
|
|
14. Nyms of a nym's contacts
|
|
|
* Read: Possible using the rules for reading the identities of a user's contacts, the rules for reading which user owns a nym, and the rules for reading which nym a user owns. Possible using the rules for Alice, if Phil observes Alice while she is signed in
|
|
|
|
|
|
15. Nyms of two nyms' mutual contacts
|
|
|
* Read: Possible using the rules for reading the identities of two users' mutual contacts , the rules for reading which user owns a nym, and the rules for reading which nym a user owns. Possible using the rules for Alice, if Phil observes Alice while she is signed in
|
|
|
|
|
|
16. A nym's participation in a group
|
|
|
* Read: Possible if Phil observes the nym's owner while she is signed in. Possible using the rules for Alice, if Phil observes Alice while she is signed in
|
|
|
|
|
|
17. Which user owns a nym
|
|
|
* Read: Possible if Phil observes the user while she is signed in. Possible using the rules for Alice, if Phil observes Alice while she is signed in
|
|
|
|
|
|
18. Which nym a user owns
|
|
|
* Read: Possible if Phil observes the user while she is signed in. Possible using the rules for Alice, if Phil observes Alice while she is signed in |