mirror of
https://code.briarproject.org/briar/briar.git
synced 2026-02-11 18:29:05 +01:00
threat model
akwizgran edited this page 2022-09-30 11:56:32 +00:00
Briar Threat Model
The following model is informed by the Trike methodology. Threats are generated by applying each attacker's capabilities to each asset/action combination.
To keep the model tractable, the following aspects have been excluded:
- Traffic analysis of transports designed to be unlinkable, such as Tor
- Analysis of the social graph, such as finding nodes with a high degree or high centrality
- Aggregate metadata, such as the number of messages in a group or the volume of traffic between two users
- Intersection attacks (and related statistical attacks) to link users or Briar identities with other users or Briar identities
Scope
In scope
- Briar Android and desktop apps
- Tor, Bluetooth, and LAN transports
- Single Briar identity per user
- Single Briar identity per device
- Single device per user
- Creating a Briar identity
- Adding contacts via QR codes
- Introductions
  - Proposing/accepting/declining introductions
- Private messaging
  - Reading/writing private messages
- Forums
  - Creating forums
  - Sharing/accepting/declining forums
  - Reading/writing forum posts
  - Unsubscribing from forums
- Personal blogs
  - Sharing/accepting/declining blogs
  - Reading/writing/reblogging/commenting on blog posts
  - Unsubscribing from blogs
- RSS import
  - Importing feeds
  - Removing feeds
- Malware (excluding OS/hardware compromise)
In scope but not yet analysed
- Private groups
- Panic button
- Enabling/disabling transports
- Adding contacts remotely by exchanging links
- Removable drive transport
- Sharing the app via Wi-Fi hotspot
- Image attachments
- Multiple Briar identities per user
- Multiple Briar identities per device
- Multiple devices per user
Out of scope
- OS/hardware compromise
Actors
Roles
- User
- Contact (of a user)
- Mutual contact (of two users)
- Member (of a group)
Assets
- Content of a message
- Metadata of a message: origin, destination, timing, size
- Content of a communication stream
- Metadata of a communication stream: origin, destination, timing, size
- Social graph of users:
  - Existence of a contact relationship between two users
  - Number of a user's contacts
  - Number of two users' mutual contacts
  - Identities of a user's contacts
  - Identities of two users' mutual contacts
  - A user's membership in a group
- Social graph of Briar identities:
  - Existence of a contact relationship between two Briar identities
  - Number of a Briar identity's contacts
  - Number of two Briar identities' mutual contacts
  - Identities of a Briar identity's contacts
  - Identities of two Briar identities' mutual contacts
  - A Briar identity's membership in a group
- Which user owns a given Briar identity
- Which Briar identities a given user owns
- Which device a given Briar identity is stored on
- Which Briar identity is stored on a given device
- The fact that Briar is running on a given device
- The fact that a given user has a Briar identity
Adversaries
Other users
Capabilities:
- Forming contact relationships
- Introducing contacts
- Joining/leaving groups
- Sending/receiving messages
- Sending/receiving communication streams
Local network attackers
Capabilities:
- RF monitoring
- Internet uplink monitoring
- Location monitoring
- Blocking/modifying communication streams
- Malware installation via network
Global network attackers
Capabilities:
- RF monitoring
- Internet uplink monitoring
- Internet backbone monitoring
- Location monitoring
- Blocking/modifying communication streams
- Malware installation via network
Physical attackers
Capabilities:
- Physical surveillance
- Accessing device/app while signed in
- Coercing user to sign into device/app
- Taking images of device (filesystem, RAM, screenshots)
- Malware installation via physical access
Intended actions
Actor: Alice, a user
- Content of a message
  - Create: Allowed
  - Read: Allowed if Alice created the message. Allowed if the message has ever been shared with Alice
  - Update: Disallowed
  - Delete: Allowed for Alice's local copy of any message
- Metadata of a message
  - Create: Allowed
  - Read: Same rules as for content
  - Update: Disallowed
  - Delete: Same rules as for content
- Content of a communication stream
  - Create: Allowed
  - Read: Allowed if Alice created the stream. Allowed if Alice is the intended recipient of the stream
  - Update: Disallowed
  - Delete: Disallowed (no local copies are kept)
- Metadata of a communication stream
  - Create: Allowed
  - Read: Same rules as for content
  - Update: Disallowed
  - Delete: Disallowed (no local copies are kept)
- Existence of a contact relationship between two users
  - Create: Allowed if Alice is one of the users and the other user agrees (contact creation/introduction)
  - Read: Allowed if Alice is one of the users. Allowed if Alice and the users form an introduction triad. Allowed if Alice is a contact of one of the users, and that user proposes an introduction between Alice and the other user
  - Update: Disallowed (verifying contacts is out of scope)
  - Delete: Allowed if Alice is one of the users (contact deletion)
- Number of a user's contacts
  - Create: Allowed if Alice is the user and the number is zero (account creation)
  - Read: Allowed if Alice is the user. Allowed to read a lower bound using the rules for reading the existence of a contact relationship between users
  - Update: Allowed to increment/decrement using the rules for creating/deleting a contact relationship between users
  - Delete: Allowed if Alice is the user (account deletion)
- Number of two users' mutual contacts
  - Create: Allowed if Alice is one of the users and the number is zero (account creation)
  - Read: Allowed to read a lower bound using the rules for reading the existence of a contact relationship between users
  - Update: Allowed to increment if Alice is one of the users, and Alice is a contact of the other user, and the other user agrees, and the new mutual contact agrees (introduction). Allowed to decrement if Alice is one of the users, and Alice and the other user belong to an introduction triad (contact deletion)
  - Delete: Allowed if Alice is one of the users (account deletion)
- Identities of a user's contacts
  - Create: Allowed if Alice is the user and the set of contacts is empty (account creation)
  - Read: Allowed if Alice is the user. Allowed to read a subset using the rules for reading the existence of a contact relationship between users
  - Update: Allowed to add/subtract using the rules for creating/deleting a contact relationship between users
  - Delete: Allowed if Alice is the user (account deletion)
- Identities of two users' mutual contacts
  - Create: Allowed if Alice is one of the users and the set of mutual contacts is empty (account creation)
  - Read: Allowed to read a subset using the rules for reading the existence of a contact relationship between users
  - Update: Allowed to add if Alice is one of the users, and Alice is a contact of the other user, and the other user agrees, and the new mutual contact agrees (introduction). Allowed to subtract if Alice is one of the users, and Alice and the other user belong to an introduction triad (contact deletion)
  - Delete: Allowed if Alice is one of the users (account deletion)
- A user's participation in a group
  - Create: Allowed if Alice is the user, and either Alice created the group or the group has ever been shared with Alice
  - Read: Allowed if Alice is the user. Allowed if Alice belongs to the group and the group is defined to have two members. Allowed if a message signed by the user's Briar identity is sent to the group, following the rules for reading the metadata of a message and reading which user owns a Briar identity
  - Update: Disallowed
  - Delete: Allowed if Alice is the user
- Existence of a contact relationship between two Briar identities
  - Create: Allowed if Alice owns one of the Briar identities and the other owner agrees (contact creation/introduction)
  - Read: Allowed if Alice owns one of the Briar identities. Allowed if Alice and the owners form an introduction triad. Allowed if Alice is a contact of one of the owners, and that user proposes an introduction between Alice and the other owner
  - Update: Disallowed (verifying contacts is out of scope)
  - Delete: Allowed if Alice owns one of the Briar identities (contact deletion)
- Number of a Briar identity's contacts
  - Create: Allowed if Alice owns the Briar identity and the number is zero (account creation)
  - Read: Allowed if Alice owns the Briar identity. Allowed to read a lower bound using the rules for reading the existence of a contact relationship between Briar identities
  - Update: Allowed to increment/decrement using the rules for creating/deleting a contact relationship between Briar identities
  - Delete: Allowed if Alice owns the Briar identity (account deletion)
- Number of two Briar identities' mutual contacts
  - Create: Allowed if Alice owns one of the Briar identities and the number is zero (account creation)
  - Read: Allowed to read a lower bound using the rules for reading the existence of a contact relationship between Briar identities
  - Update: Allowed to increment if Alice owns one of the Briar identities, and Alice is a contact of the other owner, and the other owner agrees, and the new mutual contact agrees (introduction). Allowed to decrement if Alice owns one of the Briar identities, and Alice and the other owner belong to an introduction triad (contact deletion)
  - Delete: Allowed if Alice owns one of the Briar identities (account deletion)
- Identities of a Briar identity's contacts
  - Create: Allowed if Alice owns the Briar identity and the set of contacts is empty (account creation)
  - Read: Allowed if Alice owns the Briar identity. Allowed to read a subset using the rules for reading the existence of a contact relationship between Briar identities
  - Update: Allowed to add/subtract using the rules for creating/deleting a contact relationship between Briar identities
  - Delete: Allowed if Alice owns the Briar identity (account deletion)
- Identities of two Briar identities' mutual contacts
  - Create: Allowed if Alice owns one of the Briar identities and the set of mutual contacts is empty (account creation)
  - Read: Allowed to read a subset using the rules for reading the existence of a contact relationship between Briar identities
  - Update: Allowed to add if Alice owns one of the Briar identities, and Alice is a contact of the other owner, and the other owner agrees, and the new mutual contact agrees (introduction). Allowed to subtract if Alice owns one of the Briar identities, and Alice and the other owner belong to an introduction triad (contact deletion)
  - Delete: Allowed if Alice owns one of the Briar identities (account deletion)
- A Briar identity's participation in a group
  - Create: Allowed if Alice owns the Briar identity, and either Alice created the group or the group has ever been shared with Alice
  - Read: Allowed if Alice owns the Briar identity. Allowed if Alice belongs to the group and the group is defined to have two members. Allowed if a message signed by the Briar identity is sent to the group, following the rules for reading the metadata of a message
  - Update: Disallowed
  - Delete: Allowed if Alice owns the Briar identity
- Which user owns a Briar identity
  - Create: Allowed if Alice is the user and the Briar identity is being created (account creation)
  - Read: Allowed if Alice owns the Briar identity. Allowed if Alice is a contact of the owner
  - Update: Disallowed
  - Delete: Allowed if Alice owns the Briar identity (account deletion)
- Which Briar identity a user owns
  - Create: Allowed if Alice is the user and the Briar identity is being created (account creation)
  - Read: Allowed if Alice owns the Briar identity. Allowed if Alice is a contact of the owner
  - Update: Disallowed
  - Delete: Allowed if Alice owns the Briar identity (account deletion)
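The social-graph rules above can be made executable, which is a useful check that the "lower bound" and "subset" readings granted to an honest user really follow from the contact and introduction rules. The following is an added example, not Briar code; the users (Alice, Bob, Carol, Dave, Eve) and the sequence of introductions are a constructed scenario, and the data model is an assumption made for illustration.

```python
# Added example: an executable sketch of the "Intended actions" rules for the social graph
# of users. Not Briar code; the scenario and the data model are constructed for illustration.
from dataclasses import dataclass, field
from typing import FrozenSet, Set, Tuple


@dataclass
class SocialGraph:
    """Ground truth about what has happened between users; the rules are applied to this."""
    users: Set[str] = field(default_factory=set)
    contacts: Set[FrozenSet[str]] = field(default_factory=set)       # undirected contact edges
    triads: Set[FrozenSet[str]] = field(default_factory=set)         # completed introduction triads
    proposals: Set[Tuple[str, FrozenSet[str]]] = field(default_factory=set)  # (introducer, introducees)

    def add_contact(self, a: str, b: str) -> None:
        # Create: allowed if Alice is one of the users and the other user agrees (e.g. QR code exchange)
        self.users |= {a, b}
        self.contacts.add(frozenset((a, b)))

    def introduce(self, introducer: str, a: str, b: str, a_accepts: bool, b_accepts: bool) -> None:
        # Only an existing contact of both introducees can propose the introduction
        assert frozenset((introducer, a)) in self.contacts and frozenset((introducer, b)) in self.contacts
        # The proposal is itself an event: each introducee learns the introducer is a contact of the other
        self.proposals.add((introducer, frozenset((a, b))))
        if a_accepts and b_accepts:  # the mutual contact count only increments if both agree
            self.contacts.add(frozenset((a, b)))
            self.triads.add(frozenset((introducer, a, b)))


def can_read_contact(g: SocialGraph, alice: str, u: str, v: str) -> bool:
    """Read rule for 'existence of a contact relationship between two users'."""
    pair = frozenset((u, v))
    if pair not in g.contacts:
        return False                              # nothing to read: no such relationship
    if alice in pair:                             # Alice is one of the users
        return True
    if frozenset((alice, u, v)) in g.triads:      # Alice and the users form an introduction triad
        return True
    for introducer, introducees in g.proposals:   # a contact of Alice proposed an introduction
        if introducer in pair and introducees == (pair - {introducer}) | {alice}:
            return True
    return False


def known_contacts(g: SocialGraph, alice: str, u: str) -> Set[str]:
    """'Identities of a user's contacts': the full set for Alice herself, otherwise the readable subset."""
    return {v for v in g.users if v != u and can_read_contact(g, alice, u, v)}


def contacts_lower_bound(g: SocialGraph, alice: str, u: str) -> int:
    """'Number of a user's contacts': exact for Alice herself, a lower bound for anyone else."""
    return len(known_contacts(g, alice, u))


def mutual_contacts_lower_bound(g: SocialGraph, alice: str, u: str, v: str) -> int:
    """'Number of two users' mutual contacts': a lower bound from the relationships Alice can read."""
    return len(known_contacts(g, alice, u) & known_contacts(g, alice, v))


def scenario() -> SocialGraph:
    """Constructed scenario: Bob has four contacts and introduces Alice to two of them."""
    g = SocialGraph()
    for other in ("Alice", "Carol", "Dave", "Eve"):
        g.add_contact("Bob", other)
    g.introduce("Bob", "Alice", "Carol", True, True)   # accepted: Alice and Carol become contacts
    g.introduce("Bob", "Alice", "Dave", True, False)   # Dave declines, yet Alice learns Bob knows Dave
    return g


if __name__ == "__main__":
    g = scenario()
    print(known_contacts(g, "Alice", "Bob"))                                      # Eve stays hidden
    print(contacts_lower_bound(g, "Alice", "Bob"), "<=", contacts_lower_bound(g, "Bob", "Bob"))
    print(mutual_contacts_lower_bound(g, "Alice", "Bob", "Carol"))                # Alice herself
```

The declined introduction shows the point of the "proposes an introduction" clause: the relationship between introducer and introducee is disclosed by the proposal alone, so a user's contact count is readable as a lower bound by anyone who has been offered introductions to those contacts.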
Threats
Attacker: Lou, a local network attacker
- Content of a communication stream
  - Delete: Possible if the origin/destination is on Lou's network
- Metadata of a communication stream
  - Read: Possible to read the origin/destination if the transport is linkable and the origin/destination is on Lou's network
  - Update: Possible if the origin/destination is on Lou's network (spoofing addresses, truncating/extending/delaying the stream)
  - Delete: Possible if the origin/destination is on Lou's network
- Existence of a contact relationship between two users
  - Read: Possible if one of the users sends a stream to the other, and the transport is linkable, and the origin or destination is on Lou's network. Possible if the users add each other as contacts using Lou's network
- Number of a user's contacts
  - Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users
- Number of two users' mutual contacts
  - Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users
- Identities of a user's contacts
  - Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users
- Identities of two users' mutual contacts
  - Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users
- The fact that users have Briar identities and are running Briar
  - Read: Possible to observe users adding each other as contacts via the local network
Attacker: Rex, a remote network attacker
- Content of a communication stream
  - Delete: Possible if the stream crosses Rex's network
- Metadata of a communication stream
  - Read: Possible to read the origin and destination if the transport is linkable and the stream crosses Rex's network
  - Update: Possible if the stream crosses Rex's network (spoofing addresses, truncating/extending/delaying the stream)
  - Delete: Possible if the stream crosses Rex's network
- Existence of a contact relationship between two users
  - Read: Possible if one of the users sends a stream to the other, and the transport is linkable, and the stream crosses Rex's network
- Number of a user's contacts
  - Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users
- Number of two users' mutual contacts
  - Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users
- Identities of a user's contacts
  - Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users
- Identities of two users' mutual contacts
  - Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users
Attacker: Phil, a physical attacker
All actions on all assets are possible using the rules for Alice, if:
- Phil gets physical access to Alice's device, and
- Phil can unlock the device, and
- Phil can sign into Alice's account
Phil can unlock the device if:
- The device is already unlocked, or
- Phil observes Alice unlocking the device, or
- Phil can guess the device credentials, or
- Phil images the device, and
  - Phil can brute-force the device credentials
Phil can sign into Alice's account if:
- Alice is already signed in, or
- Phil observes Alice signing in, or
- Phil can guess the account credentials, or
- Phil images the device, and
  - Phil can brute-force the account credentials
- Existence of a contact relationship between two users
  - Read: Possible if Phil observes the users adding each other as contacts. Possible using the rules for Alice, and the rules for reading which user owns a Briar identity, if Phil observes Alice using the app
- Number of a user's contacts
  - Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users. Possible using the rules for Alice, if Phil observes Alice using the app
- Number of two users' mutual contacts
  - Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users. Possible to read a lower bound using the rules for Alice, if Phil observes Alice using the app
- Identities of a user's contacts
  - Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users. Possible using the rules for Alice, and the rules for reading which user owns a Briar identity, if Phil observes Alice using the app
- Identities of two users' mutual contacts
  - Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users. Possible to read a subset using the rules for Alice, if Phil observes Alice using the app
- A user's participation in a group
  - Read: Possible if Phil observes the user using the app. Possible using the rules for Alice, if Phil observes Alice using the app
- Existence of a contact relationship between two Briar identities
  - Read: Possible using the rules for reading the existence of a contact relationship between two users, and the rules for reading which user owns a Briar identity. Possible using the rules for Alice, if Phil observes Alice using the app
- Number of a Briar identity's contacts
  - Read: Possible using the rules for reading the number of a user's contacts, and the rules for reading which user owns a Briar identity. Possible using the rules for Alice, if Phil observes Alice using the app
- Number of two Briar identities' mutual contacts
  - Read: Possible using the rules for reading the number of two users' mutual contacts, and the rules for reading which user owns a Briar identity. Possible using the rules for Alice, if Phil observes Alice using the app
- Briar identities of a Briar identity's contacts
  - Read: Possible using the rules for reading the identities of a user's contacts, the rules for reading which user owns a Briar identity, and the rules for reading which Briar identity a user owns. Possible using the rules for Alice, if Phil observes Alice using the app
- Briar identities of two Briar identities' mutual contacts
  - Read: Possible using the rules for reading the identities of two users' mutual contacts, the rules for reading which user owns a Briar identity, and the rules for reading which Briar identity a user owns. Possible using the rules for Alice, if Phil observes Alice using the app
- A Briar identity's participation in a group
  - Read: Possible if Phil observes the Briar identity's owner using the app. Possible using the rules for Alice, if Phil observes Alice using the app
- Which user owns a Briar identity
  - Read: Possible if Phil observes the user using the app. Possible using the rules for Alice, if Phil observes Alice using the app
- Which Briar identity a user owns
  - Read: Possible if Phil observes the user using the app. Possible using the rules for Alice, if Phil observes Alice using the app