Threat Model Name:
Owner:
Reviewer:
Contributors:
Description:
Assumptions:
External Dependencies:
Not Started | 0 |
Not Applicable | 9 |
Needs Investigation | 0 |
Mitigation Implemented | 17 |
Total | 26 |
Total Migrated | 0 |
Category: | Denial of Service happens when the process or a datastore is not able to service incoming requests or perform up to spec. |
Description: | An external threat agent prevents access to a data store on the other side of the trust boundary. |
Justification: | The LCM retries at a user-specified interval to fetch the latest configuration MOF; if it cannot connect, it keeps using its current configuration MOF. |
Category: | A user subject gains increased capability or privilege by taking advantage of an implementation bug. |
Description: | Python may be able to impersonate the context of omiagent (C/Python interface) in order to gain additional privilege. |
Justification: | Python runs as root, so there is no additional privilege it could gain by impersonating omiagent. |
Category: | Tampering is the act of altering the bits. Tampering with a process involves changing bits in the running process. Similarly, Tampering with a data flow involves changing bits on the wire or between two running processes. |
Description: | If omiagent (C/Python interface) is given access to memory, such as shared memory or pointers, or is given the ability to control what Python executes (for example, by passing back a function pointer), then omiagent (C/Python interface) can tamper with Python. Consider whether the function could work with less access to memory, such as passing data rather than pointers. Copy in the data provided, and then validate it. |
Justification: | omiagent is entirely controlled by the root process, so it can already modify the memory of any process on the system; access to Python's memory adds no capability. |
Category: | Tampering is the act of altering the bits. Tampering with a process involves changing bits in the running process. Similarly, Tampering with a data flow involves changing bits on the wire or between two running processes. |
Description: | Attackers who can send a series of packets can overlap data. For example, packet 1 may be 100 bytes starting at offset 0. Packet 2 may be 100 bytes starting at offset 25. Packet 2 will overwrite 75 bytes of packet 1. Ensure you reassemble data before filtering it, and ensure you explicitly handle these sorts of cases. A variant might be allowing offsets to be signed. |
Justification: | Only root can send data across the omiagent/Python communication layer. |
Category: | Tampering is the act of altering the bits. Tampering with a process involves changing bits in the running process. Similarly, Tampering with a data flow involves changing bits on the wire or between two running processes. |
Description: | Packets without sequence numbers or timestamps can be captured and replayed in a wide variety of ways. Use an anti-replay technique (investigate sequence numbers before timers) and a strong integrity technique. |
Justification: | Only root can send data across the omiagent/Python communication layer. |
Category: | Information disclosure happens when the information can be read by an unauthorized party. |
Description: | Improper data protection of Configuration MOF can allow an attacker to read information not intended for disclosure. Review authorization settings. |
Justification: | HTTPS (authenticated with certificates) communications are available for customers that wish to protect this information. |
Category: | Repudiation threats involve an adversary denying that something happened. |
Description: | omiserver (In Proc LCM) claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
Justification: | Users can use a firewall to restrict communication to the inside of the trust boundary, and omiserver logs all connections and their associated data. |
Category: | Tampering is the act of altering the bits. Tampering with a process involves changing bits in the running process. Similarly, Tampering with a data flow involves changing bits on the wire or between two running processes. |
Description: | If a dataflow contains JSON, JSON processing and hijacking threats may be exploited. |
Justification: | The JSON is carried in the HTTP content body. Only JSON that matches the expected sequence of key-value pairs is accepted, and it is parsed carefully. |
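The "only a sequence of key-value pairs, parsed carefully" rule above, as an added example in Python; this is illustrative code written for this page, not the omiserver parser, and the size bound, the scalar-only value rule and the sample bodies are assumptions made here.

```python
import json


class RejectedJson(ValueError):
    """Body is not the flat object of key-value pairs the channel accepts."""


# Assumed bound (the page states none): refuse oversized bodies before parsing.
MAX_BODY_BYTES = 64 * 1024

# Assumed value rule: JSON scalars only. Containers are refused because the
# channel carries a flat sequence of key-value pairs; floats are refused so
# that NaN/Infinity (which json.loads accepts by default) never get through.
SCALAR_TYPES = (str, int, bool, type(None))


def _reject_duplicate_keys(pairs):
    """object_pairs_hook: json.loads would silently keep the last of two equal
    keys, letting a second value slip past a filter that only saw the first."""
    result = {}
    for key, value in pairs:
        if key in result:
            raise RejectedJson("duplicate key: %r" % key)
        result[key] = value
    return result


def parse_kv_json(body, allowed_keys=None):
    """Parse an HTTP content body into a dict, or raise RejectedJson.

    allowed_keys (optional) is the set of keys the caller expects; any other
    key is refused so unknown fields cannot reach later processing.
    """
    if not isinstance(body, bytes) or len(body) > MAX_BODY_BYTES:
        raise RejectedJson("body missing or too large")
    try:
        text = body.decode("utf-8")          # strict decode: bad UTF-8 raises
    except UnicodeDecodeError as exc:
        raise RejectedJson("body is not UTF-8") from exc
    try:
        obj = json.loads(text, object_pairs_hook=_reject_duplicate_keys)
    except json.JSONDecodeError as exc:
        raise RejectedJson("malformed JSON: %s" % exc.msg) from exc
    except RecursionError as exc:
        raise RejectedJson("nesting too deep") from exc
    # JSON hijacking relies on a top-level array being a valid script; the
    # channel only ever carries an object, so anything else is refused.
    if not isinstance(obj, dict):
        raise RejectedJson("top level must be an object")
    for key, value in obj.items():
        if not key:
            raise RejectedJson("empty key")
        if allowed_keys is not None and key not in allowed_keys:
            raise RejectedJson("unexpected key: %r" % key)
        if not isinstance(value, SCALAR_TYPES):
            raise RejectedJson("value of %r must be a scalar" % key)
    return obj


def is_accepted(body, allowed_keys=None):
    """Accept/reject predicate over parse_kv_json, for filters and tests."""
    try:
        parse_kv_json(body, allowed_keys)
        return True
    except RejectedJson:
        return False


if __name__ == "__main__":
    # Constructed sample bodies: one acceptable, several that must be refused.
    print(parse_kv_json(b'{"ConfigurationName": "WebServer", "NodeId": "node-01"}'))
    for bad in (b'[{"a": "1"}]', b'{"a": {"b": "1"}}', b'{"a": "1", "a": "2"}',
                b'{"a": NaN}', b'\xff\xfe'):
        print(bad, "->", is_accepted(bad))
```

The duplicate-key hook and the top-level-object check are the two places a permissive `json.loads` call would have let hostile input through; everything after the parse is a shape check against what the channel is documented to carry.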
Category: | Spoofing is when a process or entity is something other than its claimed identity. Examples include substituting a process, a file, website or a network address. |
Description: | Configuration MOF may be spoofed by an attacker and this may lead to incorrect data delivered to omiserver (In Proc LCM). Consider using a standard authentication mechanism to identify the source data store. |
Justification: | Users who want authentication of this flow can configure HTTPS with client certificate authentication. |
Category: | Spoofing is when a process or entity is something other than its claimed identity. Examples include substituting a process, a file, website or a network address. |
Description: | omiserver (In Proc LCM) may be spoofed by an attacker and this may lead to information disclosure by Configuration MOF. Consider using a standard authentication mechanism to identify the source process. |
Justification: | Users who want authentication of this flow can configure HTTPS with client certificate authentication. |
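The pull-side behaviour the justifications describe (HTTPS with server verification and an optional client certificate; keep the current MOF when the pull server cannot be reached; record the source, time and a summary of what was received) as one added example in Python. This is illustrative code written for this page, not the LCM's implementation; the URL, certificate paths and the stand-in pull server are assumptions made here.

```python
import hashlib
import ssl
import time
import urllib.request

# Assumed deployment values (not from the page).
PULL_URL = "https://pullserver.example.com/configs/node-01.mof"
CA_BUNDLE = "/etc/opt/omi/ssl/pullserver-ca.pem"   # CA that issued the pull server's cert
CLIENT_CERT = "/etc/opt/omi/ssl/node-01.pem"       # this node's client certificate
CLIENT_KEY = "/etc/opt/omi/ssl/node-01.key"        # its private key (root-readable only)


def make_tls_context(ca_bundle=CA_BUNDLE, client_cert=None, client_key=None):
    """Server-authenticated TLS 1.2+; presents a client certificate when given."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # refuse a server whose chain does not verify
    ctx.check_hostname = True             # or whose certificate does not match the host
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def https_fetch(url, ctx, timeout=30.0):
    """Transport: one HTTPS GET under the hardened context; raises OSError on failure."""
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


def refresh_mof(url, current_mof, ctx=None, fetch=https_fetch, now=time.time):
    """One pull attempt in the LCM's style.

    Returns (mof_to_apply, updated, audit). On any transport or TLS failure the
    current MOF is kept and the failure is recorded, so an unreachable or
    spoofed pull server costs at most one missed refresh.
    """
    if not url.lower().startswith("https://"):
        # Plain HTTP would expose the configuration to anyone on the path.
        raise ValueError("pull URL must use https://")
    if ctx is None:
        ctx = make_tls_context()          # a missing CA bundle fails loudly here
    audit = {"source": url, "time": now()}
    try:
        body = fetch(url, ctx)
    except OSError as exc:                # URLError, SSLError, timeouts, refused connections
        audit["result"] = "failed: %r" % (exc,)
        return current_mof, False, audit
    audit["result"] = "ok"
    audit["sha256"] = hashlib.sha256(body).hexdigest()   # summary of what was received
    return body, True, audit


# Constructed stand-in for a pull server, so the flow can be run offline:
# serves a fixed MOF for node-01 and refuses every other URL.
SAMPLE_MOF = b'instance of OMI_ConfigurationDocument { Version = "2.0.0"; };\n'


def fake_pull_server(url, ctx):
    if "node-01" in url:
        return SAMPLE_MOF
    raise ConnectionRefusedError("stand-in pull server: no route to host")


if __name__ == "__main__":
    ctx = make_tls_context(ca_bundle=None)   # system trust store for the demo
    print(refresh_mof(PULL_URL, b"<current mof>", ctx=ctx, fetch=fake_pull_server))
    print(refresh_mof("https://pullserver.example.com/configs/node-02.mof",
                      b"<current mof>", ctx=ctx, fetch=fake_pull_server))
```

`refresh_mof` deliberately treats a failed TLS handshake the same as an unreachable server: a spoofed pull server that cannot present a certificate chaining to the configured CA simply never gets to deliver a MOF, and the node keeps applying the configuration it already has.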
Category: | Denial of Service happens when the process or a datastore is not able to service incoming requests or perform up to spec. |
Description: | omiserver (In Proc LCM) crashes, halts, stops or runs slowly; in all cases violating an availability metric. |
Justification: | If omiserver crashes, the service manager restarts it, and the Consistency Engine resumes where it left off the next time cron runs it. |
Category: | Denial of Service happens when the process or a datastore is not able to service incoming requests or perform up to spec. |
Description: | An external threat agent interrupts data flowing across a trust boundary in either direction. |
Justification: | The LCM fails the Apply Configuration step and retries on its next scheduled attempt to fetch the configuration MOF. |
Category: | Denial of Service happens when the process or a datastore is not able to service incoming requests or perform up to spec. |
Description: | An external threat agent prevents access to a data store on the other side of the trust boundary. |
Justification: | The LCM fails the Apply Configuration step and retries on its next scheduled attempt to fetch the configuration MOF. |
Category: | A user subject gains increased capability or privilege by taking advantage of an implementation bug. |
Description: | Configuration MOF may be able to remotely execute code for omiserver (In Proc LCM). |
Justification: | The configuration MOF is data that is parsed, not code that is executed. |
Category: | A user subject gains increased capability or privilege by taking advantage of an implementation bug. |
Description: | An attacker may pass data into omiserver (In Proc LCM) in order to change the flow of program execution within omiserver (In Proc LCM) to the attacker's choosing. |
Justification: | This is intended: the data in the configuration MOF describes the sequence of actions to take on the system running the LCM. It is mitigated by the authentication mechanisms in place; use HTTPS with certificate authentication if this is a concern. |
Category: | A user subject gains increased capability or privilege by taking advantage of an implementation bug. |
Description: | An attacker may pass data into omiserver (In Proc LCM) in order to change the flow of program execution within omiserver (In Proc LCM) to the attacker's choosing. |
Justification: | This is intended: the data in the configuration MOF describes the sequence of actions to take on the system running the LCM. It is mitigated by the authentication mechanisms in place; use HTTPS with certificate authentication if this is a concern. |
Category: | A user subject gains increased capability or privilege by taking advantage of an implementation bug. |
Description: | Configuration MOF may be able to remotely execute code for omiserver (In Proc LCM). |
Justification: | The configuration MOF is data that is parsed, not code that is executed. |
Category: | Denial of Service happens when the process or a datastore is not able to service incoming requests or perform up to spec. |
Description: | An external threat agent prevents access to a data store on the other side of the trust boundary. |
Justification: | The LCM fails the Apply Configuration step and retries on its next scheduled attempt to fetch the configuration MOF. |
Category: | Denial of Service happens when the process or a datastore is not able to service incoming requests or perform up to spec. |
Description: | An external threat agent interrupts data flowing across a trust boundary in either direction. |
Justification: | The LCM fails the Apply Configuration step and retries on its next scheduled attempt to fetch the configuration MOF. |
Category: | Denial of Service happens when the process or a datastore is not able to service incoming requests or perform up to spec. |
Description: | omiserver (In Proc LCM) crashes, halts, stops or runs slowly; in all cases violating an availability metric. |
Justification: | If omiserver crashes, the service manager restarts it, and the Consistency Engine resumes where it left off the next time cron runs it. |
Category: | Information disclosure happens when the information can be read by an unauthorized party. |
Description: | Improper data protection of Configuration MOF can allow an attacker to read information not intended for disclosure. Review authorization settings. |
Justification: | HTTPS (authenticated with certificates) communications are available for customers that wish to protect this information. |
Category: | Repudiation threats involve an adversary denying that something happened. |
Description: | omiserver (In Proc LCM) claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
Justification: | Users can use a firewall to restrict communication to the inside of the trust boundary, and omiserver logs all connections and their associated data. |
Category: | Spoofing is when a process or entity is something other than its claimed identity. Examples include substituting a process, a file, website or a network address. |
Description: | Configuration MOF may be spoofed by an attacker and this may lead to incorrect data delivered to omiserver (In Proc LCM). Consider using a standard authentication mechanism to identify the source data store. |
Justification: | Users who want authentication of this flow can configure HTTPS with client certificate authentication. |
Category: | A user subject gains increased capability or privilege by taking advantage of an implementation bug. |
Description: | omiagent (C/Python interface) may be able to impersonate the context of Python in order to gain additional privilege. |
Justification: | omiagent runs as root, so there is no additional privilege it could gain by impersonating Python. |
Category: | Information disclosure happens when the information can be read by an unauthorized party. |
Description: | Custom authentication schemes are susceptible to common weaknesses such as weak credential change management, credential equivalence, easily guessable credentials, null credentials, and authentication downgrade. Consider the impact and potential mitigations for your custom authentication scheme. |
Justification: | The communication layer, Python, and omiagent are all controlled only by root, so only an administrator can view or modify the data. |
Category: | Tampering is the act of altering the bits. Tampering with a process involves changing bits in the running process. Similarly, Tampering with a data flow involves changing bits on the wire or between two running processes. |
Description: | If Python is given access to memory, such as shared memory or pointers, or is given the ability to control what omiagent (C/Python interface) executes (for example, by passing back a function pointer), then Python can tamper with omiagent (C/Python interface). Consider whether the function could work with less access to memory, such as passing data rather than pointers. Copy in the data provided, and then validate it. |
Justification: | Python and omiagent are both running as root. |