9.1 KiB
Threat model
Introduction
The mta1_mkdf device is a platform for running secure applications in a restricted execution environment physically separate from the device host. The secure applications provide functionality and controlled access to derived secrets on the device. The purpose of the device is to solve typical end user authentication problems.
For more information about the mta1_mkdf, please see the mta1_mkdf System Description.
This document describes the threat model for the mta1_mkdf. Based on the system description and use cases, the threat model tries to capture and describe the threats that needs to be mitigated in order for the mta1_mkdf to meet its purpose and objectives.
Version information
The threat model applies to version one of the mta1_mkdf. The threat model will be updated as our knowledge and abilities progress and new versions are developed.
Version one
-
A publicly available, but limited device targeted for a select set of friendly, competent users.
-
Supports Linux and possibly MacOS as host
-
Used for a limited set of use cases, primarily for testing
-
Users are expected to:
- Note that a device is missing within 24 hours
- Note that a device has been physically tampered with
- Note that a device behaves in an unexpected way
Use cases for Version one
Time Based OTP (TOTP) Used at least once per day. Current time supplied by the host.
- The user connect the device to the host
- The user runs SW on the host to load the TOTP application
- The user provides its User Supplied Secret (USS) via host SW
- The user triggers a TOTP operation using host SW
- The user press the button on the device
- The device returns the calculated TOTP token
- SW on the host use the TOTP token to perform authentication for an application or target host
Ed25519 Signing Used at least once per day.
- The user connect the device to the host
- The user runs SW on the host to load the Ed25519 application
- The user triggers an Ed25519 signing operation using host SW. This also loads the message or hash to be signed
- The user press the button on the device
- The device returns the Ed25519 signature
- SW on the host use the signature for authentication, verification
SSH connect Used at least once per day.
- The user connect the device to the host
- The user runs SW on the host to load the SSH auth application
- The user provides its User Supplied Secret (USS) via host SW
- The user trigger a SSH connect operation from the host
- The user press the button on the device
- The device returns a SSH signature
- The SSH application on the host use the SSH signature for authentication to the remote SSH server
Version N
-
Publicly available devices for end users for which there are no expectation on knowledge or competence beyond normal IT usage skills
-
Used in normal IT systems, but also for more sensitive enterprise and operational use cases
Assumptions
-
There are no backdoors or vulnerabilities in Lattice iCE40 UltraPlus FPGA devices that allow access to internal configuration memory after the device has been locked.
-
The Project IceStorm toolchain, including YoSys and NextPnR generates a correct design, and also does not inject hardware exfiltration mechanisms in the generated bitstream.
-
There is no access to the contents of the internal, Non-Volatile Configuration Memory (NVM) from the FPGA fabric besides the configuration circuit.
-
Toolchain for development of FPGA HW, application_fpga FW does not contain backdoors etc.
-
The design including source code for FPGA, SDK, FW, boot SW, board design is open and published.
-
The end user is not an attacker. The end user at least doesn't knowingly aid, support the attacker in attacks on its device
Assets
-
UDS - Unique Device Secret. Provisioned and stored during device manufacturing. Never to be replaced during the life time of a given device. Used to derive application secrets. Must never leave the device. Mullvad must NOT store a copy of the UDS.
-
USS - User Supplied Secret. Provisioned by the application. May possibly be replaced many times. Supplied from the host to the device. Should not be revealed to a third party.
-
UDI - Unique Device ID. Provisioned and stored during device manufacturing. Never to be replaced or altered during the life time of a given device. May be copied, extracted, read from the device.
-
UDA - Unique Device Authentication Secret. Provisioned and stored during device manufacturing. Never to be replaced during the life time of a given device. Used to authenticate a specific device. Must never leave the device. Mullvad MUST have a copy of the UDA.
Threat Actors - The bad guys
Different actors have different reasons, access to competence, resources etc. This description tries to capture the possible attacks and attacks vectors through four synthetic threat actors.
0. Average Joe
- Curious opportunist
- No real competence, no resources beyond a personal computer
- No planning or preparation before an attack
- Prepared to invest little time (minutes) or resources - for example to connect a device found, try a few passwords
- End game is to gain access to possible information, resources unknown to the attacker before the attack is performed
1. The CCC Hacker
- Sympathetic to the goals of the project
- Wants to probe all parts and the system in a quest to determine how the device really works, use it in possibly different ways, find weaknesses (and get them fixed).
- Is possibly a user, but in this case not the legitimate end user
- Have a high level of competence
- Prepared to spend time to prepare and perform an attack. Possibly low effort over an extended period
- Access to compute resources. Possibly access to lab equipment
- Will try all possible SW and HW attack vectors. In and out of scope
- End game is to find flaws in threat model. Acquire knowledge and findings to produce an interesting talk at CCC, USENIX or Security Fest
2. vERyRevil
- Ransomware gang. Driven by short term financial gain
- Short term focus. Fastest possible access to economic assets
- Have, or can acquire high level of competence
- Have access to large amount of resources
- Have time and is prepared to spend time on preparations
- Short time to perform an attack. Will not persist for a long time
- Will do strict cost benefit-analysis to decide to perform, abort attacks if they don't work
- SW based attacks. Is assumed to remotely own the host
- Supply chain attacks on secure application, host application, SDK, infiltration of device and application development
- End game is to gain access, control over resources protected by the device. Resources that can be used as leverage for financial gain
4. APT4711
-
State actor
-
Interested in access to information, perform surveillance, and possibly control of the end user or resources
-
Long term focus. Attacks are discreet and persistent
-
Access to high competence
-
Access to very large amounts of resources
-
Prepared to invest a lot of time, effort to prepare and execute an attack
-
Prepared to perform physical visits (missions) at target (end user) as well as Mullvad or Mullvad suppliers in order to manipulate, steal, replace components, systems
-
SW based attacks. Is assumed to remotely own the host
-
Supply chain attacks - both on SW and HW, components
-
Supply chain attacks on application, host application, SDK, development
-
End game: Long term stealth presence providing access to information about the end user
Attacks in Scope
The following attacks are in scope for version one
-
All digital attacks from the host including but not limited to:
- The framing protocol and all recipients (endpoints)
- manipulation, fuzzing, injection, reordering and replay of any and all communication
- The framing protocol and all recipients (endpoints)
-
Time based side channel attacks on challenge-response device authentication
-
Time based side channel attacks on UDS based key derivation
-
Time based side channel attacks on secure applications developed by Mullvad
-
Supply chain physical attacks on devices provisioned by Mullvad
-
Decapping and physical probing on the FPGA
-
Supply chain attacks on Mullvad provided HW and SW design resources
Attacks out of scope
The following attacks are out of scope for version one
-
Electromagnetic-, power-, and optical-based fault injection attacks
-
Electromagnetic-based side channel, differential power analysis and correlation leakage attacks
Consequences - Game Over
The following Game Over Scenarios have been identified
- The attacker gains access to the UDS and the USS
- Requires replacement of the device with a new unit
Work In Progress
TODOs and random notes.
-
TODO: Mention and separately describe the NVCM and the CRAM.
-
TODO: Mention limitations related to EBR and SPRAM