docs(threat-model): broaden the scope of threat #05

- Cite crash reports as an example of sensitive information. Previously, it might have sounded like this was the focus of the threat. - Warn about logging high-precision timing information, as well as conditionally logging (potentially nonsensitive) information depending on sensitive information. Change-Id: I33232dcb1e4b5c81efd4cd621b24ab5ac7b58685 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
2022-05-16 13:57:38 +02:00 · 2022-05-16 13:57:38 +02:00 · 0677796cb6
parent 7e32cdb21e
commit 0677796cb6
1 changed files with 24 additions and 11 deletions
--- a/docs/threat_model/threat_model.rst
+++ b/docs/threat_model/threat_model.rst
@ -463,18 +463,25 @@ These are highlighted in the ``Mitigations implemented?`` box.
 +------------------------+---------------------------------------------------+
 | ID                     | 05                                                |
 +========================+===================================================+
-| Threat                 | | **Information leak via UART logs such as        |
+| Threat                 | | **Information leak via UART logs**              |
 |                        |   crashes**                                       |
 |                        |                                                   |
 |                        | | During the development stages of software it is |
-|                        |   common to include crash reports with detailed   |
+|                        |   common to print all sorts of information on the |
-|                        |   information of the CPU state including current  |
+|                        |   console, including sensitive or confidential    |
-|                        |   values of the registers, privilege level and    |
+|                        |   information such as crash reports with detailed |
-|                        |   stack dumps. This information is useful when    |
+|                        |   information of the CPU state, current registers |
-|                        |   debugging problems before releasing the         |
+|                        |   values, privilege level or stack dumps.         |
-|                        |   production version, but it could be used by an  |
+|                        |                                                   |
-|                        |   attacker to develop a working exploit if left   |
+|                        | | This information is useful when debugging       |
-|                        |   in the production version.                      |
+|                        |   problems before releasing the production        |
 |                        |   version but it could be used by an attacker     |
 |                        |   to develop a working exploit if left enabled in |
 |                        |   the production version.                         |
 |                        |                                                   |
 |                        | | This happens when directly logging sensitive    |
 |                        |   information and more subtly when logging        |
 |                        |   side-channel information that can be used by an |
 |                        |   attacker to learn about sensitive information.  |
 +------------------------+---------------------------------------------------+
 | Diagram Elements       | DF2                                               |
 +------------------------+---------------------------------------------------+
@ -495,7 +502,13 @@ These are highlighted in the ``Mitigations implemented?`` box.
 +------------------------+------------------+----------------+---------------+
 | Total Risk Rating      | N/A              | Medium (8)     | Medium (8)    |
 +------------------------+------------------+----------------+---------------+
-| Mitigations            | Remove crash reports in production releases.      |
+| Mitigations            | | Remove sensitive information logging in         |
 |                        |   production releases.                            |
 |                        |                                                   |
 |                        | | Do not conditionally log information depending  |
 |                        |   on potentially sensitive data.                  |
 |                        |                                                   |
 |                        | | Do not log high precision timing information.   |
 +------------------------+---------------------------------------------------+
 | Mitigations            | | Yes / Platform Specific.                        |
 | implemented?           |   Requires the right build options to be used.    |