diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst index 072babc56..d7cbaf6b1 100644 --- a/docs/threat_model/threat_model.rst +++ b/docs/threat_model/threat_model.rst @@ -1,9 +1,10 @@ Generic Threat Model ******************** -************************ +************ Introduction -************************ +************ + This document provides a generic threat model for TF-A firmware. .. note:: @@ -11,9 +12,10 @@ This document provides a generic threat model for TF-A firmware. This threat model doesn't consider Root and Realm worlds introduced by :ref:`Realm Management Extension (RME)`. -************************ +******************** Target of Evaluation -************************ +******************** + In this threat model, the target of evaluation is the Trusted Firmware for A-class Processors (TF-A). This includes the boot ROM (BL1), the trusted boot firmware (BL2) and the runtime EL3 firmware (BL31) as @@ -35,7 +37,8 @@ assumptions: Secure-EL2 software. Data Flow Diagram -====================== +================= + Figure 1 shows a high-level data flow diagram for TF-A. The diagram shows a model of the different components of a TF-A-based system and their interactions with TF-A. A description of each diagram element 
@@ -51,26 +54,26 @@ are considered untrusted by TF-A. +-----------------+--------------------------------------------------------+ | Diagram Element | Description | +=================+========================================================+ - | ``DF1`` | | At boot time, images are loaded from non-volatile | + | DF1 | | At boot time, images are loaded from non-volatile | | | memory and verified by TF-A boot firmware. These | | | images include TF-A BL2 and BL31 images, as well as | | | other secure and non-secure images. | +-----------------+--------------------------------------------------------+ - | ``DF2`` | | TF-A log system framework outputs debug messages | + | DF2 | | TF-A log system framework outputs debug messages | | | over a UART interface. | +-----------------+--------------------------------------------------------+ - | ``DF3`` | | Debug and trace IP on a platform can allow access | + | DF3 | | Debug and trace IP on a platform can allow access | | | to registers and memory of TF-A. | +-----------------+--------------------------------------------------------+ - | ``DF4`` | | Secure world software (e.g. trusted OS) interact | + | DF4 | | Secure world software (e.g. trusted OS) interact | | | with TF-A through SMC call interface and/or shared | | | memory. | +-----------------+--------------------------------------------------------+ - | ``DF5`` | | Non-secure world software (e.g. rich OS) interact | + | DF5 | | Non-secure world software (e.g. rich OS) interact | | | with TF-A through SMC call interface and/or shared | | | memory. | +-----------------+--------------------------------------------------------+ - | ``DF6`` | | This path represents the interaction between TF-A and| + | DF6 | | This path represents the interaction between TF-A and| | | various hardware IPs such as TrustZone controller | | | and GIC. At boot time TF-A configures/initializes the| | | IPs and interacts with them at runtime through | 
@@ -78,9 +81,10 @@ are considered untrusted by TF-A. +-----------------+--------------------------------------------------------+ -********************* +*************** Threat Analysis -********************* +*************** + In this section we identify and provide assessment of potential threats to TF-A firmware. The threats are identified for each diagram element on the data flow diagram above. @@ -91,7 +95,8 @@ that represents the impact and likelihood of that threat. We also discuss potential mitigations. Assets -================== +====== + We have identified the following assets for TF-A: .. table:: Table 2: TF-A Assets 
@@ -99,21 +104,22 @@ We have identified the following assets for TF-A: +--------------------+---------------------------------------------------+ | Asset | Description | +====================+===================================================+ - | ``Sensitive Data`` | | These include sensitive data that an attacker | + | Sensitive Data | | These include sensitive data that an attacker | | | must not be able to tamper with (e.g. the Root | | | of Trust Public Key) or see (e.g. secure logs, | | | debugging information such as crash reports). | +--------------------+---------------------------------------------------+ - | ``Code Execution`` | | This represents the requirement that the | + | Code Execution | | This represents the requirement that the | | | platform should run only TF-A code approved by | | | the platform provider. | +--------------------+---------------------------------------------------+ - | ``Availability`` | | This represents the requirement that TF-A | + | Availability | | This represents the requirement that TF-A | | | services should always be available for use. | +--------------------+---------------------------------------------------+ Threat Agents -===================== +============= + To understand the attack surface, it is important to identify potential attackers, i.e. attack entry points. The following threat agents are in scope of this threat model. 
@@ -123,16 +129,16 @@ in scope of this threat model. +-------------------+-------------------------------------------------------+ | Threat Agent | Description | +===================+=======================================================+ - | ``NSCode`` | | Malicious or faulty code running in the Non-secure | + | NSCode | | Malicious or faulty code running in the Non-secure | | | world, including NS-EL0 NS-EL1 and NS-EL2 levels | +-------------------+-------------------------------------------------------+ - | ``SecCode`` | | Malicious or faulty code running in the secure | + | SecCode | | Malicious or faulty code running in the secure | | | world, including S-EL0 and S-EL1 levels | +-------------------+-------------------------------------------------------+ - | ``AppDebug`` | | Physical attacker using debug signals to access | + | AppDebug | | Physical attacker using debug signals to access | | | TF-A resources | +-------------------+-------------------------------------------------------+ - | ``PhysicalAccess``| | Physical attacker having access to external device | + | PhysicalAccess | | Physical attacker having access to external device | | | communication bus and to external flash | | | communication bus using common hardware | +-------------------+-------------------------------------------------------+ @@ -145,7 +151,8 @@ in scope of this threat model. considered out-of-scope. Threat Types -======================== +============ + In this threat model we categorize threats using the `STRIDE threat analysis technique`_. In this technique a threat is categorized as one or more of these types: ``Spoofing``, ``Tampering``, ``Repudiation``, 
@@ -153,7 +160,8 @@ or more of these types: ``Spoofing``, ``Tampering``, ``Repudiation``, ``Elevation of privilege``. Threat Risk Ratings -======================== +=================== + For each threat identified, a risk rating that ranges from *informational* to *critical* is given based on the likelihood of the threat occuring if a mitigation is not in place, and the impact of the @@ -165,7 +173,7 @@ rating in terms of score, impact and likelihood. +-----------------------+-------------------------+---------------------------+ | **Rating (Score)** | **Impact** | **Likelihood** | +=======================+=========================+===========================+ - | ``Critical (5)`` | | Extreme impact to | | Threat is almost | + | Critical (5) | | Extreme impact to | | Threat is almost | | | entire organization | certain to be exploited.| | | if exploited. | | | | | | Knowledge of the threat | 
@@ -173,17 +181,17 @@ rating in terms of score, impact and likelihood. | | | are in the public | | | | domain. | +-----------------------+-------------------------+---------------------------+ - | ``High (4)`` | | Major impact to entire| | Threat is relatively | + | High (4) | | Major impact to entire| | Threat is relatively | | | organization or single| easy to detect and | | | line of business if | exploit by an attacker | | | exploited | with little skill. | +-----------------------+-------------------------+---------------------------+ - | ``Medium (3)`` | | Noticeable impact to | | A knowledgeable insider | + | Medium (3) | | Noticeable impact to | | A knowledgeable insider | | | line of business if | or expert attacker could| | | exploited. | exploit the threat | | | | without much difficulty.| +-----------------------+-------------------------+---------------------------+ - | ``Low (2)`` | | Minor damage if | | Exploiting the threat | + | Low (2) | | Minor damage if | | Exploiting the threat | | | exploited or could | would require | | | be used in conjunction| considerable expertise | | | with other | and resources | @@ -191,7 +199,7 @@ rating in terms of score, impact and likelihood. | | perform a more serious| | | | attack | | +-----------------------+-------------------------+---------------------------+ - | ``Informational (1)`` | | Poor programming | | Threat is not likely | + | Informational (1) | | Poor programming | | Threat is not likely | | | practice or poor | to be exploited on its | | | design decision that | own, but may be used to | | | may not represent an | gain information for | 
@@ -235,14 +243,15 @@ In this threat model we consider three target environments: ``Internet of Things(IoT)``, ``Mobile`` and ``Server``. Threat Assessment -============================ +================= + The following threats were identified by applying STRIDE analysis on each diagram element of the data flow diagram. +------------------------+----------------------------------------------------+ | ID | 01 | +========================+====================================================+ -| ``Threat`` | | **An attacker can mangle firmware images to | +| Threat | | **An attacker can mangle firmware images to | | | execute arbitrary code** | | | | | | | Some TF-A images are loaded from external | 
@@ -252,26 +261,26 @@ each diagram element of the data flow diagram. | | updating mechanism to modify the non-volatile | | | images to execute arbitrary code. | +------------------------+----------------------------------------------------+ -| ``Diagram Elements`` | DF1, DF4, DF5 | +| Diagram Elements | DF1, DF4, DF5 | +------------------------+----------------------------------------------------+ -| ``Affected TF-A | BL2, BL31 | -| Components`` | | +| Affected TF-A | BL2, BL31 | +| Components | | +------------------------+----------------------------------------------------+ -| ``Assets`` | Code Execution | +| Assets | Code Execution | +------------------------+----------------------------------------------------+ -| ``Threat Agent`` | PhysicalAccess, NSCode, SecCode | +| Threat Agent | PhysicalAccess, NSCode, SecCode | +------------------------+----------------------------------------------------+ -| ``Threat Type`` | Tampering, Elevation of Privilege | +| Threat Type | Tampering, Elevation of Privilege | +------------------------+------------------+-----------------+---------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+------------------+-----------------+---------------+ -| ``Impact`` | Critical (5) | Critical (5) | Critical (5) | +| Impact | Critical (5) | Critical (5) | Critical (5) | +------------------------+------------------+-----------------+---------------+ -| ``Likelihood`` | Critical (5) | Critical (5) | Critical (5) | +| Likelihood | Critical (5) | Critical (5) | Critical (5) | +------------------------+------------------+-----------------+---------------+ -| ``Total Risk Rating`` | Critical (25) | Critical (25) | Critical (25) | +| Total Risk Rating | Critical (25) | Critical (25) | Critical (25) | +------------------------+------------------+-----------------+---------------+ -| ``Mitigations`` | | TF-A implements the `Trusted Board Boot (TBB)`_ | +| Mitigations 
| | TF-A implements the `Trusted Board Boot (TBB)`_ | | | feature which prevents malicious firmware from | | | running on the platform by authenticating all | | | firmware images. In addition to this, the TF-A | 
@@ -283,33 +292,33 @@ each diagram element of the data flow diagram. +------------------------+----------------------------------------------------+ | ID | 02 | +========================+====================================================+ -| ``Threat`` | | **An attacker may attempt to boot outdated, | +| Threat | | **An attacker may attempt to boot outdated, | | | potentially vulnerable firmware image** | | | | | | | When updating firmware, an attacker may attempt | | | to rollback to an older version that has unfixed | | | vulnerabilities. | +------------------------+----------------------------------------------------+ -| ``Diagram Elements`` | DF1, DF4, DF5 | +| Diagram Elements | DF1, DF4, DF5 | +------------------------+----------------------------------------------------+ -| ``Affected TF-A | BL2, BL31 | -| Components`` | | +| Affected TF-A | BL2, BL31 | +| Components | | +------------------------+----------------------------------------------------+ -| ``Assets`` | Code Execution | +| Assets | Code Execution | +------------------------+----------------------------------------------------+ -| ``Threat Agent`` | PhysicalAccess, NSCode, SecCode | +| Threat Agent | PhysicalAccess, NSCode, SecCode | +------------------------+----------------------------------------------------+ -| ``Threat Type`` | Tampering | +| Threat Type | Tampering | +------------------------+------------------+-----------------+---------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+------------------+-----------------+---------------+ -| ``Impact`` | Critical (5) | Critical (5) | Critical (5) | +| Impact | Critical (5) | Critical (5) | Critical (5) | +------------------------+------------------+-----------------+---------------+ -| ``Likelihood`` | Critical (5) | Critical (5) | Critical (5) | +| Likelihood | Critical (5) | Critical (5) | Critical (5) | 
+------------------------+------------------+-----------------+---------------+ -| ``Total Risk Rating`` | Critical (25) | Critical (25) | Critical (25) | +| Total Risk Rating | Critical (25) | Critical (25) | Critical (25) | +------------------------+------------------+-----------------+---------------+ -| ``Mitigations`` | | TF-A supports anti-rollback protection using | +| Mitigations | | TF-A supports anti-rollback protection using | | | non-volatile counters (NV counters) as required | | | by `TBBR-Client specification`_. After a firmware| | | image is validated, the image revision number | @@ -324,7 +333,7 @@ each diagram element of the data flow diagram. +------------------------+-------------------------------------------------------+ | ID | 03 | +========================+=======================================================+ -| ``Threat`` | | **An attacker can use Time-of-Check-Time-of-Use | +| Threat | | **An attacker can use Time-of-Check-Time-of-Use | | | (TOCTOU) attack to bypass image authentication | | | during the boot process** | | | | 
@@ -336,33 +345,33 @@ each diagram element of the data flow diagram. | | after the integrity and authentication check has | | | been performed. | +------------------------+-------------------------------------------------------+ -| ``Diagram Elements`` | DF1 | +| Diagram Elements | DF1 | +------------------------+-------------------------------------------------------+ -| ``Affected TF-A | BL1, BL2 | -| Components`` | | +| Affected TF-A | BL1, BL2 | +| Components | | +------------------------+-------------------------------------------------------+ -| ``Assets`` | Code Execution, Sensitive Data | +| Assets | Code Execution, Sensitive Data | +------------------------+-------------------------------------------------------+ -| ``Threat Agent`` | PhysicalAccess | +| Threat Agent | PhysicalAccess | +------------------------+-------------------------------------------------------+ -| ``Threat Type`` | Elevation of Privilege | +| Threat Type | Elevation of Privilege | +------------------------+---------------------+-----------------+---------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+---------------------+-----------------+---------------+ -| ``Impact`` | N/A | Critical (5) | Critical (5) | +| Impact | N/A | Critical (5) | Critical (5) | +------------------------+---------------------+-----------------+---------------+ -| ``Likelihood`` | N/A | Medium (3) | Medium (3) | +| Likelihood | N/A | Medium (3) | Medium (3) | +------------------------+---------------------+-----------------+---------------+ -| ``Total Risk Rating`` | N/A | High (15) | High (15) | +| Total Risk Rating | N/A | High (15) | High (15) | +------------------------+---------------------+-----------------+---------------+ -| ``Mitigations`` | | TF-A boot firmware copies image to on-chip | +| Mitigations | | TF-A boot firmware copies image to on-chip | | | memory before authenticating an image. 
| +------------------------+-------------------------------------------------------+ +------------------------+-------------------------------------------------------+ | ID | 04 | +========================+=======================================================+ -| ``Threat`` | | **An attacker with physical access can execute | +| Threat | | **An attacker with physical access can execute | | | arbitrary image by bypassing the signature | | | verification stage using glitching techniques** | | | | 
@@ -381,26 +390,26 @@ each diagram element of the data flow diagram. | | points where the image is validated against the | | | signature. | +------------------------+-------------------------------------------------------+ -| ``Diagram Elements`` | DF1 | +| Diagram Elements | DF1 | +------------------------+-------------------------------------------------------+ -| ``Affected TF-A | BL1, BL2 | -| Components`` | | +| Affected TF-A | BL1, BL2 | +| Components | | +------------------------+-------------------------------------------------------+ -| ``Assets`` | Code Execution | +| Assets | Code Execution | +------------------------+-------------------------------------------------------+ -| ``Threat Agent`` | PhysicalAccess | +| Threat Agent | PhysicalAccess | +------------------------+-------------------------------------------------------+ -| ``Threat Type`` | Tampering, Elevation of Privilege | +| Threat Type | Tampering, Elevation of Privilege | +------------------------+---------------------+-----------------+---------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+---------------------+-----------------+---------------+ -| ``Impact`` | N/A | Critical (5) | Critical (5) | +| Impact | N/A | Critical (5) | Critical (5) | +------------------------+---------------------+-----------------+---------------+ -| ``Likelihood`` | N/A | Medium (3) | Medium (3) | +| Likelihood | N/A | Medium (3) | Medium (3) | +------------------------+---------------------+-----------------+---------------+ -| ``Total Risk Rating`` | N/A | High (15) | High (15) | +| Total Risk Rating | N/A | High (15) | High (15) | +------------------------+---------------------+-----------------+---------------+ -| ``Mitigations`` | | The most effective mitigation is adding glitching | +| Mitigations | | The most effective mitigation is adding glitching | | | detection and mitigation circuit at the hardware | | | level. 
However, software techniques, | | | such as adding redundant checks when performing | @@ -413,7 +422,7 @@ each diagram element of the data flow diagram. +------------------------+---------------------------------------------------+ | ID | 05 | +========================+===================================================+ -| ``Threat`` | | **Information leak via UART logs such as | +| Threat | | **Information leak via UART logs such as | | | crashes** | | | | | | | During the development stages of software it is | 
@@ -426,26 +435,26 @@ each diagram element of the data flow diagram. | | attacker to develop a working exploit if left | | | in the production version. | +------------------------+---------------------------------------------------+ -| ``Diagram Elements`` | DF2 | +| Diagram Elements | DF2 | +------------------------+---------------------------------------------------+ -| ``Affected TF-A | BL1, BL2, BL31 | -| Components`` | | +| Affected TF-A | BL1, BL2, BL31 | +| Components | | +------------------------+---------------------------------------------------+ -| ``Assets`` | Sensitive Data | +| Assets | Sensitive Data | +------------------------+---------------------------------------------------+ -| ``Threat Agent`` | AppDebug | +| Threat Agent | AppDebug | +------------------------+---------------------------------------------------+ -| ``Threat Type`` | Information Disclosure | +| Threat Type | Information Disclosure | +------------------------+------------------+----------------+---------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+------------------+----------------+---------------+ -| ``Impact`` | N/A | Low (2) | Low (2) | +| Impact | N/A | Low (2) | Low (2) | +------------------------+------------------+----------------+---------------+ -| ``Likelihood`` | N/A | High (4) | High (4) | +| Likelihood | N/A | High (4) | High (4) | +------------------------+------------------+----------------+---------------+ -| ``Total Risk Rating`` | N/A | Medium (8) | Medium (8) | +| Total Risk Rating | N/A | Medium (8) | Medium (8) | +------------------------+------------------+----------------+---------------+ -| ``Mitigations`` | | In TF-A, crash reporting is only enabled for | +| Mitigations | | In TF-A, crash reporting is only enabled for | | | debug builds by default. 
Alternatively, the log | | | level can be tuned at build time (from verbose | | | to no output at all), independently of the | @@ -455,7 +464,7 @@ each diagram element of the data flow diagram. +------------------------+----------------------------------------------------+ | ID | 06 | +========================+====================================================+ -| ``Threat`` | | **An attacker can read sensitive data and | +| Threat | | **An attacker can read sensitive data and | | | execute arbitrary code through the external | | | debug and trace interface** | | | | 
@@ -468,27 +477,27 @@ each diagram element of the data flow diagram. | | attacker to read sensitive data and execute | | | arbitrary code. | +------------------------+----------------------------------------------------+ -| ``Diagram Elements`` | DF3 | +| Diagram Elements | DF3 | +------------------------+----------------------------------------------------+ -| ``Affected TF-A | BL1, BL2, BL31 | -| Components`` | | +| Affected TF-A | BL1, BL2, BL31 | +| Components | | +------------------------+----------------------------------------------------+ -| ``Assets`` | Code Execution, Sensitive Data | +| Assets | Code Execution, Sensitive Data | +------------------------+----------------------------------------------------+ -| ``Threat Agent`` | AppDebug | +| Threat Agent | AppDebug | +------------------------+----------------------------------------------------+ -| ``Threat Type`` | Tampering, Information Disclosure, | +| Threat Type | Tampering, Information Disclosure, | | | Elevation of privilege | +------------------------+------------------+---------------+-----------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+------------------+---------------+-----------------+ -| ``Impact`` | N/A | High (4) | High (4) | +| Impact | N/A | High (4) | High (4) | +------------------------+------------------+---------------+-----------------+ -| ``Likelihood`` | N/A | Critical (5) | Critical (5) | +| Likelihood | N/A | Critical (5) | Critical (5) | +------------------------+------------------+---------------+-----------------+ -| ``Total Risk Rating`` | N/A | Critical (20) | Critical (20) | +| Total Risk Rating | N/A | Critical (20) | Critical (20) | +------------------------+------------------+---------------+-----------------+ -| ``Mitigations`` | | Configuration of debug and trace capabilities is | +| Mitigations | | Configuration of debug and trace capabilities is | | | platform specific. 
Therefore, platforms must | | | disable the debug and trace capability for | | | production releases or enable proper debug | @@ -498,7 +507,7 @@ each diagram element of the data flow diagram. +------------------------+------------------------------------------------------+ | ID | 07 | +========================+======================================================+ -| ``Threat`` | | **An attacker can perform a denial-of-service | +| Threat | | **An attacker can perform a denial-of-service | | | attack by using a broken SMC call that causes the | | | system to reboot or enter into unknown state.** | | | | 
@@ -508,26 +517,26 @@ each diagram element of the data flow diagram. | | by calling unimplemented SMC call or by passing | | | invalid arguments. | +------------------------+------------------------------------------------------+ -| ``Diagram Elements`` | DF4, DF5 | +| Diagram Elements | DF4, DF5 | +------------------------+------------------------------------------------------+ -| ``Affected TF-A | BL31 | -| Components`` | | +| Affected TF-A | BL31 | +| Components | | +------------------------+------------------------------------------------------+ -| ``Assets`` | Availability | +| Assets | Availability | +------------------------+------------------------------------------------------+ -| ``Threat Agent`` | NSCode, SecCode | +| Threat Agent | NSCode, SecCode | +------------------------+------------------------------------------------------+ -| ``Threat Type`` | Denial of Service | +| Threat Type | Denial of Service | +------------------------+-------------------+----------------+-----------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+-------------------+----------------+-----------------+ -| ``Impact`` | Medium (3) | Medium (3) | Medium (3) | +| Impact | Medium (3) | Medium (3) | Medium (3) | +------------------------+-------------------+----------------+-----------------+ -| ``Likelihood`` | High (4) | High (4) | High (4) | +| Likelihood | High (4) | High (4) | High (4) | +------------------------+-------------------+----------------+-----------------+ -| ``Total Risk Rating`` | High (12) | High (12) | High (12) | +| Total Risk Rating | High (12) | High (12) | High (12) | +------------------------+-------------------+----------------+-----------------+ -| ``Mitigations`` | | The generic TF-A code validates SMC function ids | +| Mitigations | | The generic TF-A code validates SMC function ids | | | and arguments before using them. 
| | | Platforms that implement SiP services must also | | | validate SMC call arguments. | @@ -536,7 +545,7 @@ each diagram element of the data flow diagram. +------------------------+------------------------------------------------------+ | ID | 08 | +========================+======================================================+ -| ``Threat`` | | **Memory corruption due to memory overflows and | +| Threat | | **Memory corruption due to memory overflows and | | | lack of boundary checking when accessing resources | | | could allow an attacker to execute arbitrary code, | | | modify some state variable to change the normal | 
@@ -558,27 +567,27 @@ each diagram element of the data flow diagram. | | validations might also result in these kinds of | | | errors in release builds. | +------------------------+------------------------------------------------------+ -| ``Diagram Elements`` | DF4, DF5 | +| Diagram Elements | DF4, DF5 | +------------------------+------------------------------------------------------+ -| ``Affected TF-A | BL1, BL2, BL31 | -| Components`` | | +| Affected TF-A | BL1, BL2, BL31 | +| Components | | +------------------------+------------------------------------------------------+ -| ``Assets`` | Code Execution, Sensitive Data | +| Assets | Code Execution, Sensitive Data | +------------------------+------------------------------------------------------+ -| ``Threat Agent`` | NSCode, SecCode | +| Threat Agent | NSCode, SecCode | +------------------------+------------------------------------------------------+ -| ``Threat Type`` | Tampering, Information Disclosure, | +| Threat Type | Tampering, Information Disclosure, | | | Elevation of Privilege | +------------------------+-------------------+-----------------+----------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+-------------------+-----------------+----------------+ -| ``Impact`` | Critical (5) | Critical (5) | Critical (5) | +| Impact | Critical (5) | Critical (5) | Critical (5) | +------------------------+-------------------+-----------------+----------------+ -| ``Likelihood`` | Medium (3 | Medium (3) | Medium (3) | +| Likelihood | Medium (3 | Medium (3) | Medium (3) | +------------------------+-------------------+-----------------+----------------+ -| ``Total Risk Rating`` | High (15) | High (15) | High (15) | +| Total Risk Rating | High (15) | High (15) | High (15) | +------------------------+-------------------+-----------------+----------------+ -| ``Mitigations`` | | TF-A uses a combination of manual code reviews and | +| 
Mitigations | | TF-A uses a combination of manual code reviews and | | | automated program analysis and testing to detect | | | and fix memory corruption bugs. All TF-A code | | | including platform code go through manual code | @@ -607,7 +616,7 @@ each diagram element of the data flow diagram. +------------------------+------------------------------------------------------+ | ID | 09 | +========================+======================================================+ -| ``Threat`` | | **Improperly handled SMC calls can leak register | +| Threat | | **Improperly handled SMC calls can leak register | | | contents** | | | | | | | When switching between secure and non-secure | 
@@ -615,26 +624,26 @@ each diagram element of the data flow diagram. | | register contents of other normal world clients | | | can be leaked. | +------------------------+------------------------------------------------------+ -| ``Diagram Elements`` | DF5 | +| Diagram Elements | DF5 | +------------------------+------------------------------------------------------+ -| ``Affected TF-A | BL31 | -| Components`` | | +| Affected TF-A | BL31 | +| Components | | +------------------------+------------------------------------------------------+ -| ``Assets`` | Sensitive Data | +| Assets | Sensitive Data | +------------------------+------------------------------------------------------+ -| ``Threat Agent`` | NSCode | +| Threat Agent | NSCode | +------------------------+------------------------------------------------------+ -| ``Threat Type`` | Information Disclosure | +| Threat Type | Information Disclosure | +------------------------+-------------------+----------------+-----------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+-------------------+----------------+-----------------+ -| ``Impact`` | Medium (3) | Medium (3) | Medium (3) | +| Impact | Medium (3) | Medium (3) | Medium (3) | +------------------------+-------------------+----------------+-----------------+ -| ``Likelihood`` | High (4) | High (4) | High (4) | +| Likelihood | High (4) | High (4) | High (4) | +------------------------+-------------------+----------------+-----------------+ -| ``Total Risk Rating`` | High (12) | High (12) | High (12) | +| Total Risk Rating | High (12) | High (12) | High (12) | +------------------------+-------------------+----------------+-----------------+ -| ``Mitigations`` | | TF-A saves and restores registers | +| Mitigations | | TF-A saves and restores registers | | | by default when switching contexts. 
Build options | | | are also provided to save/restore additional | | | registers such as floating-point registers. | @@ -643,7 +652,7 @@ each diagram element of the data flow diagram. +------------------------+-----------------------------------------------------+ | ID | 10 | +========================+=====================================================+ -| ``Threat`` | | **SMC calls can leak sensitive information from | +| Threat | | **SMC calls can leak sensitive information from | | | TF-A memory via microarchitectural side channels**| | | | | | | Microarchitectural side-channel attacks such as | 
@@ -652,26 +661,26 @@ each diagram element of the data flow diagram. | | use this kind of attack to leak sensitive | | | data from TF-A memory. | +------------------------+-----------------------------------------------------+ -| ``Diagram Elements`` | DF4, DF5 | +| Diagram Elements | DF4, DF5 | +------------------------+-----------------------------------------------------+ -| ``Affected TF-A | BL31 | -| Components`` | | +| Affected TF-A | BL31 | +| Components | | +------------------------+-----------------------------------------------------+ -| ``Assets`` | Sensitive Data | +| Assets | Sensitive Data | +------------------------+-----------------------------------------------------+ -| ``Threat Agent`` | SecCode, NSCode | +| Threat Agent | SecCode, NSCode | +------------------------+-----------------------------------------------------+ -| ``Threat Type`` | Information Disclosure | +| Threat Type | Information Disclosure | +------------------------+-------------------+----------------+----------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+-------------------+----------------+----------------+ -| ``Impact`` | Medium (3) | Medium (3) | Medium (3) | +| Impact | Medium (3) | Medium (3) | Medium (3) | +------------------------+-------------------+----------------+----------------+ -| ``Likelihood`` | Medium (3) | Medium (3) | Medium (3) | +| Likelihood | Medium (3) | Medium (3) | Medium (3) | +------------------------+-------------------+----------------+----------------+ -| ``Total Risk Rating`` | Medium (9) | Medium (9) | Medium (9) | +| Total Risk Rating | Medium (9) | Medium (9) | Medium (9) | +------------------------+-------------------+----------------+----------------+ -| ``Mitigations`` | | TF-A implements software mitigations for Spectre | +| Mitigations | | TF-A implements software mitigations for Spectre | | | type attacks as recommended by `Cache Speculation | | | 
Side-channels`_ for the generic code. SiPs should | | | implement similar mitigations for code that is | @@ -681,7 +690,7 @@ each diagram element of the data flow diagram. +------------------------+----------------------------------------------------+ | ID | 11 | +========================+====================================================+ -| ``Threat`` | | **Misconfiguration of the Memory Management Unit | +| Threat | | **Misconfiguration of the Memory Management Unit | | | (MMU) may allow a normal world software to | | | access sensitive data or execute arbitrary | | | code** | 
@@ -692,26 +701,26 @@ each diagram element of the data flow diagram. | | execute code if the proper security mechanisms | | | are not in place. | +------------------------+----------------------------------------------------+ -| ``Diagram Elements`` | DF5, DF6 | +| Diagram Elements | DF5, DF6 | +------------------------+----------------------------------------------------+ -| ``Affected TF-A | BL1, BL2, BL31 | -| Components`` | | +| Affected TF-A | BL1, BL2, BL31 | +| Components | | +------------------------+----------------------------------------------------+ -| ``Assets`` | Sensitive Data, Code execution | +| Assets | Sensitive Data, Code execution | +------------------------+----------------------------------------------------+ -| ``Threat Agent`` | NSCode | +| Threat Agent | NSCode | +------------------------+----------------------------------------------------+ -| ``Threat Type`` | Information Disclosure, Elevation of Privilege | +| Threat Type | Information Disclosure, Elevation of Privilege | +------------------------+-----------------+-----------------+----------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+-----------------+-----------------+----------------+ -| ``Impact`` | Critical (5) | Critical (5) | Critical (5) | +| Impact | Critical (5) | Critical (5) | Critical (5) | +------------------------+-----------------+-----------------+----------------+ -| ``Likelihood`` | High (4) | High (4) | High (4) | +| Likelihood | High (4) | High (4) | High (4) | +------------------------+-----------------+-----------------+----------------+ -| ``Total Risk Rating`` | Critical (20) | Critical (20) | Critical (20) | +| Total Risk Rating | Critical (20) | Critical (20) | Critical (20) | +------------------------+-----------------+-----------------+----------------+ -| ``Mitigations`` | | In TF-A, configuration of the MMU is done | +| Mitigations | | In TF-A, configuration of the MMU 
is done | | | through a translation tables library. The | | | library provides APIs to define memory regions | | | and assign attributes including memory types and | @@ -729,7 +738,7 @@ each diagram element of the data flow diagram. +------------------------+-----------------------------------------------------+ | ID | 12 | +========================+=====================================================+ -| ``Threat`` | | **Incorrect configuration of Performance Monitor | +| Threat | | **Incorrect configuration of Performance Monitor | | | Unit (PMU) counters can allow an attacker to | | | mount side-channel attacks using information | | | exposed by the counters** | 
@@ -741,24 +750,24 @@ each diagram element of the data flow diagram. | | software) to potentially carry out | | | side-channel timing attacks against TF-A. | +------------------------+-----------------------------------------------------+ -| ``Diagram Elements`` | DF5, DF6 | +| Diagram Elements | DF5, DF6 | +------------------------+-----------------------------------------------------+ -| ``Affected TF-A | BL31 | -| Components`` | | +| Affected TF-A | BL31 | +| Components | | +------------------------+-----------------------------------------------------+ -| ``Assets`` | Sensitive Data | +| Assets | Sensitive Data | +------------------------+-----------------------------------------------------+ -| ``Threat Agent`` | NSCode | +| Threat Agent | NSCode | +------------------------+-----------------------------------------------------+ -| ``Threat Type`` | Information Disclosure | +| Threat Type | Information Disclosure | +------------------------+-------------------+----------------+----------------+ -| ``Impact`` | Medium (3) | Medium (3) | Medium (3) | +| Impact | Medium (3) | Medium (3) | Medium (3) | +------------------------+-------------------+----------------+----------------+ -| ``Likelihood`` | Low (2) | Low (2) | Low (2) | +| Likelihood | Low (2) | Low (2) | Low (2) | +------------------------+-------------------+----------------+----------------+ -| ``Total Risk Rating`` | Medium (6) | Medium (6) | Medium (6) | +| Total Risk Rating | Medium (6) | Medium (6) | Medium (6) | +------------------------+-------------------+----------------+----------------+ -| ``Mitigations`` | | TF-A follows mitigation strategies as described | +| Mitigations | | TF-A follows mitigation strategies as described | | | in `Secure Development Guidelines`_. General | | | events and cycle counting in the Secure world is | | | prohibited by default when applicable. However, | 
@@ -774,7 +783,7 @@ each diagram element of the data flow diagram. -------------- -*Copyright (c) 2021, Arm Limited. All rights reserved.* +*Copyright (c) 2021-2022, Arm Limited. All rights reserved.* .. _STRIDE threat analysis technique: https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats#stride-model
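Review bot: in the threat 12 hunk (`@@ -741,24 +750,24 @@`) the table still lacks the `Application | Server | IoT | Mobile` header row that threats 9, 10 and 11 carry between `Threat Type` and `Impact`; the border that splits into three risk columns is followed directly by `| Impact | Medium (3) | Medium (3) | Medium (3) |`, so a reader cannot tell which column is which. Since this change is already touching every row label in that table, adding the header row (with the matching `+---+` border) as in the other three tables would bring it in line.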
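Review bot: dropping the double-backtick literals around the row labels is the right fix for the two-line `Affected TF-A` / `Components` cell in the threat 9, 10, 11 and 12 hunks, where the opening backticks sat on the first line of the cell and the closing ones on the second; a label is not a code identifier, and the other labels (`Diagram Elements`, `Assets`, `Threat Agent`, `Threat Type`, `Mitigations`) and the `Server` / `IoT` / `Mobile` column headers are changed the same way, so the tables end up consistent. Worth checking in the rendered output that the cell borders still line up, since the replacement text is shorter than the original and the `|` positions must stay fixed for the grid table to parse.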