Skip to content

S19.04: Threat model document #580

Description

@DavidCozens

Parent epic: #155

Deliver docs/security/threat-model.md per E19's (#155) outline. Cross-linked from SECURITY.md (S19.03).

Content

  • Library scope: what it does (RFC 5424/5426/6587/5425 formatting + transport) and does not (aggregation, storage, analysis, PII handling).
  • Trust boundaries: inside (library, caller, host process) vs outside (network, receiver, log storage); where attacker control starts.
  • Caller obligations: pre-resolved IPs for UDP; mTLS cert provisioning/validation per RFC 5425; log-content correctness; buffer sizing via the MAX_SIZE tunables; lifecycle management.
  • Protected against: malformed caller inputs (MISRA posture, no overflow by construction); network tampering (TLS); replay/eavesdropping (mTLS).
  • Not protected against: compromised calling process; side channels (timing/cache); crypto attacks on the underlying TLS impl; network DoS; log-content confidentiality.
  • Residual risks: non-constant-time formatting; library does not enforce max message size against the caller.
  • Threat actors: in scope — network MITM, passive eavesdroppers, malicious calling code (defends invariants where feasible); out of scope — physical attackers, nation-state exploitation of underlying TLS/OS.
  • Review policy: living document; reviewed when architecture changes (new transport, field type, platform).

Acceptance

docs/security/threat-model.md present and linked from SECURITY.md.

Metadata

Metadata

Assignees

No one assigned

    Labels

    storyStory issue

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions