From 33d5a67a40fbbf0b2454337b01b1f71801ed3509 Mon Sep 17 00:00:00 2001 From: Steve Lasker Date: Wed, 4 Mar 2020 17:43:51 -0800 Subject: [PATCH] Reformat to make markdown happy (#14) With this I can markdown threatmodel.md > threatmodel.html and get nice output. Signed-off-by: Serge Hallyn --- threatmodel.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/threatmodel.md b/threatmodel.md index e888f709..806f3e0b 100644 --- a/threatmodel.md +++ b/threatmodel.md @@ -1,9 +1,12 @@ ## Threat model + It is assumed that an attacker may perform one or more the following actions: + 1. intercept and alter network traffic 2. compromise some set of weak crypto algorithms which are supported in some legacy cases 3. compromise a repository, including gaining access to use any keys stored on the repository 4. compromise a signing key, for example due to malicious action or accidental disclosure by the key owner 5. compromise a step in the software supply chain. This can happen in many different ways, such as by gaining access to the server, compromising the software used in the step of the supply chain, passing different software to a subsequent step than what was intended, or causing an operator to make an error in a step. + While it is not always possible to protect against all scenarios, the system should to the extent possible mitigate and/or reduce the damage caused by a successful attack, detect the occurrence of an attack and notify appropriate parties, yet remain usable for parties operating the system. Furthermore, the system should recover from successful attacks in a way that presents low operational overhead and risk to users.