# Threat model
This document is a threat model, based on the methodology presented by Eleanor
Saitta, that we as developers use as a guide in our development process. It may
not contain all the context needed to fully understand it; if clarifications are
needed, please ask us.

The methodology used is entirely manual, but is derived from
[Trike](https://www.octotrike.org/).
## Actors, Assets & Actions
### Actors
We model the following actors:
- System Admin: Administrator of the system running statime
- System User: Non-administrator user of the system running statime
- AML: PTP nodes on the Acceptable master list. This includes all ptp nodes if no acceptable master list is configured.
- Anonymous: PTP nodes not on the Acceptable master list
### Assets
We model the following assets:
- Clock: The system clock
- Configuration: The configuration of statime.
- Port state: The state of the individual PTP ports in the statime instance
### Actions
| Actor | Action | Clock | Configuration | Port state |
|---|---|---|---|---|
| System admin | Create | N/A | Always | N/A |
| System admin | Read | Always | Always | Always |
| System admin | Update | Always | Always | Always* |
| System admin | Delete | N/A | N/A | N/A |
| System User | Create | N/A | Never | N/A |
| System User | Read | Always | Sometimes | Sometimes |
| System User | Update | Never | Never | Never |
| System User | Delete | N/A | N/A | N/A |
| AML | Create | N/A | Never | N/A |
| AML | Read | Sometimes | Sometimes | Sometimes |
| AML | Update | Sometimes | Never | Sometimes |
| AML | Delete | N/A | N/A | N/A |
| Anonymous | Create | N/A | N/A | N/A |
| Anonymous | Read | Sometimes | Sometimes | Sometimes |
| Anonymous | Update | Never | Never | Never |
| Anonymous | Delete | N/A | N/A | N/A |
- AML nodes and Anonymous nodes may read clock, port state and some configuration values when the port they connect to is in the master state
- AML nodes may only update port state and clock when chosen as the best master by the BMCA
- System user may only read port state and configuration when allowed by system admin
- (*) System admin may update port state; however, this may result in unintended behaviour.
## Failure cases
| Asset | Action | Escalation of privilege | Denial of service |
|---|---|---|---|
| Clock | Create | N/A | N/A |
| Clock | Read | Low | Medium |
| Clock | Update | Critical | Medium |
| Clock | Delete | N/A | N/A |
| Configuration | Create | Critical | Low |
| Configuration | Read | Low | Low |
| Configuration | Update | Critical | Low |
| Configuration | Delete | Medium | Low |
| Port State | Create | N/A | N/A |
| Port State | Read | Low | Medium |
| Port State | Update | Critical | Medium |
| Port State | Delete | N/A | N/A |
## Security strategy
- Nodes with their clock identity not on the AML are not taken into account for the BMCA
- Time transmission messages are only accepted from the currently selected master
- Configuration files should not be world-writable
- A port marked master-only will never enter the slave state
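The four rules above can be encoded in a small port model. The following is an added example written for this document, not statime's own code: the types `Port`, `PortConfig`, `Announce`, the `run_bmca` and `accept_time_message` methods and the `config_mode_is_acceptable` function are all hypothetical names, and the "best master" comparison is reduced to the `priority1` field rather than the full BMCA dataset comparison. It shows how AML filtering happens before any comparison, how the master-only flag overrides a better foreign master, how time-transfer messages are tied to the currently selected master, and how a world-writable configuration file is rejected.

```rust
// Added example (not statime's code): a toy PTP port that applies the
// security strategy rules. All names are hypothetical.
use std::collections::HashSet;

/// 64-bit PTP clock identity as carried in PTP message headers.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct ClockIdentity(pub [u8; 8]);

/// Only the two port states the rules refer to.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum PortState {
    Master,
    Slave { master: ClockIdentity },
}

/// A received Announce message reduced to what this toy BMCA compares
/// (the real BMCA compares a full dataset; lower priority1 wins here).
#[derive(Clone, Copy, Debug)]
pub struct Announce {
    pub source: ClockIdentity,
    pub priority1: u8,
}

pub struct PortConfig {
    /// Acceptable master list; `None` means no list is configured and every node counts.
    pub acceptable_masters: Option<HashSet<ClockIdentity>>,
    /// A master-only port never enters the slave state.
    pub master_only: bool,
    /// priority1 of the local clock, used for "is the foreign master better than us".
    pub local_priority1: u8,
}

pub struct Port {
    pub config: PortConfig,
    pub state: PortState,
}

impl Port {
    pub fn new(config: PortConfig) -> Self {
        Port { config, state: PortState::Master }
    }

    /// Rule 1: a node is a BMCA candidate only if its clock identity is on the AML.
    pub fn is_bmca_candidate(&self, id: ClockIdentity) -> bool {
        match &self.config.acceptable_masters {
            None => true,
            Some(aml) => aml.contains(&id),
        }
    }

    /// Runs the simplified BMCA over received announces and returns the new state.
    pub fn run_bmca(&mut self, announces: &[Announce]) -> PortState {
        // Filter by AML before comparing anything, so non-listed nodes never influence the outcome.
        let best_foreign = announces
            .iter()
            .filter(|a| self.is_bmca_candidate(a.source))
            .min_by_key(|a| a.priority1);

        self.state = match best_foreign {
            // Rule 4: a master-only port ignores a better foreign master.
            Some(a) if a.priority1 < self.config.local_priority1 && !self.config.master_only => {
                PortState::Slave { master: a.source }
            }
            _ => PortState::Master,
        };
        self.state
    }

    /// Rule 2: time-transfer messages (Sync, Follow_Up, ...) are accepted only
    /// from the master currently selected on this port.
    pub fn accept_time_message(&self, source: ClockIdentity) -> bool {
        matches!(self.state, PortState::Slave { master } if master == source)
    }
}

/// Rule 3: reject a configuration file whose Unix mode has the "other write" bit.
/// Takes raw mode bits so it is testable offline; on Unix they come from
/// `std::os::unix::fs::PermissionsExt::mode()`.
pub fn config_mode_is_acceptable(mode: u32) -> bool {
    mode & 0o002 == 0
}

fn main() {
    // Constructed sample: A is on the AML, B is not but advertises a better priority.
    let a = ClockIdentity([1; 8]);
    let b = ClockIdentity([2; 8]);
    let mut port = Port::new(PortConfig {
        acceptable_masters: Some(HashSet::from([a])),
        master_only: false,
        local_priority1: 128,
    });
    let announces = [
        Announce { source: a, priority1: 100 },
        Announce { source: b, priority1: 50 },
    ];
    println!("state after BMCA: {:?}", port.run_bmca(&announces));
    println!("Sync from A accepted: {}", port.accept_time_message(a));
    println!("Sync from B accepted: {}", port.accept_time_message(b));
    println!("mode 0o644 acceptable: {}", config_mode_is_acceptable(0o644));
}
```

Note that B, although it advertises the lowest priority1, never becomes master because the AML filter runs before the comparison; with no AML configured it would win, and with `master_only` set the port stays master regardless of what is announced.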