Threat models over space and time: A case study of end‐to‐end‐encrypted messaging applications

Software: Practice and Experience Pub Date : 2024-05-22 DOI:10.1002/spe.3341

Partha Das Chowdhury, Maria Sameen, Jenny Blessing, Nicholas Boucher, Joseph Gardiner, Tom Burrows, Ross Anderson, Awais Rashid

{"title":"Threat models over space and time: A case study of end‐to‐end‐encrypted messaging applications","authors":"Partha Das Chowdhury, Maria Sameen, Jenny Blessing, Nicholas Boucher, Joseph Gardiner, Tom Burrows, Ross Anderson, Awais Rashid","doi":"10.1002/spe.3341","DOIUrl":null,"url":null,"abstract":"Threat modeling is one of the foundations of secure systems engineering and must take heed of the context within which systems operate. In this work, we explore the extent to which real‐world systems engineering reflects a changing threat context. We examine the desktop clients of six widely used end‐to‐end‐encrypted mobile messaging applications to understand the extent to which they adjusted their threat model over space (when enabling clients on new platforms, such as desktop clients) and time (as new threats emerged). We experimented with short‐lived adversarial access against these desktop clients and analyzed the results using two popular threat elicitation frameworks, STRIDE and LINDDUN. The results demonstrate that system designers need to track threats in the evolving context within which systems operate and, more importantly, mitigate them by rescoping trust boundaries so that they remain consistent with administrative boundaries. A nuanced understanding of the relationship between trust and administration is vital for robust security, including the provision of safe defaults.","PeriodicalId":21899,"journal":{"name":"Software: Practice and Experience","volume":"65 34","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Software: Practice and Experience","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1002/spe.3341","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Threat modeling is one of the foundations of secure systems engineering and must take heed of the context within which systems operate. In this work, we explore the extent to which real‐world systems engineering reflects a changing threat context. We examine the desktop clients of six widely used end‐to‐end‐encrypted mobile messaging applications to understand the extent to which they adjusted their threat model over space (when enabling clients on new platforms, such as desktop clients) and time (as new threats emerged). We experimented with short‐lived adversarial access against these desktop clients and analyzed the results using two popular threat elicitation frameworks, STRIDE and LINDDUN. The results demonstrate that system designers need to track threats in the evolving context within which systems operate and, more importantly, mitigate them by rescoping trust boundaries so that they remain consistent with administrative boundaries. A nuanced understanding of the relationship between trust and administration is vital for robust security, including the provision of safe defaults.

查看原文本刊更多论文

时空威胁模型：端到端加密信息应用案例研究

威胁建模是安全系统工程的基础之一，必须考虑到系统运行的环境。在这项工作中，我们探讨了现实世界的系统工程在多大程度上反映了不断变化的威胁环境。我们研究了六个广泛使用的端到端加密移动信息应用程序的桌面客户端，以了解它们在多大程度上随着空间（在新平台上启用客户端，如桌面客户端）和时间（新威胁出现时）调整了威胁模型。我们试验了针对这些桌面客户端的短时对抗访问，并使用两个流行的威胁诱发框架 STRIDE 和 LINDDUN 对结果进行了分析。结果表明，系统设计人员需要在系统运行的不断变化的环境中跟踪威胁，更重要的是，要通过重新划分信任边界来减轻威胁，使其与管理边界保持一致。对信任与管理之间关系的细致理解对强大的安全性至关重要，包括提供安全的默认设置。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Software: Practice and Experience

自引率

0.00%

发文量