gitlord
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Code Issues 0 Releases 671 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1 Commit
842 Branches
288 MiB
 
 
 
 
 
 
Tree: 4f475c7697
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4f475c7697'
${ noResults }
synapse/docs/server-server/security-threat-model

142 lines
4.1 KiB
Raw Blame History 

  1. Overview

  2. ========

  3. 

  4. Scope

  5. -----

  6. 

  7. This document considers threats specific to the server to server federation 

  8. synapse protocol.

  9. 

  10. 

  11. Attacker

  12. --------

  13. 

  14. It is assumed that the attacker can see and manipulate all network traffic 

  15. between any of the servers and may be in control of one or more homeservers 

  16. participating in the federation protocol.

  17. 

  18. Threat Model

  19. ============

  20. 

  21. Denial of Service

  22. -----------------

  23. 

  24. The attacker could attempt to prevent delivery of messages to or from the 

  25. victim in order to:

  26. 

  27.     * Disrupt service or marketing campaign of a commercial competitor.

  28.     * Censor a discussion or censor a participant in a discussion.

  29.     * Perform general vandalism.

  30. 

  31. Threat: Resource Exhaustion

  32. ~~~~~~~~~~~~~~~~~~~~~~~~~~~

  33. 

  34. An attacker could cause the victims server to exhaust a particular resource 

  35. (e.g. open TCP connections, CPU, memory, disk storage)

  36. 

  37. Threat: Unrecoverable Consistency Violations

  38. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  39. 

  40. An attacker could send messages which created an unrecoverable "split-brain"

  41. state in the cluster such that the victim's servers could no longer dervive a

  42. consistent view of the chatroom state.

  43. 

  44. Threat: Bad History

  45. ~~~~~~~~~~~~~~~~~~~

  46. 

  47. An attacker could convince the victim to accept invalid messages which the 

  48. victim would then include in their view of the chatroom history. Other servers

  49. in the chatroom would reject the invalid messages and potentially reject the

  50. victims messages as well since they depended on the invalid messages.

  51. 

  52. Threat: Block Network Traffic

  53. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  54. 

  55. An attacker could try to firewall traffic between the victim's server and some

  56. or all of the other servers in the chatroom.

  57. 

  58. Threat: High Volume of Messages

  59. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  60. 

  61. An attacker could send large volumes of messages to a chatroom with the victim

  62. making the chatroom unusable.

  63. 

  64. Threat: Banning users without necessary authorisation

  65. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  66. 

  67. An attacker could attempt to ban a user from a chatroom with the necessary

  68. authorisation.

  69. 

  70. Spoofing

  71. --------

  72. 

  73. An attacker could try to send a message claiming to be from the victim without 

  74. the victim having sent the message in order to:

  75. 

  76.     * Impersonate the victim while performing illict activity.

  77.     * Obtain privileges of the victim.

  78. 

  79. Threat: Altering Message Contents

  80. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  81. 

  82. An attacker could try to alter the contents of an existing message from the 

  83. victim.

  84. 

  85. Threat: Fake Message "origin" Field

  86. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  87. 

  88. An attacker could try to send a new message purporting to be from the victim

  89. with a phony "origin" field.

  90. 

  91. Spamming

  92. --------

  93. 

  94. The attacker could try to send a high volume of solicicted or unsolicted 

  95. messages to the victim in order to:

  96.     

  97.     * Find victims for scams.

  98.     * Market unwanted products.

  99. 

  100. Threat: Unsoliticted Messages

  101. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  102. 

  103. An attacker could try to send messages to victims who do not wish to receive 

  104. them.

  105. 

  106. Threat: Abusive Messages

  107. ~~~~~~~~~~~~~~~~~~~~~~~~

  108. 

  109. An attacker could send abusive or threatening messages to the victim

  110. 

  111. Spying

  112. ------

  113. 

  114. The attacker could try to access message contents or metadata for messages sent

  115. by the victim or to the victim that were not intended to reach the attacker in

  116. order to:

  117. 

  118.     * Gain sensitive personal or commercial information.

  119.     * Impersonate the victim using credentials contained in the messages.

  120.       (e.g. password reset messages)

  121.     * Discover who the victim was talking to and when.

  122. 

  123. Threat: Disclosure during Transmission

  124. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  125. 

  126. An attacker could try to expose the message contents or metadata during 

  127. transmission between the servers.

  128. 

  129. Threat: Disclosure to Servers Outside Chatroom

  130. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  131. 

  132. An attacker could try to convince servers within a chatroom to send messages to

  133. a server it controls that was not authorised to be within the chatroom.

  134. 

  135. Threat: Disclosure to Servers Within Chatroom

  136. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  137. 

  138. An attacker could take control of a server within a chatroom to expose message

  139. contents or metadata for messages in that room.

  140.