This document is a threat model, based on the methodology presented by Eleanor Saitta, that we as developers use as a guide in our development process. It may not contain all the context needed to fully understand it; if clarifications are needed, please ask us.
We model the following actors:
- System Admin: Administrator of the system running ntpd-rs
- System User: Non-administrator user of the system running ntpd-rs
- Reference Source: A remote time server we use as a source for our time.
- External Client: A remote user that is allowed to use this instance of ntpd-rs to receive time.
- Anonymous: Any other party
We model the following assets:
- Clock: The system clock
- Source configuration: The configuration on which sources to use, including some metadata on the current status of those sources
- Server configuration: The configuration on which interfaces to provide an NTP server on, and who can use those, including some metadata on the current server status.
The following table lists, per actor and asset, whether that actor is permitted to create, read, update or delete the asset:

| Actor | Asset | Create | Read | Update | Delete |
|---|---|---|---|---|---|
| System admin | Clock | N/A | Always | Always | N/A |
| System admin | Source configuration | Always | Always | Always | N/A |
| System admin | Server configuration | Always | Always | Always | N/A |
| System user | Clock | N/A | Always | Never | N/A |
| System user | Source configuration | Never | Sometimes | Never | N/A |
| System user | Server configuration | Never | Sometimes | Never | N/A |
| Reference source | Clock | N/A | Never | Sometimes | N/A |
| Reference source | Source configuration | Never | Never | Never | N/A |
| Reference source | Server configuration | Never | Never | Never | N/A |
| External client | Clock | N/A | Always | Never | N/A |
| External client | Source configuration | Never | Always | Never | N/A |
| External client | Server configuration | Never | Never | Never | N/A |
| Anonymous | Clock | N/A | Never | Never | N/A |
| Anonymous | Source configuration | Never | Never | Never | N/A |
| Anonymous | Server configuration | Never | Never | Never | N/A |
- Reference sources may update the Clock only when sufficiently many agree and don't exceed configured adjustment limits.
- System users may read configuration (both types) only when allowed by system admin.
The following table rates, per asset and operation, the severity of an escalation of privilege or a denial of service:

| Asset | Threat | Create | Read | Update | Delete |
|---|---|---|---|---|---|
| Clock | Escalation of Privilege | N/A | Low | Critical | N/A |
| Clock | Denial of Service | N/A | Medium | Medium | N/A |
| Source configuration | Escalation of Privilege | Critical | Medium | Critical | N/A |
| Source configuration | Denial of Service | N/A | Low | Low | N/A |
| Server configuration | Escalation of Privilege | Medium | Low | Medium | N/A |
| Server configuration | Denial of Service | N/A | Low | Low | N/A |
- If any actor tries to read the clock, the system will not respond with a valid time if the IP address is not on the configured allowlist
- If any actor tries to update the clock, the system tries to verify consensus among multiple reference sources
- If any actor tries to update the clock, the system refuses updates beyond a configured limit
- If the configuration file (used to create the configuration) is world-writable, the system will emit a warning
- If the configuration socket (used to update the configuration) is world-writable, the system will emit a warning
- The observability socket (used to read the configuration/status) is a unix socket, which is unreachable over the network by default
- If any actor tries to read the clock too often, the system will stop responding with a valid time to them
- The security boundaries between the admin and system users and ntpd-rs run through the unix sockets used for communication.
- The security boundaries for reference sources and external clients run through the network sockets used for communication.
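As an added illustration of the two clock-update mitigations listed above (consensus among multiple reference sources, and refusal of adjustments beyond a configured limit), the following Rust snippet shows one way such a gate can be expressed. It is example code, not ntpd-rs code; the `ClockPolicy` struct, its field names and the clustering rule are assumptions made for this example.

```rust
// Added example, not ntpd-rs code: a simplified gate deciding whether an
// adjustment may be applied to the system clock. Policy struct, field names
// and the clustering rule are assumptions made for this example.
#[derive(Debug, PartialEq)]
pub enum Decision {
    /// Consensus reached and within limits: apply this offset (seconds).
    Apply(f64),
    /// Too few reference sources agree on an offset; leave the clock alone.
    NoConsensus,
    /// Sources agree, but the offset exceeds the configured adjustment limit.
    ExceedsLimit(f64),
}

pub struct ClockPolicy {
    /// Minimum number of sources that must agree before the clock moves.
    pub min_agreeing: usize,
    /// Offsets within this spread (seconds) count as agreeing with each other.
    pub agreement_window: f64,
    /// Largest single adjustment (seconds, absolute) the policy will apply.
    pub max_step: f64,
}

impl ClockPolicy {
    /// `offsets` are the clock offsets (seconds) measured against each
    /// reference source; a single lying or broken source must not win.
    pub fn decide(&self, offsets: &[f64]) -> Decision {
        let mut sorted: Vec<f64> = offsets.iter().copied().filter(|o| o.is_finite()).collect();
        sorted.sort_by(|a, b| a.total_cmp(b));
        // Largest group of offsets that all fit within the agreement window.
        let mut best: &[f64] = &[];
        for i in 0..sorted.len() {
            let mut j = i;
            while j < sorted.len() && sorted[j] - sorted[i] <= self.agreement_window {
                j += 1;
            }
            if j - i > best.len() {
                best = &sorted[i..j];
            }
        }
        if best.len() < self.min_agreeing {
            return Decision::NoConsensus;
        }
        // Use the mean of the agreeing group and enforce the adjustment limit.
        let agreed = best.iter().sum::<f64>() / best.len() as f64;
        if agreed.abs() > self.max_step {
            return Decision::ExceedsLimit(agreed);
        }
        Decision::Apply(agreed)
    }
}
```

With three sources agreeing near 20 ms and one source reporting 5 s, the outlier is ignored and the 20 ms offset is applied; if the agreeing group itself reports an offset above `max_step`, nothing is applied.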