From 9118bf5791306398f4a8d5be79b303de62b3d0f6 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 14 Mar 2023 15:43:24 +0000 Subject: [PATCH] Threat Model: adjust modality Signed-off-by: Janos Follath --- SECURITY.md | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 8d2337111c..8d3678a5ee 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -25,9 +25,10 @@ We classify attacks based on the capabilities of the attacker. ### Remote attacks -The attacker can observe and modify data sent over the network. This includes -observing the content and timing of individual packets, as well as suppressing -or delaying legitimate messages, and injecting messages. +In this section, we consider an attacker who can observe and modify data sent +over the network. This includes observing the content and timing of individual +packets, as well as suppressing or delaying legitimate messages, and injecting +messages. Mbed TLS aims to fully protect against remote attacks and to enable the user application in providing full protection against remote attacks. Said @@ -42,9 +43,9 @@ and workarounds see the [Block Ciphers](#block-ciphers) section. ### Local attacks -The attacker can run software on the same machine. The attacker has -insufficient privileges to directly access Mbed TLS assets such as memory and -files. +In this section, we consider an attacker who can run software on the same +machine. The attacker has insufficient privileges to directly access Mbed TLS +assets such as memory and files. #### Timing attacks @@ -93,9 +94,10 @@ application's threat model, they need to be mitigated by the platform. ### Physical attacks -The attacker has access to physical information about the hardware Mbed TLS is -running on and/or can alter the physical state of the hardware (e.g. power -analysis, radio emissions or fault injection). +In this section, we consider an attacker who can attacker has access to +physical information about the hardware Mbed TLS is running on and/or can alter +the physical state of the hardware (e.g. power analysis, radio emissions or +fault injection). Mbed TLS doesn't make any security guarantees against physical attacks. If physical attacks are present in a use case or a user application's threat