Threat model

This document a threat model, based on the methodology presented by Eleanor Saitta, that we as developers use as a guide in our development process. It may not contain all the context needed to fully understand it, if clarifications are needed please ask us.

The used methodology is entirely manual, but is derived from Trike.

Actors, Assets & Actions

Actors

We model the following actors:

System Admin: Administrator of the system running ntpd-rs
System User: Non-administrator user of the system running ntpd-rs
Reference Source: A remote time server we use as a source for our time.
External Client: A remote user that is allowed to use this instance of ntpd-rs to receive time.
Anonymous: Any other party

Assets

We model the following assets:

Clock: The system clock
Source configuration: The configuration on which sources to use, including some metadata on the current status of those sources
Server configuration: The configuration on which interfaces to provide an NTP server on, and who can use those, including some metadata on the current server status.
Request nonce: The random nonce a client uses for a specific request to the server to match the response to the request.
Client NTS keys: The keys a client uses to communicate with a server.
Client NTS cookies: The cookies a client uses to communicate with the server.
Server NTS keys: The keys a server uses to communicate with a client (ephemeral).
Server NTS cookies: The cookies a server is about to send to a client (ephemeral).
NTS Cookie keys: The keys a server uses to encrypt cookies.

Actions

	Clock		Source Configuration		Server Configuration		Request Nonce		Client NTS Keys		Client NTS Cookies		Server NTS Keys		Server NTS Cookies		NTS Cookie keys
System admin	Create - N/A	Read - Always	Create - Always	Read - Always	Create - Always	Read - Always	Create - N/A	Read - Always	Create - N/A	Read - Always	Create - N/A	Read - Always	Create - N/A	Read - Always	Create - Always	Read - Always	Create - Always	Read - Always
System admin	Update - Always	Delete - N/A	Update - Always	Delete - N/A	Update - Always	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - Always	Delete - Always
System user	Create - N/A	Read - Always	Create - Never	Read - Sometimes	Create - Never	Read - Sometimes	Create - N/A	Read - Sometimes	Create - N/A	Read - Sometimes	Create - N/A	Read - Sometimes	Create - N/A	Read - Sometimes	Create - Sometimes	Read - Sometimes	Create - Sometimes	Read - Sometimes
System user	Update - Never	Delete - N/A	Update - Never	Delete - N/A	Update - Never	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - Sometimes	Delete - Sometimes
Reference source	Create - N/A	Read - Never	Create - Never	Read - Never	Create - Never	Read - Never	Create - N/A	Read - Sometimes	Create - N/A	Read - Sometimes	Create - N/A	Read - Sometimes	Create - N/A	Read - Never	Create - Never	Read - Never	Create - Never	Read - Never
Reference source	Update - Sometimes	Delete - N/A	Update - Never	Delete - N/A	Update - Never	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - Never	Delete - Never
External client	Create - N/A	Read - Always	Create - Never	Read - Always	Create - Never	Read - Never	Create - N/A	Read - Never	Create - N/A	Read - Never	Create - N/A	Read - Never	Create - N/A	Read - Someitmes	Create - Sometimes	Read - Sometimes	Create - Never	Read - Never
External client	Update - Never	Delete - N/A	Update - Never	Delete - N/A	Update - Never	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - Never	Delete - Never
Anonymous	Create - N/A	Read - Never	Create - Never	Read - Never	Create - Never	Read - Never	Create - N/A	Read - Never	Create - N/A	Read - Never	Create - N/A	Read - Never	Create - N/A	Read - Never	Create - Never	Read - Never	Create - Never	Read - Never
Anonymous	Update - Never	Delete - N/A	Update - Never	Delete - N/A	Update - Never	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A	Update - Never	Delete - Never

Reference sources may update the Clock only when sufficiently many agree and don't exceed configured adjustment limits.
Reference sources may only know request information related to requests to them.
System users may read configuration (both types) only when allowed by system admin.
External clients may know key material and cookies related to their session.

Failure cases

	Escalation of Privilege		Denial of Service
Clock	Create - NA	Read - Low	Create - NA	Read - Medium
Clock	Update - Critical	Delete - N/A	Update - Medium	Delete - N/A
Source configuration	Create - Critical	Read - Medium	Create - N/A	Read - Low
Source configuration	Update - Critical	Delete - N/A	Update - Low	Delete - N/A
Server configuration	Create - Medium	Read - Low	Create - N/A	Read - Low
Server configuration	Update - Medium	Delete - N/A	Update - Low	Delete - N/A
Request nonce	Create - N/A	Read - Low	Create - N/A	Read - N/A
Request nonce	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A
Client NTS keys	Create - N/A	Read - Critical	Create - N/A	Read - N/A
Client NTS keys	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A
Client NTS cookies	Create - N/A	Read - Low	Create - N/A	Read - N/A
Client NTS cookies	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A
Server NTS keys	Create - N/A	Read - Critical	Create - N/A	Read - N/A
Server NTS keys	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A
Server NTS cookies	Create - N/A	Read - Low	Create - N/A	Read - N/A
Server NTS cookies	Update - N/A	Delete - N/A	Update - N/A	Delete - N/A
NTS Cookie keys	Create - Critical	Read - Critical	Create - N/A	Read - N/A
NTS Cookie keys	Update - Critical	Delete - Medium	Update - N/A	Delete - N/A

Request nonce: The random nonce a client uses for a specific request to the server to match the response to the request.
Client NTS keys: The keys a client uses to communicate with a server.
Client NTS cookies: The cookies a client uses to communicate with the server.
Server NTS keys: The keys a server uses to communicate with a client (ephemeral).
Server NTS cookies: The cookies a server is about to send to a client (ephemeral).
NTS Cookie keys: The keys a server uses to encrypt cookies.

Security strategy

If any actor tries to read the clock, the system will not respond with a valid time if the IP address is not on the configured allowlist
If any actor tries to update the clock, the system tries to verify consensus among multiple reference sources
If any actor tries to update the clock, the system refuses updates beyond a configured limit
If the configuration file (used to create the configuration) is world-writable, the system will emit a warning
If the configuration socket (used to update the configuration) is world-writable, the system will emit a warning
The observability socket (used to read the configuration/status) is a unix socket, which is unreachable over the network by default
If any actor tries to read the clock too often, the system will stop responding a valid time to them
If the nts cookie key storage file is world-readable, the system will emit a warning. The system will never create this file with permissions other than 0600.

Data flow diagram

The security boundaries between the admin and system users and ntpd-rs run through the unix sockets used for communication.
The security boundaries for reference sources and external clients run through the network sockets used for communication.