Threat Model Name: KubeArmor Threat Model
Owner: Rahul Jadhav
Reviewer: Accuknox DevOps
Contributors:
Description: KubeArmor is a system security policy enforcement engine.
Assumptions:
External Dependencies:
Threat Model Summary:
Status | Count |
Not Started | 75 |
Not Applicable | 0 |
Needs Investigation | 0 |
Mitigation Implemented | 0 |
Total | 75 |
Total Migrated | 0 |
Category: | Spoofing |
Description: | KubeArmor-Relay Service may be spoofed by an attacker and this may lead to unauthorized access to KubeArmor Pod. Consider using a standard authentication mechanism to identify the source process. |
Justification: | <no mitigation provided> |
Category: | Spoofing |
Description: | KubeArmor Pod may be spoofed by an attacker and this may lead to information disclosure by KubeArmor-Relay Service. Consider using a standard authentication mechanism to identify the destination process. |
Justification: | <no mitigation provided> |
Category: | Tampering |
Description: | Data flowing across GRPC may be tampered with by an attacker. This may lead to a denial of service attack against KubeArmor Pod, an elevation of privilege attack against KubeArmor Pod, or an information disclosure by KubeArmor Pod. Failure to verify that input is as expected is a root cause of a very large number of exploitable issues. Consider all paths and the way they handle data. Verify that all input is checked for correctness using an approved-list (allow-list) input validation approach. |
Justification: | <no mitigation provided> |
Category: | Repudiation |
Description: | KubeArmor Pod claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
Justification: | <no mitigation provided> |
Category: | Information Disclosure |
Description: | Data flowing across GRPC may be sniffed by an attacker. Depending on what type of data an attacker can read, it may be used to attack other parts of the system or simply be a disclosure of information leading to compliance violations. Consider encrypting the data flow. |
Justification: | <no mitigation provided> |
Category: | Information Disclosure |
Description: | Credentials on the wire are often subject to sniffing by an attacker. Are the credentials re-usable/re-playable? Are credentials included in a message? For example, sending a zip file with the password in the email. Use strong cryptography for the transmission of credentials. Use the OS libraries if at all possible, and consider cryptographic algorithm agility, rather than hardcoding a choice. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | KubeArmor Pod crashes, halts, stops or runs slowly; in all cases violating an availability metric. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | An external agent interrupts data flowing across a trust boundary in either direction. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | KubeArmor Pod may be able to impersonate the context of KubeArmor-Relay Service in order to gain additional privilege. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | KubeArmor-Relay Service may be able to remotely execute code for KubeArmor Pod. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | An attacker may pass data into KubeArmor Pod in order to change the flow of program execution within KubeArmor Pod to the attacker's choosing. |
Justification: | <no mitigation provided> |
Category: | Spoofing |
Description: | Virtual Machine may be spoofed by an attacker and this may lead to unauthorized access to KVM Service. Consider using a standard authentication mechanism to identify the source process. |
Justification: | <no mitigation provided> |
Category: | Spoofing |
Description: | KVM Service may be spoofed by an attacker and this may lead to information disclosure by Virtual Machine. Consider using a standard authentication mechanism to identify the destination process. |
Justification: | <no mitigation provided> |
Category: | Tampering |
Description: | Data flowing across GRPC may be tampered with by an attacker. This may lead to a denial of service attack against KVM Service, an elevation of privilege attack against KVM Service, or an information disclosure by KVM Service. Failure to verify that input is as expected is a root cause of a very large number of exploitable issues. Consider all paths and the way they handle data. Verify that all input is checked for correctness using an approved-list (allow-list) input validation approach. |
Justification: | <no mitigation provided> |
Category: | Repudiation |
Description: | KVM Service claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
Justification: | <no mitigation provided> |
Category: | Information Disclosure |
Description: | Data flowing across GRPC may be sniffed by an attacker. Depending on what type of data an attacker can read, it may be used to attack other parts of the system or simply be a disclosure of information leading to compliance violations. Consider encrypting the data flow. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | KVM Service crashes, halts, stops or runs slowly; in all cases violating an availability metric. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | An external agent interrupts data flowing across a trust boundary in either direction. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | KVM Service may be able to impersonate the context of Virtual Machine in order to gain additional privilege. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | Virtual Machine may be able to remotely execute code for KVM Service. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | An attacker may pass data into KVM Service in order to change the flow of program execution within KVM Service to the attacker's choosing. |
Justification: | <no mitigation provided> |
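The spoofing, sniffing and credentials-on-the-wire threats listed above for the KubeArmor-Relay Service to KubeArmor Pod flow and for the Virtual Machine to KVM Service flow share one mitigation: mutual TLS on the gRPC channel, with the server checking not only that the client certificate chains to the cluster CA but that the identity it carries is one the service expects. The Go program below is an added example written for this page, not KubeArmor's own code; the certificate names (kubearmor-ca, kubearmor-relay, kubearmor-agent, unrelated-workload), the allow-list and the in-memory PKI are assumptions for illustration. It uses only the standard library; the resulting *tls.Config is what a gRPC server would wrap with credentials.NewTLS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"io"
	"math/big"
	"time"
)

// issueCert mints an ECDSA certificate whose DNS SAN is name, signed by parent
// (self-signed when parent is nil). In-memory fixture for this example only.
func issueCert(name string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: isCA,
	}
	signer, signerKey := tmpl, any(key)
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serverConfig demands a client certificate chained to the cluster CA and, beyond
// chain validation, pins the presented DNS SAN to an allow-list of known peers.
func serverConfig(serverCert tls.Certificate, caPool *x509.CertPool, allowed map[string]bool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    caPool,
		MinVersion:   tls.VersionTLS13,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			for _, san := range chains[0][0].DNSNames { // chains is non-empty: chain validation already passed
				if allowed[san] {
					return nil
				}
			}
			return errors.New("client certificate verifies but is not an authorised peer")
		},
	}
}

// handshake runs one connection over loopback. The server replies "ok" only after
// its handshake (including the allow-list check) succeeds, so a rejected client
// sees the TLS alert on its first read instead of a silent success.
func handshake(srv, cli *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			if conn.(*tls.Conn).Handshake() == nil {
				conn.Write([]byte("ok"))
			}
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	_, err = io.ReadFull(conn, make([]byte, 2))
	return err
}

// demo: allow-listed agent accepted; unlisted peer and anonymous client rejected.
func demo() (accepted, rejectedUnlisted, rejectedAnon bool) {
	ca := issueCert("kubearmor-ca", true, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	relay, agent, other := issueCert("kubearmor-relay", false, &ca), issueCert("kubearmor-agent", false, &ca), issueCert("unrelated-workload", false, &ca)
	srv := serverConfig(relay, pool, map[string]bool{"kubearmor-agent": true})
	client := func(certs ...tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: pool, ServerName: "kubearmor-relay", MinVersion: tls.VersionTLS13, Certificates: certs}
	}
	accepted = handshake(srv, client(agent)) == nil
	rejectedUnlisted = handshake(srv, client(other)) != nil
	rejectedAnon = handshake(srv, client()) != nil
	return
}

func main() { println(demo()) }
```

The allow-list check in VerifyPeerCertificate runs after chain validation on purpose: a certificate the same CA issued to an unrelated workload still verifies, so chain validation alone only proves "some member of the cluster", not "the peer this service expects". Certificate issuance and rotation are outside this example.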
Category: | Spoofing |
Description: | User may be spoofed by an attacker and this may lead to unauthorized access to KubeArmor-Relay Service. Consider using a standard authentication mechanism to identify the external entity. |
Justification: | <no mitigation provided> |
Category: | Repudiation |
Description: | KubeArmor-Relay Service claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | KubeArmor-Relay Service crashes, halts, stops or runs slowly; in all cases violating an availability metric. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | An external agent interrupts data flowing across a trust boundary in either direction. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | KubeArmor-Relay Service may be able to impersonate the context of User in order to gain additional privilege. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | User may be able to remotely execute code for KubeArmor-Relay Service. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | An attacker may pass data into KubeArmor-Relay Service in order to change the flow of program execution within KubeArmor-Relay Service to the attacker's choosing. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | Cross-site request forgery (CSRF or XSRF) is a type of attack in which an attacker forces a user's browser to make a forged request to a vulnerable site by exploiting an existing trust relationship between the browser and the vulnerable web site. In a simple scenario, a user is logged in to web site A using a cookie as a credential. The user then browses to web site B. Web site B returns a page with a hidden form that posts to web site A. Since the browser will carry the user's cookie to web site A, web site B can now take any action on web site A, for example, adding an admin to an account. The attack can be used to exploit any requests that the browser automatically authenticates, e.g. by session cookie, integrated authentication, IP whitelisting. The attack can be carried out in many ways such as by luring the victim to a site under control of the attacker, getting the user to click a link in a phishing email, or hacking a reputable web site that the victim will visit. The issue can only be resolved on the server side by requiring that all authenticated state-changing requests include an additional piece of secret payload (canary or CSRF token) which is known only to the legitimate web site and the browser and which is protected in transit through SSL/TLS. See the Forgery Protection property on the flow stencil for a list of mitigations. |
Justification: | <no mitigation provided> |
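The CSRF threat above applies to browser-driven state changes against the KubeArmor-Relay Service, and its server-side fix is the synchroniser token the description calls for. The Go program below is an added example for this page, not the relay's own code; the /login and /admin/add routes, the in-memory session store and the cookie name are assumptions for illustration. It issues a token bound to the session at login, then refuses any state-changing POST that carries the session cookie but not the matching token, which is exactly what a hidden form on another site produces.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// sessionStore maps a session ID to the CSRF token bound to it (constructed, in-memory only).
type sessionStore struct {
	mu     sync.Mutex
	tokens map[string]string
}

func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// login creates a session and binds a fresh CSRF token to it. The cookie is HttpOnly,
// Secure and SameSite=Strict as defence in depth; the token goes to the page, not the cookie.
func (s *sessionStore) login(w http.ResponseWriter, r *http.Request) {
	sid, tok := newToken(), newToken()
	s.mu.Lock()
	s.tokens[sid] = tok
	s.mu.Unlock()
	http.SetCookie(w, &http.Cookie{Name: "session", Value: sid, Path: "/", HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode})
	w.Write([]byte(tok))
}

// csrfProtect guards a state-changing handler: the request must carry a known session
// cookie AND the token bound to that session, compared in constant time.
func (s *sessionStore) csrfProtect(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		want := ""
		if c, err := r.Cookie("session"); err == nil {
			s.mu.Lock()
			want = s.tokens[c.Value]
			s.mu.Unlock()
		}
		got := r.Header.Get("X-CSRF-Token")
		if got == "" {
			got = r.FormValue("csrf_token")
		}
		if want == "" || subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
			http.Error(w, "missing session or invalid CSRF token", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// demo serves the handlers in-process and returns the status codes of three POSTs to
// /admin/add: legitimate (cookie + token), forged (cookie only), forged with a guessed token.
func demo() (legit, forged, guessed int) {
	s := &sessionStore{tokens: map[string]string{}}
	mux := http.NewServeMux()
	mux.HandleFunc("/login", s.login)
	mux.HandleFunc("/admin/add", s.csrfProtect(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("added admin " + r.FormValue("user"))) }))
	srv := httptest.NewServer(mux)
	defer srv.Close()
	resp, err := http.Post(srv.URL+"/login", "text/plain", nil) // the victim logs in
	if err != nil {
		panic(err)
	}
	body, _ := io.ReadAll(resp.Body)
	resp.Body.Close()
	token, cookie := string(body), resp.Cookies()[0]
	post := func(form url.Values) int { // stands in for the browser: always attaches the session cookie
		req, _ := http.NewRequest(http.MethodPost, srv.URL+"/admin/add", strings.NewReader(form.Encode()))
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
		req.AddCookie(cookie)
		r, err := http.DefaultClient.Do(req)
		if err != nil {
			return 0
		}
		r.Body.Close()
		return r.StatusCode
	}
	legit = post(url.Values{"user": {"alice"}, "csrf_token": {token}})
	forged = post(url.Values{"user": {"attacker"}}) // site B's hidden form: cookie rides along, token does not
	guessed = post(url.Values{"user": {"attacker"}, "csrf_token": {newToken()}})
	return
}

func main() { fmt.Println(demo()) }
```

The demo attaches the cookie by hand to play the role of the browser. A real browser honouring SameSite=Strict would already withhold the cookie from a cross-site POST, but the token check is the mitigation the threat calls for and it holds regardless of client behaviour.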
Category: | Spoofing |
Description: | karmor-cli may be spoofed by an attacker and this may lead to unauthorized access to KubeArmor-Relay Service. Consider using a standard authentication mechanism to identify the external entity. |
Justification: | <no mitigation provided> |
Category: | Repudiation |
Description: | KubeArmor-Relay Service claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | KubeArmor-Relay Service crashes, halts, stops or runs slowly; in all cases violating an availability metric. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | An external agent interrupts data flowing across a trust boundary in either direction. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | KubeArmor-Relay Service may be able to impersonate the context of karmor-cli in order to gain additional privilege. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | karmor-cli may be able to remotely execute code for KubeArmor-Relay Service. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | An attacker may pass data into KubeArmor-Relay Service in order to change the flow of program execution within KubeArmor-Relay Service to the attacker's choosing. |
Justification: | <no mitigation provided> |
Category: | Spoofing |
Description: | karmor-cli may be spoofed by an attacker and this may lead to unauthorized access to API Server. Consider using a standard authentication mechanism to identify the external entity. |
Justification: | <no mitigation provided> |
Category: | Tampering |
Description: | The web server 'API Server' could be subject to a cross-site scripting attack because it does not sanitize untrusted input. |
Justification: | <no mitigation provided> |
Category: | Repudiation |
Description: | API Server claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | API Server crashes, halts, stops or runs slowly; in all cases violating an availability metric. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | An external agent interrupts data flowing across a trust boundary in either direction. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | API Server may be able to impersonate the context of karmor-cli in order to gain additional privilege. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | karmor-cli may be able to remotely execute code for API Server. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | An attacker may pass data into API Server in order to change the flow of program execution within API Server to the attacker's choosing. |
Justification: | <no mitigation provided> |
Category: | Spoofing |
Description: | CRD: KSP, KHP may be spoofed by an attacker and this may lead to unauthorized access to Daemonset. Consider using a standard authentication mechanism to identify the source process. |
Justification: | <no mitigation provided> |
Category: | Tampering |
Description: | If CRD: KSP, KHP is given access to memory, such as shared memory or pointers, or is given the ability to control what Daemonset executes (for example, passing back a function pointer.), then CRD: KSP, KHP can tamper with Daemonset. Consider if the function could work with less access to memory, such as passing data rather than pointers. Copy in data provided, and then validate it. |
Justification: | <no mitigation provided> |
Category: | Repudiation |
Description: | Daemonset claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | Daemonset crashes, halts, stops or runs slowly; in all cases violating an availability metric. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | An external agent interrupts data flowing across a trust boundary in either direction. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | Daemonset may be able to impersonate the context of CRD: KSP, KHP in order to gain additional privilege. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | CRD: KSP, KHP may be able to remotely execute code for Daemonset. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | An attacker may pass data into Daemonset in order to change the flow of program execution within Daemonset to the attacker's choosing. |
Justification: | <no mitigation provided> |
Category: | Spoofing |
Description: | KubeArmor Pod may be spoofed by an attacker and this may lead to unauthorized access to Config Map. Consider using a standard authentication mechanism to identify the source process. |
Justification: | <no mitigation provided> |
Category: | Spoofing |
Description: | Config Map may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of Config Map. Consider using a standard authentication mechanism to identify the destination data store. |
Justification: | <no mitigation provided> |
Category: | Tampering |
Description: | Data flowing across HTTPS may be tampered with by an attacker. This may lead to corruption of Config Map. Ensure the integrity of the data flow to the data store. |
Justification: | <no mitigation provided> |
Category: | Repudiation |
Description: | Config Map claims that it did not write data received from an entity on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | Does KubeArmor Pod or Config Map take explicit steps to control resource consumption? Resource consumption attacks can be hard to deal with, and there are times that it makes sense to let the OS do the job. Be careful that your resource requests don't deadlock, and that they do timeout. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | An external agent interrupts data flowing across a trust boundary in either direction. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | An external agent prevents access to a data store on the other side of the trust boundary. |
Justification: | <no mitigation provided> |
Category: | Spoofing |
Description: | Daemonset may be spoofed by an attacker and this may lead to unauthorized access to etcd. Consider using a standard authentication mechanism to identify the source process. |
Justification: | <no mitigation provided> |
Category: | Spoofing |
Description: | etcd may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of etcd. Consider using a standard authentication mechanism to identify the destination data store. |
Justification: | <no mitigation provided> |
Category: | Tampering |
Description: | Data flowing across HTTPS may be tampered with by an attacker. This may lead to corruption of etcd. Ensure the integrity of the data flow to the data store. |
Justification: | <no mitigation provided> |
Category: | Repudiation |
Description: | etcd claims that it did not write data received from an entity on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | Does Daemonset or etcd take explicit steps to control resource consumption? Resource consumption attacks can be hard to deal with, and there are times that it makes sense to let the OS do the job. Be careful that your resource requests don't deadlock, and that they do timeout. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | An external agent interrupts data flowing across a trust boundary in either direction. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | An external agent prevents access to a data store on the other side of the trust boundary. |
Justification: | <no mitigation provided> |
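The two resource-consumption questions above (KubeArmor Pod to Config Map, Daemonset to etcd) have the same answer: cap the number of requests in flight and give every request a deadline, so a slow or unreachable store degrades the caller rather than hanging it. The Go program below is an added example for this page, not KubeArmor's client code; the boundedStore type, its limits and the fakeBackend stand-in for the store are assumptions. It shows a normal read succeeding, a hung backend being cut off at the deadline, and a caller arriving while the budget is exhausted being refused immediately instead of queueing without bound.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// ErrBusy is returned instead of queueing when the in-flight budget is exhausted.
var ErrBusy = errors.New("store: too many in-flight requests, try again later")

// boundedStore wraps a slow backend (a ConfigMap read through the API server, an etcd
// write) with two explicit resource controls: a hard cap on in-flight requests and a
// per-request deadline. Assumed shape for this example, not KubeArmor's own client.
type boundedStore struct {
	slots   chan struct{}
	timeout time.Duration
	backend func(ctx context.Context, key string) (string, error)
}

func newBoundedStore(maxInFlight int, timeout time.Duration, backend func(context.Context, string) (string, error)) *boundedStore {
	return &boundedStore{slots: make(chan struct{}, maxInFlight), timeout: timeout, backend: backend}
}

// Get fails fast when no slot is free, then runs the backend under a deadline. The slot
// is released only when the backend actually returns, so a hung backend stays counted
// against the budget instead of being silently forgotten.
func (s *boundedStore) Get(ctx context.Context, key string) (string, error) {
	select {
	case s.slots <- struct{}{}:
	default:
		return "", ErrBusy
	}
	ctx, cancel := context.WithTimeout(ctx, s.timeout)
	defer cancel()
	type result struct{ val string; err error }
	res := make(chan result, 1) // buffered: the worker never blocks if the caller has gone
	go func() {
		v, err := s.backend(ctx, key)
		<-s.slots // free the slot before reporting, so the caller sees a consistent budget
		res <- result{v, err}
	}()
	select {
	case r := <-res:
		return r.val, r.err
	case <-ctx.Done():
		return "", ctx.Err()
	}
}

// fakeBackend is a constructed stand-in: keys prefixed "hung-" never answer until the
// context is cancelled; everything else answers after 10ms.
func fakeBackend(ctx context.Context, key string) (string, error) {
	delay := 10 * time.Millisecond
	if strings.HasPrefix(key, "hung-") {
		delay = time.Hour
	}
	t := time.NewTimer(delay)
	defer t.Stop()
	select {
	case <-t.C:
		return "value-of-" + key, nil
	case <-ctx.Done():
		return "", ctx.Err()
	}
}

// demo returns a normal read, the error for a hung backend, and the error a third caller sees.
func demo() (value string, hungErr, busyErr error) {
	store := newBoundedStore(2, 50*time.Millisecond, fakeBackend)
	value, _ = store.Get(context.Background(), "kubearmor-config")
	var wg sync.WaitGroup
	hung := make([]error, 2)
	for i := range hung {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			_, hung[i] = store.Get(context.Background(), fmt.Sprintf("hung-%d", i))
		}(i)
	}
	for len(store.slots) < 2 { // wait until both slots are genuinely occupied
		time.Sleep(time.Millisecond)
	}
	_, busyErr = store.Get(context.Background(), "kubearmor-config")
	wg.Wait()
	return value, hung[0], busyErr
}

func main() {
	v, h, b := demo()
	fmt.Printf("read: %q\nhung backend: %v\nthird caller: %v\n", v, h, b)
}
```

Whether to fail fast or queue briefly is a design choice; what matters for the threat is that neither the queue nor the wait is unbounded, and that the deadline is derived from the caller's context so cancellation propagates all the way to the store call.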
Category: | Elevation Of Privilege |
Description: | KubeArmor Pod may be able to impersonate the context of Kubelet in order to gain additional privilege. |
Justification: | <no mitigation provided> |
Category: | Spoofing |
Description: | KubeArmor Deployment may be spoofed by an attacker and this may lead to unauthorized access to KubeArmor Pod. Consider using a standard authentication mechanism to identify the source process. |
Justification: | <no mitigation provided> |
Category: | Repudiation |
Description: | KubeArmor Pod claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | KubeArmor Pod crashes, halts, stops or runs slowly; in all cases violating an availability metric. |
Justification: | <no mitigation provided> |
Category: | Denial Of Service |
Description: | An external agent interrupts data flowing across a trust boundary in either direction. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | KubeArmor Pod may be able to impersonate the context of KubeArmor Deployment in order to gain additional privilege. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | KubeArmor Deployment may be able to remotely execute code for KubeArmor Pod. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | An attacker may pass data into KubeArmor Pod in order to change the flow of program execution within KubeArmor Pod to the attacker's choosing. |
Justification: | <no mitigation provided> |
Category: | Elevation Of Privilege |
Description: | KVM Service may be able to impersonate the context of CRD: KSP, KHP in order to gain additional privilege. |
Justification: | <no mitigation provided> |