STRIDE Threat Model
STRIDE Element | Access Controls | Password Protection | Raft Consensus Algorithm | MVCC in TiKV | RocksDB Storage Engine | TiKV Clients | Placement Driver | Timestamp Oracle | Transport-Layer Security (TLS) | Programming Language (Rust) | Authentication |
---|---|---|---|---|---|---|---|---|---|---|---|
Spoofing Identity | Attackers could impersonate authorized users to gain access to TiKV nodes and PD. | Weak password protocols can be exploited to gain unauthorized access. | Falsifying identity as a leader node could disrupt consensus. | Spoofing transactions so that they appear legitimate could enable unauthorized actions. | | Impersonating a legitimate client could allow unauthorized access to TiKV nodes. | Spoofing the Placement Driver could disrupt TiKV’s data management and routing. | Spoofing timestamp requests can lead to incorrect time assignments for transactions. | Intercepting TLS certificates could enable attackers to impersonate TiKV nodes. | | Impersonating an authenticated user can grant unauthorized access to sensitive functions. |
Tampering | Tampering with access control settings could weaken restrictions. | Attackers could alter authentication data or mechanisms. | Tampering with data replication processes can corrupt data consistency. | Tampering with timestamps could cause data inconsistencies or conflicts. | Altering RocksDB configurations or data could compromise data integrity. | Tampering with client applications can lead to malicious data insertion or alteration. | Tampering with PD’s metadata can lead to incorrect data placement or loss. | Manipulating timestamps can cause inconsistencies and conflicts in transaction ordering. | Tampering with TLS configurations can compromise secure communication. | Exploiting language-specific vulnerabilities, though less likely in Rust, can lead to data tampering. | Altering authentication data or mechanisms can lead to unauthorized system access. |
Repudiation | If audit trails are poor, malicious activities may go unrecorded, allowing wrongdoing to be denied. | Lack of secure audit logs could prevent tracking of unauthorized access changes. | Without proper logging, changes made to the consensus process might not be traceable. | Untraceable transactions due to poor logging could lead to repudiation of actions. | Without proper audit logs, unauthorized modifications in RocksDB might go unnoticed. | Clients could deny performing actions if those actions are not properly logged. | Lack of auditing can make it difficult to trace unauthorized changes in PD. | Without traceability of timestamp issuance, manipulation of transactions could be denied. | Failure to log TLS configuration changes could allow unauthorized alterations to go unnoticed. | Rust’s safety features reduce the likelihood of untraceable changes in the codebase. | Failure to log authentication attempts could allow unauthorized activities to be denied. |
Information Disclosure | Unauthorized access could lead to exposure of sensitive data. | Insufficient password protection might reveal user credentials. | Intercepting communications could reveal sensitive replicated data. | Unencrypted timestamps could reveal transaction times and patterns. | Vulnerabilities in third-party dependencies could lead to data leaks. | Compromised clients could leak sensitive data stored in TiKV. | Gaining access to PD can reveal critical metadata about data distribution. | Access to timestamping information could expose transaction patterns and timings. | Compromised TLS can lead to exposure of data in transit between nodes. | | |
Denial of Service | Overloading access control mechanisms could lead to service disruptions. | Repeated password attempts or protocol abuse could disrupt service. | Disrupting the consensus process can lead to denial of service. | Conflicts or faulty timestamping can lead to transaction processing delays. | Exploiting RocksDB vulnerabilities could slow down or halt data operations. | Overloading clients or exploiting vulnerabilities can disrupt their interaction with TiKV. | Overloading or disrupting PD can significantly impact data availability and cluster operations. | Overloading the Timestamp Oracle can delay or prevent timestamp issuance, disrupting transactions. | Disrupting TLS can block or slow down secure communication, affecting service availability. | | |
Elevation of Privilege | Gaining unauthorized access could lead to elevated privileges within the system. | Accessing accounts with higher privileges could lead to control over critical functions. | An attacker could gain control over data flow and decision-making by becoming a malicious leader. | Altering timestamps could grant unauthorized data access or modifications. | Exploiting vulnerabilities could lead to unauthorized access or control over data storage. | Gaining elevated privileges through client exploitation can lead to broader system compromise. | Controlling PD could grant significant control over the cluster’s operational aspects. | Manipulating the timestamping process could give undue advantage or access to certain transactions. | Compromised TLS could be exploited to read encrypted communications, exposing privileged information. | Exploiting rare vulnerabilities in Rust could lead to unauthorized system access. | |