docs: extend generic tf-a threat model

Adding a new threat which is about leaving sensitive information in internal buffers which could be stolen by an attacker. Signed-off-by: Tamas Ban <tamas.ban@arm.com> Change-Id: I737e802c0adc9b00c89a0e21779745c51afb4b17
2025-04-19 19:14:28 +00:00 · 2022-11-30 17:06:05 +01:00 · 2022-11-30 17:06:05 +01:00 · 1fba1a8558
commit 1fba1a8558
parent 2b9c8b877c
1 changed files with 41 additions and 3 deletions
--- a/docs/threat_model/threat_model.rst
+++ b/docs/threat_model/threat_model.rst
@ -170,7 +170,7 @@ Threat Risk Ratings

 For each threat identified, a risk rating that ranges
 from *informational* to *critical* is given based on the likelihood of the
-threat occuring if a mitigation is not in place, and the impact of the
+threat occurring if a mitigation is not in place, and the impact of the
 threat (i.e. how severe the consequences could be). Table 4 explains each
 rating in terms of score, impact and likelihood.

@ -778,8 +778,9 @@ These are highlighted in the ``Mitigations implemented?`` box.
 +========================+====================================================+
 | Threat                 | | **Misconfiguration of the Memory Management Unit |
 |                        |   (MMU) may allow a normal world software to       |
-|                        |   access sensitive data or execute arbitrary       |
-|                        |   code**                                           |
+|                        |   access sensitive data, execute arbitrary         |
+|                        |   code or access otherwise restricted HW           |
+|                        |   interface**                                      |
 |                        |                                                    |
 |                        | | A misconfiguration of the MMU could              |
 |                        |   lead to an open door for software running in the |
@ -853,6 +854,8 @@ These are highlighted in the ``Mitigations implemented?`` box.
 +------------------------+-----------------------------------------------------+
 | Threat Type            | Information Disclosure                              |
 +------------------------+-------------------+----------------+----------------+
+| Application            | Server            | IoT            | Mobile         |
+------------------------+-------------------+----------------+----------------+
 | Impact                 | Medium (3)        | Medium (3)     | Medium (3)     |
 +------------------------+-------------------+----------------+----------------+
 | Likelihood             | Low (2)           | Low (2)        | Low (2)        |
@ -880,6 +883,41 @@ These are highlighted in the ``Mitigations implemented?`` box.
 |                        |   mitigated.                                        |
 +------------------------+-----------------------------------------------------+

+------------------------+-----------------------------------------------------+
+| ID                     | 13                                                  |
+========================+=====================================================+
+| Threat                 | | **Leaving sensitive information in the memory,    |
+|                        |   can allow an attacker to retrieve them.**         |
+|                        |                                                     |
+|                        | | Accidentally leaving not-needed sensitive data in |
+|                        |   internal buffers can leak them if an attacker     |
+|                        |   gains access to memory due to a vulnerability.    |
+------------------------+-----------------------------------------------------+
+| Diagram Elements       | DF4, DF5                                            |
+------------------------+-----------------------------------------------------+
+| Affected TF-A          | BL1, BL2, BL31                                      |
+| Components             |                                                     |
+------------------------+-----------------------------------------------------+
+| Assets                 | Sensitive Data                                      |
+------------------------+-----------------------------------------------------+
+| Threat Agent           | NSCode, SecCode                                     |
+------------------------+-----------------------------------------------------+
+| Threat Type            | Information Disclosure                              |
+------------------------+-------------------+----------------+----------------+
+| Application            | Server            | IoT            | Mobile         |
+------------------------+-------------------+----------------+----------------+
+| Impact                 |  Critical (5)     | Critical (5)   | Critical (5)   |
+------------------------+-------------------+----------------+----------------+
+| Likelihood             |  Medium (3)       | Medium (3)     | Medium (3)     |
+------------------------+-------------------+----------------+----------------+
+| Total Risk Rating      |  High (15)        | High (15)      | High (15)      |
+------------------------+-------------------+----------------+----------------+
+| Mitigations            |   Clear the sensitive data from internal buffers as |
+|                        |   soon as they are not needed anymore.              |
+------------------------+-----------------------------------------------------+
+| Mitigations            | | Yes / Platform specific                           |
+------------------------+-----------------------------------------------------+
+
 --------------

 *Copyright (c) 2021-2022, Arm Limited. All rights reserved.*