12:04:40 RRSAgent has joined #wot-sec
12:04:40 logging to http://www.w3.org/2017/06/02-wot-sec-irc
12:04:42 present+ Michael_McCool
12:04:44 Zakim has joined #wot-sec
12:04:57 present+ Elena_Reshetova
12:05:19 Review PRs; Continue with Threat model (Elena); Smart Home scenario definition; Discussion of container types and implications
12:05:47 Meeting: WoT IG - Security
12:05:47 present: Kaz_Ashimura, Barry_Leiba, Elena_Reshetova, Oliver_Pfaff
12:05:47 Agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda
12:06:41 topic: Continue with threat model (Elena)
12:07:04 elena: goes through her GH page
12:07:29 ... Objectives.md
12:08:21 present+ Zoltan_Kis
12:08:49 -> https://github.com/ereshetova/wot/blob/master/security-privacy/AssetsThreatModelSecurityObjectives.md WoT Threat Model & Security Objectives
12:09:20 mm: runtime should take care of it
12:09:29 er: will change the name
12:10:16 bl: somebody makes something to attack on things
12:10:32 mm: attack from another thing
12:10:48 er: have to prevision malicious things
12:11:09 bl: somebody designs some WoT things which possibly infect others' things
12:11:34 er: how to distribute/transfer scripts?
12:11:57 ... related to malicious scripts
12:12:18 zk: if it's not distributed, it's still malicious
12:12:38 er: related to how malicious scripts would be distributed
12:12:55 ... where the malicious scripts are installed
12:13:13 q+
12:13:40 bl: we need to split threats
12:14:58 mm: scripting protection is the main issue
12:15:18 er: what if manufacturers manage to substitute scripts?
12:15:45 bl: somebody gets a temperature sensor
12:15:58 ... what kind of attacks are possible?
12:17:57 er: let's go through the threat table
12:18:04 (goes through it)
12:19:09 mm: WoT API or Web API
12:19:27 ... external non-WoT devices are out of scope
12:20:01 ... we go through the protocols
12:20:09 ... protocol binding would reduce the category
12:20:52 kaz: which category?
12:21:00 mm: for WoT User Interface
12:22:44 ... we have to have certain access permission to access scripts
12:23:20 zk: agree most of this would be covered by scripting
12:23:39 mm: there is a case that an app is a back door
12:24:07 ... would prefer servients talk with external world only via the protocol binding
12:24:20 s/talk/talking/
12:24:36 er: having fewer protocols would be better
12:24:51 mm: having only the front door (=protocol binding)
12:25:08 er: (WoT Protocol Bindings)
12:25:50 q+ to suggest we clarify concrete risk scenarios
12:26:09 q+ to put this file on the w3c github repo
12:26:50 mm: if dynamically loadable, could be malicious
12:27:18 ... recommend don't do that
12:27:29 er: (WoT API)
12:27:38 ... getting compromise
12:28:23 ... (WoT API - Unauthorized API access)
12:29:20 s|compromise|compromising Thing instance and getting access/control|
12:29:31 ... unauthorized access to an asset provided via WoT API
12:29:59 zk: WoT API is REST API
12:30:12 ... possible mitigation for attacks
12:30:22 er: discovering ports, etc.?
12:30:27 zk: yes
12:30:39 ... e.g., ssh ports
12:32:11 mm: if I was skimming the port, maybe will be scanning generic CoAP ports, etc.
12:32:20 s/will/would/
12:32:29 ... identify type of devices, etc.
12:33:24 ... maybe related to privacy threats
12:33:44 ... who accesses what using which protocol
12:34:07 er: depending on how the device/software is implemented
12:34:23 ... we can make recommendations, though
12:34:42 ... but not sure if we can cover everything
12:34:55 ... (WoT Protocol - TD Integrity)
12:35:32 ... Integrity and confidentiality in transfer
12:35:51 ... do we have notion for free play?
12:36:31 s/free play/re-play/
12:36:48 op: integrity is one aspect of authenticity
12:36:55 er: can rename it
12:37:39 mm: I distribute some TD
12:37:48 ... and distribute an updated new TD
12:37:59 q?
12:39:05 ... certain kind of attacks
12:39:49 op: regarding user data...
12:40:13 ... would that be considered as what?
12:40:17 ... user data?
12:40:27 mm: sensor data is user data?
12:40:35 op: there is no actual "user"
12:40:47 er: what's the purpose
12:40:53 q?
12:41:03 mm: definition of users?
12:41:10 ... TD here
12:41:14 ... about metadata
12:41:22 ... next is solution
12:41:25 ... over the protocols themselves
12:42:42 er: physical user or non physical
12:43:04 op: solution data would help
12:43:10 ... like normal data
12:43:24 q?
12:43:46 er: will change the term
12:43:56 mm: previous point on re-play
12:44:02 ... something happen again
12:44:08 s/happen/would happen/
12:44:21 ... network may have "repeat things"
12:44:32 ... sequence, freshness and uniqueness
12:47:26 kaz: would suggest we think about some concrete use case and risk scenario when we discuss these stakeholders/components of the threat model
12:47:37 er: there is a section later
12:47:59 kaz: yeah, we should look at the use case as well when we discuss each component
12:48:20 er: (Scenario 1 - Home environment)
12:48:49 [[
12:48:50 In this scenario we assume a standard home environment with a WoT network running behind a firewall that separates it from the rest of the Internet. However the WoT network is shared with the standard user home network that contains other non-WoT devices that have high chances of being compromised. This results in viewing these non-WoT devices as network attackers with access to WoT network and its APIs/Protocol Bindings. WoT scripts and protocol bindings are
12:48:50 considered trusted, single solution provider exists on physical WoT devices, no dynamic installation of WoT scripts is possible.
12:48:50 ]]
12:49:31 er: WoT scripts and protocol bindings are considered as trusted.
12:50:23 ... implies the following WoT Security objectives
12:51:30 @@@
12:51:41 mm: each threat needs example use case
12:51:48 ... clarify the impacts
12:52:02 er: can give examples
12:53:22 mm: gives some example use case
12:53:29 er: ok
12:53:36 ... will give examples
12:53:58 mm: how to deal with mitigation?
12:54:06 ... depending on protocols?
12:54:32 ... which capability is available with which protocols?
12:55:09 ... some of the mitigations are depending on underlying protocols
12:55:18 ... others have to be described
12:55:43 er: we have to discuss "mitigation"
12:56:05 ... sometimes underlying protocol doesn't handle it
12:56:11 s/handle/guarantee/
12:56:22 ... and we ourselves need to handle that
12:56:41 mm: should list which protocols support what
12:56:46 ... security properties
12:57:00 ... our recommendation and non-recommendation
12:57:26 er: there are already protocols that WoT is expected to support
12:57:53 ... we have to provide end-to-end security
12:58:20 mm: there is a list under the TD section and the binding section
12:58:27 ... CoAP, bluetooth, etc.
12:58:50 mm: let's add concrete examples for threats
12:58:53 er: can do that
12:59:09 ... anyone can send your ideas as well
12:59:22 q?
13:00:17 kaz: when/how to move this document on Elena's repo to the W3C repo?
13:00:23 er: there is a pull request
13:00:39 barryleiba has left #wot-sec
13:00:39 kaz: let's approve the pull request and make this the starting point
13:01:21 [ adjourned ]
13:01:30 rrsagent, make log public
13:01:35 rrsagent, draft minutes
13:01:35 I have made the request to generate http://www.w3.org/2017/06/02-wot-sec-minutes.html kaz
13:02:48 Chair: McCool
13:03:11 present+ Michael_McCool