Security/ProcessIsolation/ThreatModel

From MozillaWiki
Revision as of 21:47, 7 April 2009 by Ladamski

High Level Threat Model for Process Isolation

We need to be able to clearly understand and communicate the benefits and limitations of process isolation to users, the press and security researchers. In order to do so we need to identify which threats process isolation could actually mitigate, and then consider the implementation implications of doing so.

Major Threat Categories

In order to not get ratholed into enumerating potential benefits and risks on a per-API basis, we will organize threats around broad categories, then use a few representative APIs as litmus tests of some of the implementation implications.

System Compromise

Compromise the underlying system and achieve malicious code execution with full user privileges.

System Data Theft

Ability to steal data from the local or network filesystem. A subset of the System Compromise category.

Session ID theft or fixation

An attacker could read or set session information (cookies, local data store, HTTPSOnly cookies from an HTTP session, etc.).
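As an added illustration (not Mozilla code, and not part of the original page) of what "mitigating" this category means in a process-isolated design: if the cookie jar lives in the parent process and content processes have to ask for cookies over IPC, the parent can enforce the read and write policy where a compromised content process cannot bypass it. The architecture, the `visible_cookies` / `may_set_cookie` functions and the sample jar below are all assumed for the example; the checks themselves follow the Secure and HttpOnly cookie semantics and the simplified domain-matching rule of RFC 6265.

```python
# Added example: a parent-process cookie policy for a process-isolated browser.
# Hypothetical design, not Mozilla code: the cookie jar lives in the parent
# (chrome) process and content processes ask for cookies over IPC, so the
# checks below run where a compromised content process cannot bypass them.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # host (or parent domain) the cookie was set for
    secure: bool     # "Secure" attribute: only readable from HTTPS contexts
    http_only: bool  # "HttpOnly" attribute: hidden from page script


# Constructed sample jar (not real data).
SAMPLE_JAR = [
    Cookie("sid", "abc123", "example.com", secure=True, http_only=True),
    Cookie("prefs", "dark", "example.com", secure=False, http_only=False),
    Cookie("tracker", "x", "ads.test", secure=False, http_only=False),
]


def _domain_matches(request_host: str, cookie_domain: str) -> bool:
    """Simplified RFC 6265 domain matching: exact host or a subdomain of it."""
    host = request_host.lower()
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def visible_cookies(jar, requesting_url: str, from_script: bool = False):
    """Cookies a content process rendering `requesting_url` is allowed to read.

    Three checks, each closing one path in the "session ID theft" category:
      - domain match: a process for evil.test never sees example.com cookies;
      - Secure: an HTTP-origin process never sees HTTPS-only cookies;
      - HttpOnly: page script never sees cookies flagged HttpOnly.
    """
    parts = urlsplit(requesting_url)
    host = parts.hostname or ""
    allowed = []
    for c in jar:
        if not _domain_matches(host, c.domain):
            continue
        if c.secure and parts.scheme != "https":
            continue
        if from_script and c.http_only:
            continue
        allowed.append(c)
    return allowed


def may_set_cookie(jar, requesting_url: str, new: Cookie) -> bool:
    """Whether a content process at `requesting_url` may store `new`.

    Rejects the fixation paths: a non-HTTPS origin may neither create a Secure
    cookie nor overwrite/shadow an existing Secure cookie of the same name
    (the "leave Secure cookies alone" rule from RFC 6265bis).
    """
    parts = urlsplit(requesting_url)
    host = parts.hostname or ""
    if not _domain_matches(host, new.domain):
        return False                     # may only set cookies for its own domain
    if parts.scheme == "https":
        return True
    if new.secure:
        return False                     # HTTP origin asking for a Secure cookie
    for existing in jar:
        if (existing.name == new.name and existing.secure
                and _domain_matches(host, existing.domain)):
            return False                 # would shadow a Secure session cookie
    return True


if __name__ == "__main__":
    for url in ("http://example.com/", "https://example.com/", "https://evil.test/"):
        print(url, [c.name for c in visible_cookies(SAMPLE_JAR, url)])
    forged = Cookie("sid", "attacker-chosen", "example.com", secure=False, http_only=False)
    print("HTTP origin may fixate sid:", may_set_cookie(SAMPLE_JAR, "http://example.com/", forged))
```

The point of the example is where the checks run, not the checks themselves: the same logic inside the content process would be worthless once that process is compromised, which is exactly the limitation the threat model has to communicate.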

User interface compromise

The user interface could be compromised to trick the user into making an incorrect trust decision or to directly disclose credentials or other sensitive information.