Improve a bit our threat model

author: jvoisin 2018-06-19 23:39:06 +0200
committer: jvoisin 2018-06-19 23:39:06 +0200
commit: 120c3bf72f46a125695b3f9104943a25492010e4 (patch)
tree: a48798997584c5a75ea90b2c13383c99f97d0b00 /doc/threat_model.md
parent: 84277740a9531337ce725687af7ea6d5462a0c97 (diff)
1 files changed, 23 insertions, 17 deletions
diff --git a/doc/threat_model.md b/doc/threat_model.md
index 963a3ee..26e3741 100644
--- a/doc/threat_model.md
+++ b/doc/threat_model.md
@@ -1,5 +1,6 @@
 Threat Model
 ============
 The Metadata Anonymisation Toolkit 2 adversary has a number
 of goals, capabilities, and counter-attack types that can be
 used to guide us towards a set of requirements for the MAT2.
@@ -13,17 +14,18 @@ Mat only removes standard metadata from your files, it does _not_:
  - anonymise their content (the substance and the form)
  - handle watermarking
-  - handle steganography
+  - handle steganography nor homoglyphs
  - handle stylometry
  - handle any non-standard metadata field/system
 If you really want to be anonymous format that does not contain any
 metadata, or better : use plain-text ASCII without trailing spaces.
-And as usual, think before clicking.
+And as usual, think twice before clicking.
 Adversary
------------
+---------
 * Goals:
@@ -40,17 +42,18 @@ Adversary
    to directly identify the author and/or source, his next
    goal is to determine the source of the equipment used
    to produce, copy, and transmit the document. This can
-    include the model of camera used to take a photo, or
+    include the model of camera used to take a photo or a film, 
-    which software was used to produce an office document.
+    which software was used to produce an office document, …
 * Adversary Capabilities - Positioning
    - The adversary created the document specifically for this
    user. This is the strongest position for the adversary to
    have. In this case, the adversary is capable of inserting
    arbitrary, custom watermarks specifically for tracking
-    the user. In general, MAT cannot defend against this
+    the user. In general, MAT2 cannot defend against this
-    adversary, but we list it for completeness.
+    adversary, but we list it for completeness' sake.
    - The adversary created the document for a group of users.
    In this case, the adversary knows that they attempted to
@@ -58,30 +61,33 @@ Adversary
    or may not have watermarked the document for these
    users, but they certainly know the format used.
-    - The adversary did not create the document, the weakest
+                - The adversary did not create the document, the weakest
-    position for the adversary to have. The file format is (most of the time)
+                position for the adversary to have. The file format is
-     standard, nothing custom is added: MAT
+                (most of the time) standard, nothing custom is added:
-    should be able to remove all meta-information from the
+                MAT2 must be able to remove all metadata from the file.
-    file.
 Requirements
---------------
+------------
 * Processing
-    - The MAT2 *should* avoid interactions with information.
+    - MAT2 *should* avoid interactions with information.
    Its goal is to remove metadata, and the user is solely
    responsible for the information of the file.
-    - The MAT2 *must* warn when encountering an unknown
+    - MAT2 *must* warn when encountering an unknown
    format. For example, in a zipfile, if MAT encounters an
    unknown format, it should warn the user, and ask if the
    file should be added to the anonymised archive that is
    produced.
-    - The MAT2 *must* not add metadata, since its purpose is to
+    - MAT2 *must* not add metadata, since its purpose is to
    anonymise files: every added items of metadata decreases
    anonymity.
-    - The MAT2 *should* handle unknown/hidden metadata fields,
+    - MAT2 *should* handle unknown/hidden metadata fields,
    like proprietary extensions of open formats.
+                - MAT2 *must not* fail silently. Upon failure,
+                MAT2 *must not* modify the file in any way.
author	jvoisin	2018-06-19 23:39:06 +0200
committer	jvoisin	2018-06-19 23:39:06 +0200
commit	120c3bf72f46a125695b3f9104943a25492010e4 (patch)
tree	a48798997584c5a75ea90b2c13383c99f97d0b00 /doc/threat_model.md
parent	84277740a9531337ce725687af7ea6d5462a0c97 (diff)

diff --git a/doc/threat_model.md b/doc/threat_model.md index 963a3ee..26e3741 100644 --- a/doc/threat_model.md +++ b/doc/threat_model.md
@@ -1,5 +1,6 @@
1	Threat Model	1	Threat Model
2	============	2	============
		3
3	The Metadata Anonymisation Toolkit 2 adversary has a number	4	The Metadata Anonymisation Toolkit 2 adversary has a number
4	of goals, capabilities, and counter-attack types that can be	5	of goals, capabilities, and counter-attack types that can be
5	used to guide us towards a set of requirements for the MAT2.	6	used to guide us towards a set of requirements for the MAT2.
@@ -13,17 +14,18 @@ Mat only removes standard metadata from your files, it does _not_:
13		14
14	- anonymise their content (the substance and the form)	15	- anonymise their content (the substance and the form)
15	- handle watermarking	16	- handle watermarking
16	- handle steganography	17	- handle steganography nor homoglyphs
17	- handle stylometry	18	- handle stylometry
18	- handle any non-standard metadata field/system	19	- handle any non-standard metadata field/system
19		20
20	If you really want to be anonymous format that does not contain any	21	If you really want to be anonymous format that does not contain any
21	metadata, or better : use plain-text ASCII without trailing spaces.	22	metadata, or better : use plain-text ASCII without trailing spaces.
22	And as usual, think before clicking.	23
		24	And as usual, think twice before clicking.
23		25
24		26
25	Adversary	27	Adversary
26	------------	28	---------
27		29
28	* Goals:	30	* Goals:
29		31
@@ -40,17 +42,18 @@ Adversary
40	to directly identify the author and/or source, his next	42	to directly identify the author and/or source, his next
41	goal is to determine the source of the equipment used	43	goal is to determine the source of the equipment used
42	to produce, copy, and transmit the document. This can	44	to produce, copy, and transmit the document. This can
43	include the model of camera used to take a photo, or	45	include the model of camera used to take a photo or a film,
44	which software was used to produce an office document.	46	which software was used to produce an office document, …
45		47
46		48
47	* Adversary Capabilities - Positioning	49	* Adversary Capabilities - Positioning
		50
48	- The adversary created the document specifically for this	51	- The adversary created the document specifically for this
49	user. This is the strongest position for the adversary to	52	user. This is the strongest position for the adversary to
50	have. In this case, the adversary is capable of inserting	53	have. In this case, the adversary is capable of inserting
51	arbitrary, custom watermarks specifically for tracking	54	arbitrary, custom watermarks specifically for tracking
52	the user. In general, MAT cannot defend against this	55	the user. In general, MAT2 cannot defend against this
53	adversary, but we list it for completeness.	56	adversary, but we list it for completeness' sake.
54		57
55	- The adversary created the document for a group of users.	58	- The adversary created the document for a group of users.
56	In this case, the adversary knows that they attempted to	59	In this case, the adversary knows that they attempted to
@@ -58,30 +61,33 @@ Adversary
58	or may not have watermarked the document for these	61	or may not have watermarked the document for these
59	users, but they certainly know the format used.	62	users, but they certainly know the format used.
60		63
61	- The adversary did not create the document, the weakest	64	- The adversary did not create the document, the weakest
62	position for the adversary to have. The file format is (most of the time)	65	position for the adversary to have. The file format is
63	standard, nothing custom is added: MAT	66	(most of the time) standard, nothing custom is added:
64	should be able to remove all meta-information from the	67	MAT2 must be able to remove all metadata from the file.
65	file.	68
66		69
67	Requirements	70	Requirements
68	---------------	71	------------
69		72
70	* Processing	73	* Processing
71	- The MAT2 should avoid interactions with information.	74
		75	- MAT2 should avoid interactions with information.
72	Its goal is to remove metadata, and the user is solely	76	Its goal is to remove metadata, and the user is solely
73	responsible for the information of the file.	77	responsible for the information of the file.
74		78
75	- The MAT2 must warn when encountering an unknown	79	- MAT2 must warn when encountering an unknown
76	format. For example, in a zipfile, if MAT encounters an	80	format. For example, in a zipfile, if MAT encounters an
77	unknown format, it should warn the user, and ask if the	81	unknown format, it should warn the user, and ask if the
78	file should be added to the anonymised archive that is	82	file should be added to the anonymised archive that is
79	produced.	83	produced.
80		84
81	- The MAT2 must not add metadata, since its purpose is to	85	- MAT2 must not add metadata, since its purpose is to
82	anonymise files: every added items of metadata decreases	86	anonymise files: every added items of metadata decreases
83	anonymity.	87	anonymity.
84		88
85	- The MAT2 should handle unknown/hidden metadata fields,	89	- MAT2 should handle unknown/hidden metadata fields,
86	like proprietary extensions of open formats.	90	like proprietary extensions of open formats.
87		91
		92	- MAT2 must not fail silently. Upon failure,
		93	MAT2 must not modify the file in any way.