Hi Hu, I read the threat model and I have a question regarding a potential threat. I'm not sure whether it should belong to this generic threat model or whether it is already included in one of those presented.
The scenario is the following: an NS App X uses a RoT Service that stores data private to X. Another NS App Y can fool the SPE into impersonating X and retrieve its private data. For example, X saves a value in the secure storage and Y retrieves this value. TF-M prevents this using the non-secure client identification mechanism. This is a classic confused deputy problem.
Can this be considered a threat in this model or should it belong to another model/TOE?
Best,
--
Antonio Ken Iannillo
Research Scientist – SEDAN group
SnT – Interdisciplinary Centre for Security, Reliability and Trust
UNIVERSITÉ DU LUXEMBOURG
CAMPUS KIRCHBERG
29, avenue John F. Kennedy
L-1855 Luxembourg Kirchberg
T +352 46 66 44 9660
tf-m@lists.trustedfirmware.org
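The scenario in the message above, as an added example that is not part of the post and is not TF-M code: a toy secure service that stores one value per non-secure client. In the vulnerable design the service keys its storage by an identity the caller writes into the request payload, so App Y can claim to be App X and read X's value. In the hardened design the key is the client identity assigned by the SPM (the role `psa_msg_t.client_id` plays in TF-M), which the caller cannot influence. The dispatcher `spm_deliver`, the request layout and the client IDs `APP_X` / `APP_Y` are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CLIENTS 4

/* Constructed NS client IDs. PSA Firmware Framework uses negative IDs for
 * non-secure clients; these particular values are made up for the example. */
#define APP_X (-1)
#define APP_Y (-2)

/* A request as the (modelled) secure service sees it. */
typedef struct {
    int32_t client_id;   /* filled in by the SPM from the calling context */
    int32_t claimed_id;  /* written by the caller inside the payload */
    uint32_t value;
} request_t;

static uint32_t store[MAX_CLIENTS];   /* one slot per NS client */

/* Map a negative NS client ID to a storage slot, or -1 if out of range. */
static int slot_of(int32_t client_id)
{
    if (client_id >= 0 || -client_id > MAX_CLIENTS)
        return -1;
    return -client_id - 1;
}

/* Vulnerable service: trusts the identity the caller put in the payload. */
static int vuln_put(const request_t *r)
{
    int s = slot_of(r->claimed_id);
    if (s < 0) return -1;
    store[s] = r->value;
    return 0;
}
static int vuln_get(const request_t *r, uint32_t *out)
{
    int s = slot_of(r->claimed_id);
    if (s < 0) return -1;
    *out = store[s];
    return 0;
}

/* Hardened service: keys storage by the SPM-assigned identity only.
 * The payload's claimed_id is never consulted. */
static int safe_put(const request_t *r)
{
    int s = slot_of(r->client_id);
    if (s < 0) return -1;
    store[s] = r->value;
    return 0;
}
static int safe_get(const request_t *r, uint32_t *out)
{
    int s = slot_of(r->client_id);
    if (s < 0) return -1;
    *out = store[s];
    return 0;
}

/* Stand-in for the SPM: client_id comes from the actual caller, the
 * caller only controls the payload (claimed_id and value). */
static request_t spm_deliver(int32_t actual_caller, int32_t claimed, uint32_t value)
{
    request_t r = { .client_id = actual_caller, .claimed_id = claimed, .value = value };
    return r;
}

/* The scenario from the post: X saves a value, then Y asks for it while
 * claiming to be X. Returns 1 if Y obtained X's value, 0 otherwise. */
static int run_scenario(int (*put)(const request_t *),
                        int (*get)(const request_t *, uint32_t *))
{
    const uint32_t secret = 0xC0FFEEu;   /* constructed private value of X */
    uint32_t got = 0;
    memset(store, 0, sizeof store);

    request_t x_put = spm_deliver(APP_X, APP_X, secret);
    put(&x_put);

    request_t y_get = spm_deliver(APP_Y, APP_X, 0);  /* Y lies about who it is */
    if (get(&y_get, &got) != 0)
        return 0;
    return got == secret;
}

int vuln_leaks_secret(void)     { return run_scenario(vuln_put, vuln_get); }
int hardened_leaks_secret(void) { return run_scenario(safe_put, safe_get); }

int main(void)
{
    printf("payload-keyed service leaks X's value to Y: %d\n", vuln_leaks_secret());
    printf("SPM-id-keyed service leaks X's value to Y:  %d\n", hardened_leaks_secret());
    return 0;
}
```

The point of the model is where the identity comes from: any identity that travels inside the caller-controlled payload is an assertion by the caller, while an identity attached by the SPM from the calling context is a fact about the caller. A service that keys per-client state must use the latter.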