Skip to content

Latest commit

 

History

History
91 lines (76 loc) · 8.13 KB

threat-modeling.md

File metadata and controls

91 lines (76 loc) · 8.13 KB

Threat Model Analysis for cloudwu/skynet

Threat: Unhandled Exceptions in Lua Scripts (Leading to Actor Crash)

  • Threat: Unhandled Exceptions in Lua Scripts (Leading to Actor Crash)
    • Description: An attacker sends crafted messages that cause unhandled exceptions within a Lua script running inside a Skynet actor. This exploits the interaction between Skynet's message handling and the Lua runtime. The lack of proper pcall/xpcall usage within the Skynet context makes this Skynet-specific.
    • Impact: Actor crash, leading to denial of service for that actor and potentially cascading failures if other actors depend on it. May expose internal state information.
    • Skynet Component Affected: lua-skynet.c (Lua integration), specific Lua scripts within actors.
    • Risk Severity: High
    • Mitigation Strategies:
      • Implement robust error handling in all Lua scripts using pcall or xpcall to catch and handle exceptions gracefully. This is crucial for Skynet's stability.
      • Log all errors with sufficient context for debugging.
      • Validate all input data before processing it within the Lua script.
      • Use a linter for Lua code.

Threat: Global Variable Corruption in Lua (Across Actors)

  • Threat: Global Variable Corruption in Lua (Across Actors)
    • Description: An attacker exploits a vulnerability in one actor's Lua script to modify global variables shared across the Skynet environment. This leverages Skynet's shared Lua state, making it a Skynet-specific concern.
    • Impact: Unpredictable behavior in multiple actors, data corruption, potential privilege escalation within the Skynet cluster.
    • Skynet Component Affected: lua-skynet.c (Lua integration), global Lua state managed by Skynet.
    • Risk Severity: High
    • Mitigation Strategies:
      • Minimize the use of global variables in Lua scripts within the Skynet environment.
      • Use module-level variables (local to the script) whenever possible.
      • If global variables must be used, carefully control access and validate modifications. This is critical in the shared Skynet context.
      • Consider a stricter Lua sandbox that further restricts access to the global state managed by Skynet.

Threat: Deadlock due to Circular Message Dependencies (Within Skynet)

  • Threat: Deadlock due to Circular Message Dependencies (Within Skynet)
    • Description: An attacker triggers a sequence of messages between Skynet actors that creates a circular dependency. This is a direct consequence of Skynet's actor model and message passing.
    • Impact: Complete deadlock of the involved Skynet actors, leading to denial of service.
    • Skynet Component Affected: skynet_server.c (message dispatch), skynet_mq.c (message queue), the logic of the interacting Skynet actors.
    • Risk Severity: High
    • Mitigation Strategies:
      • Carefully design message passing protocols within Skynet to avoid circular dependencies.
      • Use a directed acyclic graph (DAG) to visualize message flows and identify potential cycles within the Skynet actor network.
      • Implement timeouts on message sends and receives within Skynet's message handling to break potential deadlocks.
      • Monitor Skynet's internal metrics (message queue lengths, actor responsiveness) to detect deadlocks.

Threat: Message Flooding (DoS Targeting Skynet's Message Queue)

  • Threat: Message Flooding (DoS Targeting Skynet's Message Queue)
    • Description: An attacker sends a large number of messages to a specific actor or to the Skynet cluster, overwhelming Skynet's internal message queue. This directly targets Skynet's core communication mechanism.
    • Impact: Denial of service for the targeted actor or the entire Skynet cluster.
    • Skynet Component Affected: skynet_mq.c (message queue), skynet_server.c (message dispatch), skynet_timer.c (timer management, potentially affected by queue overload).
    • Risk Severity: High
    • Mitigation Strategies:
      • Implement rate limiting on incoming messages, both globally and per actor, within Skynet's configuration.
      • Use a message queue with a bounded size and implement a backpressure mechanism within Skynet to handle overload.
      • Monitor Skynet's internal message queue lengths and processing times.
      • Consider dedicated message queues for critical Skynet services.

Threat: Replay Attack on Non-Idempotent Operations (Within Skynet Actors)

  • Threat: Replay Attack on Non-Idempotent Operations (Within Skynet Actors)
    • Description: An attacker intercepts a legitimate message sent between Skynet actors that performs a non-idempotent operation and resends it. This exploits the lack of idempotency handling within the Skynet actor communication.
    • Impact: Duplicate operations, data corruption, unauthorized actions within the Skynet cluster.
    • Skynet Component Affected: The logic of the Skynet actor handling the non-idempotent operation.
    • Risk Severity: High
    • Mitigation Strategies:
      • Implement idempotency for all operations within Skynet actors where possible. Use unique request identifiers and track them.
      • If idempotency is not possible, implement a mechanism within the Skynet actor to detect and reject duplicate messages (sequence numbers, timestamps).

Threat: Buffer Overflow in skynet_mq.c (Skynet Core Vulnerability)

  • Threat: Buffer Overflow in skynet_mq.c (Skynet Core Vulnerability)
    • Description: An attacker sends a specially crafted message with an excessively large payload that overflows a buffer within Skynet's core message queue implementation. This is a direct vulnerability in Skynet itself.
    • Impact: Complete system compromise, denial of service, arbitrary code execution within the Skynet process.
    • Skynet Component Affected: skynet_mq.c (message queue).
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Keep Skynet up-to-date with the latest security patches. This is paramount.
      • Perform regular security audits of the Skynet codebase, focusing on skynet_mq.c.
      • Use memory-safe programming techniques in the C code (bounds checking).
      • Use tools like AddressSanitizer and Valgrind to detect memory errors during Skynet's development and testing.

Threat: Malicious Service Registration (Abusing Skynet's Service Discovery)

  • Threat: Malicious Service Registration (Abusing Skynet's Service Discovery)
    • Description: An attacker registers a malicious service with Skynet's service registry, impersonating a legitimate service. This directly targets Skynet's service management.
    • Impact: Traffic redirection to the malicious service, data interception, denial of service for the legitimate service within the Skynet cluster.
    • Skynet Component Affected: The Skynet service registry (implementation depends on configuration, but is a core Skynet concept).
    • Risk Severity: High
    • Mitigation Strategies:
      • Implement authentication and authorization for service registration within Skynet. Only trusted actors should register services.
      • Use a secure and trusted service registry integrated with Skynet.
      • Validate service names and addresses before Skynet actors connect to them.
      • Monitor Skynet's service registry for suspicious activity.