Skip to content

Latest commit

 

History

History
79 lines (64 loc) · 7.17 KB

threat-modeling.md

File metadata and controls

79 lines (64 loc) · 7.17 KB

Threat Model Analysis for ossrs/srs

Threat: RTMP Chunk Stream ID Overflow

  • Threat: RTMP Chunk Stream ID Overflow
    • Description: An attacker sends a crafted RTMP stream with an extremely large or manipulated Chunk Stream ID (CSID) value. The attacker aims to cause an integer overflow or other unexpected behavior within SRS's RTMP parsing logic, potentially leading to a crash or memory corruption.
    • Impact: Denial of Service (DoS) due to server crash. Potential for Remote Code Execution (RCE) if memory corruption is exploitable.
    • SRS Component Affected: RTMP module, specifically the srs_rtmp_handshake.c and srs_protocol_rtmp.c files (and related functions handling RTMP packet parsing).
    • Risk Severity: High (potentially Critical if RCE is possible).
    • Mitigation Strategies:
      • Developer: Implement strict bounds checking on the CSID value during RTMP packet parsing. Ensure that all integer operations involving CSID are safe and prevent overflows. Use a static analysis tool to identify potential integer overflow vulnerabilities.
      • User: Keep SRS updated to the latest version.

Threat: WebRTC SDP Offer/Answer Manipulation

  • Threat: WebRTC SDP Offer/Answer Manipulation
    • Description: An attacker intercepts and modifies the SDP (Session Description Protocol) offer or answer during WebRTC negotiation. The attacker could inject malicious codecs, manipulate ICE candidates, or attempt to exploit vulnerabilities in SRS's WebRTC implementation.
    • Impact: Denial of Service (DoS), potential for unauthorized access to streams, or even RCE if vulnerabilities exist in the WebRTC stack.
    • SRS Component Affected: WebRTC module, specifically the SDP parsing and handling logic (likely within files like srs_app_rtc_server.cpp and related files).
    • Risk Severity: High.
    • Mitigation Strategies:
      • Developer: Implement strict validation of SDP offers and answers. Enforce allowed codecs and parameters. Use a secure signaling channel (e.g., HTTPS) to prevent MITM attacks on the SDP exchange. Keep the WebRTC library (libwebrtc) updated.
      • User: Use HTTPS for all WebRTC signaling. Keep SRS and the WebRTC library updated.

Threat: FFmpeg Transcoding Vulnerability (CVE Exploitation)

  • Threat: FFmpeg Transcoding Vulnerability (CVE Exploitation)
    • Description: An attacker crafts a malicious input stream (e.g., RTMP) that exploits a known or unknown vulnerability in FFmpeg, which SRS uses for transcoding. The attacker aims to achieve RCE on the SRS server.
    • Impact: Remote Code Execution (RCE), complete server compromise.
    • SRS Component Affected: Transcoding module (specifically, the interaction with FFmpeg libraries). This is likely within files like srs_app_transcoder.cpp.
    • Risk Severity: Critical.
    • Mitigation Strategies:
      • Developer: Keep FFmpeg updated to the absolute latest version, including security patches. Regularly monitor FFmpeg security advisories. Consider using a sandboxed environment for transcoding processes. Implement strict input validation before passing data to FFmpeg.
      • User: Keep SRS and FFmpeg updated. Minimize the use of complex transcoding configurations. Run SRS with limited privileges.

Threat: HTTP API Authentication Bypass

  • Threat: HTTP API Authentication Bypass
    • Description: An attacker bypasses the authentication mechanism for the SRS HTTP API (if enabled). The attacker gains unauthorized access to control and configure the SRS server.
    • Impact: Complete server compromise, unauthorized stream manipulation, configuration changes.
    • SRS Component Affected: HTTP API module (likely within files like srs_http_api.cpp).
    • Risk Severity: Critical.
    • Mitigation Strategies:
      • Developer: Implement strong authentication for the HTTP API. Use secure password hashing algorithms. Protect against common web vulnerabilities (e.g., CSRF, session fixation).
      • User: Use strong, unique passwords for the HTTP API. Disable the HTTP API if it's not needed. Restrict access to the API to trusted IP addresses. Use HTTPS for the API.

Threat: Configuration File Injection

  • Threat: Configuration File Injection
    • Description: An attacker gains write access to the SRS configuration file (e.g., through a separate vulnerability or insider threat). The attacker modifies the configuration to introduce malicious settings, such as disabling security features or redirecting streams.
    • Impact: Server compromise, unauthorized stream access, denial of service.
    • SRS Component Affected: Configuration parsing logic (likely within srs_core_config.cpp).
    • Risk Severity: High.
    • Mitigation Strategies:
      • Developer: Implement strict file permissions to prevent unauthorized access to the configuration file. Validate the configuration file for integrity before loading it.
      • User: Protect the configuration file with strong file permissions. Regularly audit the configuration file for unauthorized changes. Use a secure configuration management system.

Threat: DDoS Attack on SRS Ports

  • Threat: DDoS Attack on SRS Ports
    • Description: An attacker floods the SRS server's listening ports (e.g., 1935 for RTMP, 8080 for HTTP) with a large volume of traffic, making the server unavailable to legitimate users.
    • Impact: Denial of Service (DoS).
    • SRS Component Affected: All network-facing components (RTMP, HTTP, WebRTC, SRT modules).
    • Risk Severity: High.
    • Mitigation Strategies:
      • Developer: Implement rate limiting and connection limiting in SRS.
      • User: Use a DDoS mitigation service (e.g., Cloudflare, AWS Shield). Configure firewall rules to limit traffic to known sources. Use a load balancer to distribute traffic across multiple SRS instances.

Threat: Unpatched SRS Vulnerability (Zero-Day)

  • Threat: Unpatched SRS Vulnerability (Zero-Day)
    • Description: An attacker exploits a previously unknown vulnerability in SRS (a "zero-day" vulnerability).
    • Impact: Varies depending on the vulnerability (DoS, RCE, information disclosure).
    • SRS Component Affected: Potentially any component.
    • Risk Severity: Critical (until patched).
    • Mitigation Strategies:
      • Developer: Conduct regular security audits and code reviews. Participate in bug bounty programs. Implement a robust vulnerability disclosure process.
      • User: Keep SRS updated to the absolute latest version. Monitor security advisories and mailing lists. Implement a robust intrusion detection system (IDS). Have an incident response plan in place.