Skip to content

Latest commit

 

History

History
38 lines (29 loc) · 5.89 KB

threat-modeling.md

File metadata and controls

38 lines (29 loc) · 5.89 KB

Threat Model Analysis for jetbrains/compose-jb

Threat: Unsafe Native Interop (JVM) - Code Execution

  • Description: An attacker exploits vulnerabilities in the application's native code interactions, specifically those facilitated by Compose Multiplatform's expect/actual mechanism or direct platform API calls from within Compose-managed code, to execute arbitrary code. This leverages the ability of Compose to bridge Kotlin code with native platform functionalities. Crafted input passed through Compose UI elements to a flawed native function can trigger this.
    • Impact: Complete system compromise, data theft, malware installation, denial of service.
    • Affected Component: expect/actual implementations targeting the JVM within Compose code. Composable functions that directly or indirectly call native code via JNI or similar, especially those handling user-supplied data originating from Compose UI elements.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Developer: Minimize expect/actual usage for security-sensitive operations. If unavoidable, rigorously validate and sanitize all data passed to native code, even if it originates from Compose UI components. Prefer safer, higher-level abstractions provided by Compose or well-vetted Kotlin Multiplatform libraries. Thoroughly audit and fuzz-test any native interop code, particularly focusing on the data flow from Compose UI elements to native functions. Consider using memory-safe languages (e.g., Rust) for native components called from Compose.

Threat: Unsafe Native Interop (JVM) - Privilege Escalation

  • Description: Similar to the code execution threat, but the attacker gains elevated privileges on the system by exploiting vulnerabilities in native code accessed through Compose Multiplatform's interop mechanisms. This might involve a Compose UI action triggering a native function that interacts with system resources in an insecure way.
    • Impact: Attacker gains administrative/root access, enabling system control, data access, and security bypass.
    • Affected Component: expect/actual implementations targeting the JVM within Compose code. Composable functions interacting with native libraries that have access to privileged operations, especially when triggered by user interactions within the Compose UI.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Developer: Same as above, with a critical emphasis on the principle of least privilege. Ensure the Compose application and its native components run with the absolute minimum necessary permissions. Avoid using expect/actual for tasks requiring elevated privileges unless strictly necessary and thoroughly secured. Audit the permission model of the application and its interaction with the OS through Compose.

Threat: JavaScript Interop Vulnerabilities (Wasm/JS) - XSS

  • Description: An attacker injects malicious JavaScript code through vulnerabilities in Compose for Web's Kotlin/Wasm to JavaScript interop. This exploits the necessary interaction between Compose's Kotlin/Wasm code and the browser's JavaScript environment. Unsanitized user input within a Compose UI element, passed to a JavaScript function via js(...) or an external declaration, can trigger this.
    • Impact: Cross-site scripting (XSS), enabling cookie theft, redirection to malicious sites, application defacement, and other actions within the user's browser session.
    • Affected Component: Kotlin code within Compose for Web using js(...) calls, external declarations for JavaScript functions. Composable functions that handle user input and pass it to JavaScript, or that render data received from JavaScript without proper escaping within the Compose UI.
    • Risk Severity: High
    • Mitigation Strategies:
      • Developer: Always treat data from JavaScript as untrusted, even if it appears to originate from within the Compose application. Sanitize and validate all data passed between Kotlin/Wasm and JavaScript, especially data originating from Compose UI input fields. Minimize js(...) usage; prefer Compose's built-in UI components and data handling. Use a strict Content Security Policy (CSP). Ensure proper output encoding when rendering data within Compose UI elements, leveraging Compose's built-in mechanisms for safe rendering.

Threat: JavaScript Interop Vulnerabilities (Wasm/JS) - Data Exfiltration

  • Description: An attacker uses vulnerabilities in Compose for Web's JavaScript interop to exfiltrate sensitive data. This leverages the bridge between Kotlin/Wasm and JavaScript to access data within the Compose application's memory or to make network requests. A compromised Compose UI component could be manipulated to leak data through this interop layer.
    • Impact: Leakage of sensitive user data (passwords, personal information, financial data).
    • Affected Component: Kotlin code within Compose for Web using js(...) or external declarations. Composable functions that access sensitive data and also interact with JavaScript, particularly those that handle user input or display data.
    • Risk Severity: High
    • Mitigation Strategies:
      • Developer: Same as for XSS, with a strong emphasis on minimizing the exposure of sensitive data to JavaScript. Implement strict access controls within the Compose application to limit what data can be accessed through the JavaScript interop layer. Audit the data flow between Compose UI components and JavaScript code to identify potential exfiltration paths.