Context and assumptions

Setting up the scene

Alice wishes to start hosting a coordination platform for her activist group, but she doesn't want to host the platform herself for the following reasons:

• Shes does not want to have incriminating data in her house
• She is unable to provide the required level if high availability for her group's safety and operational standards
• She has limited bandwidth/electricity to devote to her cause

She gets in touch with Bob, owner and operator of Bob's friendly datacenter, and orders from him a VPS (Virtual Private Server). Bob's pretty open-minded so Alice is free to use whatever OS she wants, gets a public IP.

Enters Leo

One day Bob's phone rings, it's Leo calling! Leo asks Bob to confirm that he indeed has Alice as a customer. Without further ado, Leo pays Bob a visit! After entering the premises and showing a government agency badge, Leo asks for complete access to Bob's infrastructure and binds him with a gag order to make sure no one hears about his investigation. Even if Bob is sympathetic to Alice or wishes to protect his customers he would now run afoul of his country's laws if he were to warn them. Leo might have been nice to him but he is not to be trifled with...

Leo sets up shop

Commandeering an office in Bob's datacenter, Leo gets to work. He has plenty of options:

1. Network sniffing: Leo can capture and log ALL trafic related to Alice's activity inside Bob's datacenter, so he will know the IP of everyone interacting with her platform
2. Firmware/hardware attacks: during maintenance windows, Leo could tamper with the BIOS/UEFI of Alice's server (if she had chosen a bare-metal option), or with her server's storage devices in order to deactivate encryption or exfiltrate data unnoticed
3. Memory attacks: Leo is able to take snapshots of Alice's VPS RAM to gather information about her activities. If she had chosen a bare-metal server he could cut the power, extract and refrigerate the RAM sticks in order to retrieve the data, but such an attack would be very conspicuous

Alice's threat model

Alice is very happy with her new deployment. The platform runs great and her team has started using it in earnest. Still, the bond of implicit trust that now exists between her and Bob bothers here. She decides to do a quick threat modelling exercise to calm her mind: instead of wondering about whatifs, she is going to identify the risks associated with her current setup and find ways to mitigate them.

Threats to Confidentiality

If Bob was dishonest (or compelled into acting dishonestly), he would be able to harvest information directly from her server's memory! (She doesn't know Leo is already hard at work)

Impacted assets

• decryption keys (eg: her https private key, allowing for complete decryption of her team's traffic)
• sensitive data (ephemeral private messages on her forum that arer only kepy in RAM in an unencrypted form)
• software state (session cookies, metadata)

Bob could also use side-channel attacks by monitoring the underlying server's power usage or run cache timing attack to find the value of her cryptographic secret keys even if Bob's hardware allows her to store them in a dedicated secure chip!

Threats to integrity

Someone with Bob's level of access (he is the administrator of the hypervisor - the software that runs Alice's virtual server) could also:

• Run an evil maid attack: inject thir own code in the bootloader, in Alice's OS image or inside the hypervisor which Alice can't monitor
• Through the hypervisor, tamper with Alice's virtual machine to compromise it

Threats to availability

Having access to the physical layer of the network as well as the power grid feeding the servers, Bob could disrupt Alice's operations in the following way:

• Disconnect Alice's VM from the network
• Throttle Alice's network traffic
• Cut the power off to Alice's host server to perform a cold boot attack