2. Threat Model¶
Remember Shannon’s Maxim and Kerckhoffs’ principle: You should assume that all adversaries know the design of your client application and have access to your source code.
The Datastore adversary and Revoked User Adversaries are independent and do not collaborate.
2.1. Datastore Adversary¶
The Datastore is an untrusted service hosted on a server and network controlled by an adversary. The adversary can view and record the content and metadata of all requests (set/get/delete) to the Datastore API. This allows the adversary to know who stored which key-value entry, when, and what the contents are.
The adversary can add new key-value entries at any time and can modify any existing key-value entry. However, the Datastore will never execute a rollback attack (full or partial).
The Datastore will not launch any Denial of Service (DoS) attacks. However, assume that it implements a rate-limiting scheme which prevents a user from enumerating the key/value pairs in the Datastore.
2.2. Revoked User Adversary¶
Assume that each user records all of the requests that their client makes to Datastore and the corresponding responses.
A user who is granted access to a file is considered trusted and will only use their client to interact with Datastore. However, after a user has their access to a shared file revoked, that user may become malicious, ignore your client implementation, and use the Datastore API directly.
Malicious users could try to perform operations on arbitrary files by utilizing the request/response information that they recorded before their access was revoked. All writes to Datastore made by a user in an attempt to modify file content or re-acquire access to file are malicious actions.