ktg-plugin-marketplace/plugins/llm-security/playground/test-fixtures/threat-model.md
Kjell Tore Guttormsen ce3891bdd0 feat(llm-security): playground Phase 3 — v7.5.0 with 18 parsers/renderers
The single-file SPA playground now has a parser + renderer for all 18
produces_report=true commands (Phase 2: 10 high-priority + Phase 3: 8
remaining: mcp-inspect, supply-check, pre-deploy, diff, watch,
registry, clean, threat-model). 18 markdown test fixtures serve
as contract anchors for parser development.

The complete demo project `dft-komplett-demo` has all 18 reports
pre-parsed inline — click-through without "parser not implemented"
panels. 2 new archetypes in KEY_STATS_CONFIG: kanban-buckets (clean)
and matrix-risk (threat-model).

Bug fix: normalizeVerdictText now checks GO-WITH-CONDITIONS /
CONDITIONAL / BETINGET BEFORE plain GO, so a conditional verdict (pre-deploy
with open conditions) does not collapse to ALLOW.

Exposed 11 window globals for testing/automation (__store,
__navigate, __loadDemoState, __PARSERS, __RENDERERS, __CATALOG,
__inferVerdict, __inferKeyStats, __renderPageShell,
__handlePasteImport, __scheduleRender). 12 Playwright-generated
screenshots in playground/screenshots/v7.5.0/.

A11Y report (WCAG 2.1 AA): 0 blocking, 3 minor improvements
flagged for the v7.5.x patch (skip link, heading hierarchy on project,
aria-live toast).

Version bump 7.4.0 -> 7.5.0 in 10 files (package.json, plugin.json,
CLAUDE.md header, README badge, CHANGELOG entry, 3 scanner VERSION
constants, ROADMAP, marketplace root README).

No scanner or hook behavior changes — purely additive surface.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-05 22:15:47 +02:00


# Threat Model — STRIDE + MAESTRO
---
## Header
| Field | Value |
|-------|-------|
| **Report type** | threat-model |
| **Target** | DFT data-platform RAG-system |
| **System** | rag-platform v3.2.0 |
| **Date** | 2026-05-05 |
| **Framework** | STRIDE + MAESTRO |
| **Version** | llm-security v7.4.0 |
| **Triggered by** | /security threat-model |
---
## Risk Dashboard
| Metric | Value |
|--------|-------|
| **Risk Score** | 52/100 |
| **Risk Band** | High |
| **Grade** | C |
| **Verdict** | WARNING |

| Severity | Count |
|----------|------:|
| Critical | 1 |
| High | 3 |
| Medium | 4 |
| Low | 2 |
| Info | 0 |
| **Total** | **10** |

**Verdict rationale:** 1 CRITICAL on token-theft via cross-tenant context bleed (M5/MAESTRO authorization). 3 HIGH on prompt-injection chains and source-document tampering. Threat model produced; mitigations pending architectural sign-off.
---
## Risk Matrix (5×5)
| Threat | Likelihood | Impact | Score |
|--------|-----------:|-------:|------:|
| TM-001 — Cross-tenant context bleed via index sharing | 4 | 5 | 20 |
| TM-002 — Prompt injection via source documents | 4 | 4 | 16 |
| TM-003 — Source document tampering (pre-ingest) | 3 | 4 | 12 |
| TM-004 — Embedding inversion attack | 2 | 5 | 10 |
| TM-005 — RAG output exfil via tool call | 3 | 3 | 9 |
| TM-006 — DOS via expensive query patterns | 4 | 2 | 8 |
| TM-007 — Authorization bypass on retrieval | 2 | 4 | 8 |
| TM-008 — Logging gap for prompt history | 3 | 2 | 6 |
| TM-009 — Side-channel via response timing | 2 | 3 | 6 |
| TM-010 — Stale embeddings post-rotation | 2 | 2 | 4 |
---
## Threats
| ID | Description | Severity | Mitigation |
|----|-------------|----------|------------|
| TM-001 | Cross-tenant context bleed via index sharing — single Azure AI Search index across all tenants | critical | Tenant-isolated indexes OR row-level security with tenant_id filter |
| TM-002 | Prompt injection via source documents — adversarial PDF in corpus | high | Trust-Bus wrapper + Constrained Markdown parser + pre-ingest scanning |
| TM-003 | Source document tampering pre-ingest — supply chain on doc pipeline | high | Signed manifests + SHA-256 verification at ingest |
| TM-004 | Embedding inversion attack — recover source text from embeddings | medium | Use private embedding model OR add noise to stored embeddings |
| TM-005 | RAG output exfil via tool call (Bash, WebFetch chained from RAG output) | high | Hook-level data-flow tracking (post-session-guard.mjs trifecta) |
| TM-006 | DOS via expensive query patterns | medium | Query budget + per-tenant rate limit |
| TM-007 | Authorization bypass on retrieval | medium | Validate tenant_id from auth claim, not request payload |
| TM-008 | Logging gap for prompt history | medium | Append-only audit log, retain 90d |
| TM-009 | Side-channel via response timing | low | Constant-time response shaping for sensitive paths |
| TM-010 | Stale embeddings post-rotation | low | Embedding version tag + rotation playbook |
---
## STRIDE Coverage
| Category | Count | Notes |
|----------|------:|-------|
| Spoofing | 1 | TM-007 |
| Tampering | 2 | TM-003, TM-010 |
| Repudiation | 1 | TM-008 |
| Information Disclosure | 3 | TM-001, TM-004, TM-009 |
| Denial of Service | 1 | TM-006 |
| Elevation of Privilege | 2 | TM-002, TM-005 |
---
## MAESTRO Coverage
| Layer | Count | Notes |
|-------|------:|-------|
| L1 Foundation Models | 0 | Out of scope for this assessment |
| L2 Data Operations | 4 | TM-001, TM-003, TM-004, TM-010 |
| L3 Agentic Frameworks | 0 | RAG only, no agents in this layer |
| L4 Deployment & Infra | 1 | TM-006 |
| L5 Evaluation & Observability | 1 | TM-008 |
| L6 Security & Compliance | 1 | TM-009 |
| L7 Agent Ecosystem | 3 | TM-002, TM-005, TM-007 |
---
## Mitigation Roadmap
| Priority | Threat | Mitigation | Owner | ETA |
|----------|--------|------------|-------|-----|
| P0 | TM-001 | Tenant-isolated indexes | platform-eng | 2026-05-15 |
| P0 | TM-002 | Trust-Bus + Constrained Markdown | ai-platform | 2026-05-22 |
| P1 | TM-003 | Signed manifests + ingest verification | data-eng | 2026-05-29 |
| P1 | TM-005 | Hook-level data-flow tracking | security-eng | 2026-05-22 |
| P2 | TM-006, TM-007, TM-008 | Rate limit + auth + audit log | platform-eng | 2026-06-15 |
| P3 | TM-004, TM-009, TM-010 | Embedding hardening | research | 2026-Q3 |
---
## Recommendations
1. **Immediate (P0):** Tenant-isolated indexes — TM-001 is THE critical risk for this multi-tenant RAG.
2. **Immediate (P0):** Trust-Bus wrapper and Constrained Markdown parser — TM-002 closes the highest-volume injection vector.
3. **High (P1):** Signed-manifest pipeline (TM-003) and hook-level data-flow tracking (TM-005).
4. **Medium (P2):** Rate limit + auth fix + audit log — bundled together for one platform-eng sprint.
---
*Threat model complete. 10 threats across STRIDE + MAESTRO frameworks. 2 P0, 2 P1.*
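Since fixtures like this one anchor the playground's parsers, here is an added example (not code from the llm-security plugin or its playground) of a minimal JavaScript parser for the report's pipe tables together with the two consistency checks a fixture-driven parser test would run: every risk-matrix Score must equal Likelihood × Impact, and the per-severity counts in the Threats table must match the Risk Dashboard. `FIXTURE` is a constructed three-threat subset of the report above using its English headings; `table` and `checkFixture` are hypothetical names.

```javascript
// Added example (not llm-security plugin code): parse the threat-model fixture's
// pipe tables and run two cross-checks. FIXTURE is a constructed subset of the report above.
const FIXTURE = `
## Risk Dashboard
| Severity | Count |
|----------|------:|
| Critical | 1 |
| High | 1 |
| Medium | 0 |
| Low | 1 |
| **Total** | **3** |

## Risk Matrix (5×5)
| Threat | Likelihood | Impact | Score |
|--------|-----------:|-------:|------:|
| TM-001 — Cross-tenant context bleed via index sharing | 4 | 5 | 20 |
| TM-002 — Prompt injection via source documents | 4 | 4 | 16 |
| TM-009 — Side-channel via response timing | 2 | 3 | 6 |

## Threats
| ID | Description | Severity | Mitigation |
|----|-------------|----------|------------|
| TM-001 | Cross-tenant context bleed | critical | Tenant-isolated indexes |
| TM-002 | Prompt injection via source documents | high | Trust-Bus wrapper |
| TM-009 | Side-channel via response timing | low | Constant-time response shaping |
`;

// Pipe table under "## <heading>" as row objects; delimiter row skipped, **bold** stripped.
function table(md, heading) {
  const lines = md.split(`## ${heading}\n`)[1].split("\n\n")[0].trim().split("\n");
  const cells = (l) => l.slice(1, -1).split("|").map((c) => c.replace(/\*\*/g, "").trim());
  const [header, , ...body] = lines;
  const keys = cells(header);
  return body.map((l) => Object.fromEntries(cells(l).map((v, i) => [keys[i], v])));
}

// Check 1: each matrix Score equals Likelihood × Impact. Check 2: per-severity
// counts in Threats match the Risk Dashboard. Returns offenders (empty when consistent).
function checkFixture(md) {
  const matrix = table(md, "Risk Matrix (5×5)");
  const badScores = matrix
    .filter((r) => Number(r.Likelihood) * Number(r.Impact) !== Number(r.Score))
    .map((r) => r.Threat.split(" — ")[0]);
  const counts = {};
  for (const t of table(md, "Threats")) counts[t.Severity] = (counts[t.Severity] || 0) + 1;
  const mismatches = table(md, "Risk Dashboard")
    .filter((r) => r.Severity !== "Total" && (counts[r.Severity.toLowerCase()] || 0) !== Number(r.Count))
    .map((r) => r.Severity);
  return { threats: matrix.length, badScores, mismatches };
}
```

Running `checkFixture` on a fixture whose score or severity cells were edited by hand returns the offending threat IDs and dashboard rows, which is the kind of contract drift a parser test should catch before the renderer is touched.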