ktg-plugin-marketplace/plugins/llm-security/playground/test-fixtures/threat-model.md
Kjell Tore Guttormsen ce3891bdd0 feat(llm-security): playground Phase 3 — v7.5.0 with 18 parsers/renderers
The single-file SPA playground now has a parser + renderer for all 18
produces_report=true commands (Phase 2: 10 high-prio + Phase 3: 8
remaining: mcp-inspect, supply-check, pre-deploy, diff, watch,
registry, clean, threat-model). 18 markdown test fixtures serve as
contract anchors for parser development.

The complete demo project `dft-komplett-demo` has all 18 reports
pre-parsed inline — click-through without "parser not implemented"
panels. 2 new archetypes in KEY_STATS_CONFIG: kanban-buckets (clean)
and matrix-risk (threat-model).

Bug fix: normalizeVerdictText now checks GO-WITH-CONDITIONS /
CONDITIONAL / BETINGET BEFORE plain GO so that a conditional verdict
(pre-deploy with open conditions) does not collapse to ALLOW.

Exposed 11 window globals for testing/automation (__store,
__navigate, __loadDemoState, __PARSERS, __RENDERERS, __CATALOG,
__inferVerdict, __inferKeyStats, __renderPageShell,
__handlePasteImport, __scheduleRender). 12 Playwright-generated
screenshots in playground/screenshots/v7.5.0/.

A11Y report (WCAG 2.1 AA): 0 blocking, 3 minor improvements
flagged for the v7.5.x patch (skip-link, heading hierarchy on project,
aria-live toast).

Version bump 7.4.0 -> 7.5.0 in 10 files (package.json, plugin.json,
CLAUDE.md header, README badge, CHANGELOG entry, 3 scanner VERSION
constants, ROADMAP, marketplace-root README).

No scanner or hook behavior changes — purely additive surface.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-05 22:15:47 +02:00


# Threat Model — STRIDE + MAESTRO

## Header

| Field | Value |
|---|---|
| Report type | threat-model |
| Target | DFT data-platform RAG-system |
| System | rag-platform v3.2.0 |
| Date | 2026-05-05 |
| Framework | STRIDE + MAESTRO |
| Version | llm-security v7.4.0 |
| Triggered by | /security threat-model |

## Risk Dashboard

| Metric | Value |
|---|---|
| Risk Score | 52/100 |
| Risk Band | High |
| Grade | C |
| Verdict | WARNING |

| Severity | Count |
|---|---|
| Critical | 1 |
| High | 3 |
| Medium | 4 |
| Low | 2 |
| Info | 0 |
| Total | 10 |

Verdict rationale: 1 CRITICAL on token-theft via cross-tenant context bleed (M5/MAESTRO authorization). 3 HIGH on prompt-injection chains and source-document tampering. Threat model produced; mitigations pending architectural sign-off.


## Risk matrix (5×5)

| Threat | Likelihood | Impact | Score |
|---|---|---|---|
| TM-001 — Cross-tenant context bleed via index sharing | 4 | 5 | 20 |
| TM-002 — Prompt injection via source documents | 4 | 4 | 16 |
| TM-003 — Source document tampering (pre-ingest) | 3 | 4 | 12 |
| TM-004 — Embedding inversion attack | 2 | 5 | 10 |
| TM-005 — RAG output exfil via tool call | 3 | 3 | 9 |
| TM-006 — DOS via expensive query patterns | 4 | 2 | 8 |
| TM-007 — Authorization bypass on retrieval | 2 | 4 | 8 |
| TM-008 — Logging gap for prompt history | 3 | 2 | 6 |
| TM-009 — Side-channel via response timing | 2 | 3 | 6 |
| TM-010 — Stale embeddings post-rotation | 2 | 2 | 4 |
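As an added example (not code from the llm-security plugin or its playground), a small parser for the risk matrix table above that also enforces the 5×5 contract a fixture-anchored parser test would check: every Score must equal Likelihood × Impact, both in 1..5. The table excerpt is constructed from the rows above, using the English column names.

```javascript
// Added example, not the playground's own parser. Parses a markdown pipe table
// such as the threat-model fixture's "Risk matrix (5x5)" and validates it.

// Constructed excerpt of the fixture's matrix table (four of the ten rows).
const FIXTURE_EXCERPT = `
| Threat | Likelihood | Impact | Score |
|---|---|---|---|
| TM-001 — Cross-tenant context bleed via index sharing | 4 | 5 | 20 |
| TM-002 — Prompt injection via source documents | 4 | 4 | 16 |
| TM-006 — DOS via expensive query patterns | 4 | 2 | 8 |
| TM-010 — Stale embeddings post-rotation | 2 | 2 | 4 |
`;

// Split a markdown table into rows of trimmed cell strings; the |---| separator is skipped.
function parseMarkdownTable(text) {
  return text.trim().split("\n")
    .map(line => line.trim())
    .filter(line => line.startsWith("|") && !/^\|\s*-+/.test(line))
    .map(line => line.slice(1, -1).split("|").map(cell => cell.trim()));
}

// Turn matrix rows into objects keyed by header name; "TM-001 — title" is split into id and title.
function parseRiskMatrix(text) {
  const [header, ...rows] = parseMarkdownTable(text);
  const col = name => header.indexOf(name);
  return rows.map(cells => {
    const [id, ...title] = cells[col("Threat")].split(/\s+[—-]\s+/);
    return {
      id: id.trim(),
      title: title.join(" ").trim(),
      likelihood: Number(cells[col("Likelihood")]),
      impact: Number(cells[col("Impact")]),
      score: Number(cells[col("Score")]),
    };
  });
}

// Contract check for a 5x5 matrix: likelihood and impact in 1..5, score = likelihood * impact.
function validateRiskMatrix(entries) {
  const problems = [];
  for (const e of entries) {
    if (![e.likelihood, e.impact].every(v => Number.isInteger(v) && v >= 1 && v <= 5))
      problems.push(`${e.id}: likelihood/impact outside 1..5`);
    if (e.likelihood * e.impact !== e.score)
      problems.push(`${e.id}: score ${e.score} != ${e.likelihood}*${e.impact}`);
  }
  return problems;
}

// Rank threat ids by score, highest first (ties keep fixture order), as a key-stats view would.
function rankByScore(entries) {
  return [...entries].sort((a, b) => b.score - a.score).map(e => e.id);
}
```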

## Threats

| ID | Description | Severity | Mitigation |
|---|---|---|---|
| TM-001 | Cross-tenant context bleed via index sharing — single Azure AI Search index across all tenants | critical | Tenant-isolated indexes OR row-level security with tenant_id filter |
| TM-002 | Prompt injection via source documents — adversarial PDF in corpus | high | Trust-Bus wrapper + Constrained Markdown parser + pre-ingest scanning |
| TM-003 | Source document tampering pre-ingest — supply chain on doc pipeline | high | Signed manifests + SHA-256 verification at ingest |
| TM-004 | Embedding inversion attack — recover source text from embeddings | medium | Use private embedding model OR add noise to stored embeddings |
| TM-005 | RAG output exfil via tool call (Bash, WebFetch chained from RAG output) | high | Hook-level data-flow tracking (post-session-guard.mjs trifecta) |
| TM-006 | DOS via expensive query patterns | medium | Query budget + per-tenant rate limit |
| TM-007 | Authorization bypass on retrieval | medium | Validate tenant_id from auth claim, not request payload |
| TM-008 | Logging gap for prompt history | medium | Append-only audit log, retain 90d |
| TM-009 | Side-channel via response timing | low | Constant-time response shaping for sensitive paths |
| TM-010 | Stale embeddings post-rotation | low | Embedding version tag + rotation playbook |

## STRIDE Coverage

| Category | Count | Notes |
|---|---|---|
| Spoofing | 1 | TM-007 |
| Tampering | 2 | TM-003, TM-010 |
| Repudiation | 1 | TM-008 |
| Information Disclosure | 3 | TM-001, TM-004, TM-009 |
| Denial of Service | 1 | TM-006 |
| Elevation of Privilege | 2 | TM-002, TM-005 |

## MAESTRO Coverage

| Layer | Count | Notes |
|---|---|---|
| L1 Foundation Models | 0 | Out of scope for this assessment |
| L2 Data Operations | 4 | TM-001, TM-003, TM-004, TM-010 |
| L3 Agentic Frameworks | 0 | RAG only, no agents in this layer |
| L4 Deployment & Infra | 1 | TM-006 |
| L5 Evaluation & Observability | 1 | TM-008 |
| L6 Security & Compliance | 1 | TM-009 |
| L7 Agent Ecosystem | 3 | TM-002, TM-005, TM-007 |

## Mitigation Roadmap

| Priority | Threat | Mitigation | Owner | ETA |
|---|---|---|---|---|
| P0 | TM-001 | Tenant-isolated indexes | platform-eng | 2026-05-15 |
| P0 | TM-002 | Trust-Bus + Constrained Markdown | ai-platform | 2026-05-22 |
| P1 | TM-003 | Signed manifests + ingest verification | data-eng | 2026-05-29 |
| P1 | TM-005 | Hook-level data-flow tracking | security-eng | 2026-05-22 |
| P2 | TM-006, TM-007, TM-008 | Rate limit + auth + audit log | platform-eng | 2026-06-15 |
| P3 | TM-004, TM-009, TM-010 | Embedding hardening | research | 2026-Q3 |

## Recommendations

1. Immediate (P0): Tenant-isolated indexes — TM-001 is THE critical risk for this multi-tenant RAG.
2. Immediate (P0): Trust-Bus wrapper and Constrained Markdown parser — TM-002 closes the highest-volume injection vector.
3. High (P1): Signed-manifest pipeline (TM-003) and hook-level data-flow tracking (TM-005).
4. Medium (P2): Rate limit + auth fix + audit log — bundled together for one platform-eng sprint.

Threat model complete. 10 threats across STRIDE + MAESTRO frameworks. 2 P0, 2 P1.