Threat models over space and time: A case study of end‐to‐end‐encrypted messaging applications

Partha Das Chowdhury; Maria Sameen; Jenny  Blessing; Nicholas Boucher; Joe Gardiner; Tom  Burrows; Ross Anderson; Awais Rashid

doi:10.1002/spe.3341

Threat models over space and time: A case study of end‐to‐end‐encrypted messaging applications

Partha Das Chowdhury^*, Maria Sameen, Jenny Blessing, Nicholas Boucher, Joe Gardiner, Tom Burrows, Ross Anderson, Awais Rashid

^*Corresponding author for this work

Research output: Contribution to journal › Article (Academic Journal) › peer-review

Abstract

Threat modeling is one of the foundations of secure systems engineering and must take heed of the context within which systems operate. In this work, we explore the extent to which real-world systems engineering reflects a changing threat context. We examine the desktop clients of six widely used end-to-end-encrypted mobile messaging applications to understand the extent to which they adjusted their threat model over space (when enabling clients on new platforms, such as desktop clients) and time (as new threats emerged). We experimented with short-lived adversarial access against these desktop clients and analyzed the results using two popular threat elicitation frameworks, STRIDE and LINDDUN. The results demonstrate that system designers need to track threats in the evolving context within which systems operate and, more importantly, mitigate them by rescoping trust boundaries so that they remain consistent with administrative boundaries. A nuanced understanding of the relationship between trust and administration is vital for robust security, including the provision of safe defaults.

Original language	English
Pages (from-to)	2316-2335
Number of pages	20
Journal	Software: practice and experience
Volume	54
Issue number	12
Early online date	22 May 2024
DOIs	https://doi.org/10.1002/spe.3341
Publication status	Published - 1 Dec 2024

Bibliographical note

Publisher Copyright:
© 2024 The Authors. Software: Practice and Experience published by John Wiley & Sons Ltd.

Access to Document

10.1002/spe.3341Licence: CC BY

Handle.net

Persistent link

Cite this

@article{55f867c78aee4c10a00e93d6d3e9e922,

title = "Threat models over space and time: A case study of end‐to‐end‐encrypted messaging applications",

abstract = "Threat modeling is one of the foundations of secure systems engineering and must take heed of the context within which systems operate. In this work, we explore the extent to which real-world systems engineering reflects a changing threat context. We examine the desktop clients of six widely used end-to-end-encrypted mobile messaging applications to understand the extent to which they adjusted their threat model over space (when enabling clients on new platforms, such as desktop clients) and time (as new threats emerged). We experimented with short-lived adversarial access against these desktop clients and analyzed the results using two popular threat elicitation frameworks, STRIDE and LINDDUN. The results demonstrate that system designers need to track threats in the evolving context within which systems operate and, more importantly, mitigate them by rescoping trust boundaries so that they remain consistent with administrative boundaries. A nuanced understanding of the relationship between trust and administration is vital for robust security, including the provision of safe defaults.",

author = "{Das Chowdhury}, Partha and Maria Sameen and Jenny Blessing and Nicholas Boucher and Joe Gardiner and Tom Burrows and Ross Anderson and Awais Rashid",

note = "Publisher Copyright: {\textcopyright} 2024 The Authors. Software: Practice and Experience published by John Wiley & Sons Ltd.",

year = "2024",

month = dec,

day = "1",

doi = "10.1002/spe.3341",

language = "English",

volume = "54",

pages = "2316--2335",

journal = "Software: practice and experience",

issn = "0038-0644",

publisher = "John Wiley & Sons, Inc",

number = "12",

}

TY - JOUR

T1 - Threat models over space and time

T2 - A case study of end‐to‐end‐encrypted messaging applications

AU - Das Chowdhury, Partha

AU - Sameen, Maria

AU - Blessing, Jenny

AU - Boucher, Nicholas

AU - Gardiner, Joe

AU - Burrows, Tom

AU - Anderson, Ross

AU - Rashid, Awais

PY - 2024/12/1

Y1 - 2024/12/1

N2 - Threat modeling is one of the foundations of secure systems engineering and must take heed of the context within which systems operate. In this work, we explore the extent to which real-world systems engineering reflects a changing threat context. We examine the desktop clients of six widely used end-to-end-encrypted mobile messaging applications to understand the extent to which they adjusted their threat model over space (when enabling clients on new platforms, such as desktop clients) and time (as new threats emerged). We experimented with short-lived adversarial access against these desktop clients and analyzed the results using two popular threat elicitation frameworks, STRIDE and LINDDUN. The results demonstrate that system designers need to track threats in the evolving context within which systems operate and, more importantly, mitigate them by rescoping trust boundaries so that they remain consistent with administrative boundaries. A nuanced understanding of the relationship between trust and administration is vital for robust security, including the provision of safe defaults.

AB - Threat modeling is one of the foundations of secure systems engineering and must take heed of the context within which systems operate. In this work, we explore the extent to which real-world systems engineering reflects a changing threat context. We examine the desktop clients of six widely used end-to-end-encrypted mobile messaging applications to understand the extent to which they adjusted their threat model over space (when enabling clients on new platforms, such as desktop clients) and time (as new threats emerged). We experimented with short-lived adversarial access against these desktop clients and analyzed the results using two popular threat elicitation frameworks, STRIDE and LINDDUN. The results demonstrate that system designers need to track threats in the evolving context within which systems operate and, more importantly, mitigate them by rescoping trust boundaries so that they remain consistent with administrative boundaries. A nuanced understanding of the relationship between trust and administration is vital for robust security, including the provision of safe defaults.

U2 - 10.1002/spe.3341

DO - 10.1002/spe.3341

M3 - Article (Academic Journal)

SN - 0038-0644

VL - 54

SP - 2316

EP - 2335

JO - Software: practice and experience

JF - Software: practice and experience

IS - 12

ER -

Threat models over space and time: A case study of end‐to‐end‐encrypted messaging applications

Abstract

Bibliographical note

Access to Document

Handle.net

Fingerprint

Cite this