From fba71d08ba420b633ac99b5ae1a8ace7649eb0a8 Mon Sep 17 00:00:00 2001
From: Michael McCool
Date: Thu, 1 Sep 2022 09:18:18 -0300
Subject: [PATCH 1/8] remove arch-security-consideration-public-metadata-only;
redundant
---
index.html | 4 ----
1 file changed, 4 deletions(-)
diff --git a/index.html b/index.html
index 41d092d1..caec3986 100644
--- a/index.html
+++ b/index.html
@@ -4104,10 +4104,6 @@ Thing Description Private Security Data Risk
There SHOULD be a strict separation of
Public Security Metadata and Private Security Data.
-
- Producers of TDs and extensions meant to be used in TDs
- MUST ensure that only Public Security Metadata
- is ever stored in TDs.
Authentication and authorization
SHOULD be established based on separately managed Private Security Data.
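Review bot: the deleted MUST ("Producers of TDs and extensions meant to be used in TDs MUST ensure that only Public Security Metadata is ever stored in TDs") is not redundant with the sentence kept above it: "There SHOULD be a strict separation" is a weaker keyword and is addressed to the system as a whole, whereas the removed text was the only normative requirement placed on TD producers. If the requirement now lives in the Thing Description specification, cite that location here; otherwise keep it, for example as "Producers of TDs MUST NOT include Private Security Data in TDs."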
From 8ea6e76bac6ffee0eda06fac339cbeb97c0786cd Mon Sep 17 00:00:00 2001
From: Michael McCool
Date: Thu, 1 Sep 2022 09:23:17 -0300
Subject: [PATCH 2/8] make
arch-security-consideration-other-programming-mechanisms informative
---
index.html | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/index.html b/index.html
index caec3986..323e3003 100644
--- a/index.html
+++ b/index.html
@@ -4158,11 +4158,10 @@ WoT Scripting API Risks
mitigations.
-
In general,
these risks and mitigations should also be applied to any system
that supports programmable behavior for WoT systems,
- not just the WoT Scripting API.
+ not just the WoT Scripting API.
Cross-Script Security Risk
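Review bot: the removed and added "not just the WoT Scripting API." lines are textually identical in this hunk, so the change that makes the paragraph informative (presumably markup that this diff view does not show) cannot be verified from the visible lines. Please state in the commit message which markup was changed, and check that the paragraph no longer appears in the generated assertion list, since the sentence still reads as a recommendation ("should also be applied").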
From 5a1b8945cd3baf8cae147721140add6e90f96268 Mon Sep 17 00:00:00 2001
From: Michael McCool
Date: Thu, 1 Sep 2022 09:42:03 -0300
Subject: [PATCH 3/8] reword isolation assertions
---
index.html | 31 +++++++++++++++----------------
1 file changed, 15 insertions(+), 16 deletions(-)
diff --git a/index.html b/index.html
index 323e3003..4fdb413c 100644
--- a/index.html
+++ b/index.html
@@ -3418,11 +3418,11 @@ WoT Runtime
defines such an application-facing interface that follows the Thing abstraction
and enables the deployment of behavior implementations during runtime through application scripts.
See for alternative APIs, which can also only be available during compile time.
- In general, application logic should be executed in isolated execution environments
- to prevent unauthorized access to the management aspects of the WoT Runtime,
+ In general, application logic should be executed in sandboxed execution environments
+ that prevent unauthorized access to the management aspects of the WoT Runtime from the application code,
in particular the Private Security Data.
- In multi-tenant Servients, additional execution environment isolation is required for the different
- tenants.
+ In multi-tenant Servients, different tenants should also be prevented from accessing each other's data
+ without authorization.
A WoT Runtime needs to provide certain operations to manage the lifecycle of Things,
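Review bot: replacing "additional execution environment isolation is required for the different tenants" with "different tenants should also be prevented from accessing each other's data without authorization" both downgrades the requirement and narrows it. Execution-environment isolation also covers integrity (one tenant's script altering another tenant's behaviour) and resource isolation, while the new wording only addresses data access. Suggest "different tenants should also run in separate sandboxed execution environments so that they cannot access each other's data or code without authorization." Also, "sandboxed" is introduced here without a definition; either define it in the terminology section or keep "isolated", the term the rest of this document uses.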
@@ -4169,8 +4169,8 @@
Cross-Script Security Risk
In basic WoT setups, all scripts running inside the
WoT Runtime are considered trusted,
distributed by the manufacturer, and therefore there
- is no strong need to perform strict isolation
- between each running script instance. However,
+ is no strong need to perform isolate
+ script instances from each other. However,
depending on device capabilities, deployment use
case scenarios, and risk level it might be desirable
to do so. For example, if one script handles
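Review bot: "is no strong need to perform isolate script instances from each other" is ungrammatical; the added lines should read "is no strong need to isolate script instances from each other." Patch 7/8 in this series makes exactly that fix; squash it here so the series has no intermediate broken state.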
@@ -4182,27 +4182,26 @@ Cross-Script Security Risk
example is mutual co-existence of different tenants
on a single WoT device. In this case each WoT
runtime instance will be hosting a different tenant,
- and isolation between them is required.
+ and preventing tenants from accessing each other's data
+ without authorization will generally be needed.
- Mitigation:
-
The WoT Runtime SHOULD perform isolation of
- script instances and their data in cases when
+ script instances and their data from each other in cases when
scripts handle sensitive data.
Similarly, the WoT Runtime
implementation SHOULD perform isolation of WoT
- Runtime instances and their data if a WoT
+ Runtime instances and their data from each other if a WoT
device has more than one tenant.
- Such isolation
- can be performed within the WoT Runtime
- using platform security mechanisms available on
- the device. For more information see Sections
- "WoT Servient Single-Tenant" and "WoT Servient
- Multi-Tenant" of the WoT Security and Privacy
- Guidelines specification [[WOT-SECURITY]].
+ In practice, isolation of scripts and runtime instances from each other
+ this can be accomplished by running all instances
+ in a "sandboxed" environment that controls its access to the rest of the environment.
+ For more information see Sections "WoT Servient Single-Tenant" and "WoT Servient
+ Multi-Tenant" of the WoT Security and Privacy Guidelines specification [[?WOT-SECURITY]].
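Review bot: the added sentence "In practice, isolation of scripts and runtime instances from each other this can be accomplished" has a stray "this"; drop it (patch 4/8 does so and could be squashed here). Two further points. Removing the "Mitigation:" line takes away the label that the other risk sections in this chapter use to separate the risk description from its mitigation, so the SHOULD assertions that follow now read as part of the risk description. And the replacement text drops "using platform security mechanisms available on the device", which is the practical guidance implementers need. Suggest keeping "Mitigation:" and writing "by running each instance in a sandboxed environment, built on the platform security mechanisms available on the device, that controls its access to the rest of the system." Switching the reference to [[?WOT-SECURITY]] is consistent with the pointer being informative.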
From ea2bf0c454e9154ce0ad1e7287f5cb01629be031 Mon Sep 17 00:00:00 2001
From: Michael McCool
Date: Thu, 1 Sep 2022 09:49:41 -0300
Subject: [PATCH 4/8] fix typo
---
index.html | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/index.html b/index.html
index 4fdb413c..cc056a4c 100644
--- a/index.html
+++ b/index.html
@@ -4198,7 +4198,7 @@ Cross-Script Security Risk
Runtime instances and their data from each other if a WoT
device has more than one tenant.
In practice, isolation of scripts and runtime instances from each other
- this can be accomplished by running all instances
+ can be accomplished by running all instances
in a "sandboxed" environment that controls its access to the rest of the environment.
For more information see Sections "WoT Servient Single-Tenant" and "WoT Servient
Multi-Tenant" of the WoT Security and Privacy Guidelines specification [[?WOT-SECURITY]].
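Review bot: with "this" removed the sentence parses, but "controls its access" still has a mismatched antecedent, since "all instances" is plural. Either "controls their access to the rest of the environment" or "running each instance in a sandboxed environment that controls its access" fixes it.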
From ae389e6959ccee813d234b02bd90ae412feb0be0 Mon Sep 17 00:00:00 2001
From: Michael McCool
Date: Wed, 7 Sep 2022 13:22:30 -0300
Subject: [PATCH 5/8] fixes to section 10 and 11
---
index.html | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/index.html b/index.html
index cc056a4c..dca84382 100644
--- a/index.html
+++ b/index.html
@@ -4293,14 +4293,15 @@ Security Credentials Storage Risk
In case
there are more than one tenant on a single
WoT-enabled device, a WoT Runtime
- implementation should guarantee isolation of
- each tenant's provisioned security credentials.
+ implementation SHOULD isolate
+ each tenant's provisioned security credentials
+ from other tenants.
- Additionally, in order to minimize a risk that
+ In order to minimize a risk that
provisioned security credentials get
compromised, the WoT Runtime
implementation SHOULD NOT expose any API for
- scripts to query the provisioned security
+ scripts to query provisioned security
credentials.
Such credentials (or even better,
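Review bot: "implementation SHOULD isolate each tenant's provisioned security credentials from other tenants" raises the lowercase "should guarantee" to an RFC 2119 SHOULD, so make sure the paragraph is marked up as an assertion like the other SHOULD statements in this chapter; otherwise it will be missing from the assertion list and the implementation report. Minor, in the unchanged context: "minimize a risk that" reads better as "minimize the risk that".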
@@ -4565,12 +4566,13 @@ Thing Description Personally Identifiable
Distribution mechanisms for TDs SHOULD ensure they are
only provided to authorized Consumers.
- Note that the WoT Discovery mechanism is designed to address this
- specific issue, as long as it is used with authentication and access
+ Note that the WoT Discovery mechanism is designed to address these
+ specific issues, as long as it is used with authentication and access
controls on exploration services.
-
- Unnecessary information
- SHOULD NOT be exposed in TDs whenever possible.
+
+ As a general matter of policy,
+ unnecessary information
+ should not be exposed in TDs whenever possible.
For example, explicit type and instance identifying information in TDs should
only be included if it is needed by the use case.
Even if required by the use case,
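Review bot: "Unnecessary information SHOULD NOT be exposed in TDs whenever possible" becomes "As a general matter of policy, unnecessary information should not be exposed in TDs whenever possible", which drops a normative assertion and double-hedges what remains ("should not" plus "whenever possible"). If the intent is to make this informative because it is not testable, say so in the commit message and drop "whenever possible"; the concrete, testable part that follows (type and instance identifiers only when needed by the use case) could keep a SHOULD. Also, "address these specific issues" is now plural, but the only issue visible in this hunk's preceding context is distribution to authorized Consumers; check that the earlier text actually lists more than one.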
From 2cab8dbafb79624f84c1a1253f39d35650087f96 Mon Sep 17 00:00:00 2001
From: Michael McCool
Date: Wed, 7 Sep 2022 13:33:28 -0300
Subject: [PATCH 6/8] 11.2 downgrade to SHOULD
---
index.html | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/index.html b/index.html
index dca84382..712bd79b 100644
--- a/index.html
+++ b/index.html
@@ -4601,25 +4601,29 @@ Access to Personally Identifiable Information
Mitigation:
-Things returning data or metadata (such as TDs) associated with a person MUST use some form of access control.
+Things returning data or metadata (such as TDs) associated with a person SHOULD use some form of access control.
A special case of this is a Thing Description Directory,
as described in [[WOT-DISCOVERY]], which is a Thing that returns
Thing Descriptions as data. Such directory services are included
in the above statement and
- required to use access control if the TDs describe Things associated with
+ should use access control if the TDs describe Things associated with
identifiable people. In the case of services
returning Thing Descriptions, the following also applies:
-Services returning Thing Descriptions with immutable IDs MUST use some form of access control.
+Services returning Thing Descriptions with immutable IDs SHOULD use some form of access control.
Specifically, in both of these situations, the nosec
security
- scheme described in [[WOT-THING-DESCRIPTION]] cannot be used,
+ scheme described in [[WOT-THING-DESCRIPTION]] should not be used,
as it provides no access control.
Following the principle that Thing Descriptions describing
Things associated with specific persons should be treated as
PII, even if they do not explictly contain it, this implies
- that directories providing such TDs cannot use nosec
.
- Again it should be noted that access controls are generally only
- effective when secure transport is also available;
+ that directories providing such TDs should not use nosec
.
+ Generally speaking,
+ the only exceptions should be cases where access is controlled
+ by another mechanism not described in the TD itself, such as a
+ segmented network.
+ Again it should also be noted that access controls are generally only
+ effective when secure transport is also used;
see .
Use of access controls without secure transport, at best,
only discourages casual access by unauthorized parties.
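Review bot: the MUST-to-SHOULD downgrade is paired with a new exception ("access is controlled by another mechanism not described in the TD itself, such as a segmented network") that a Consumer cannot verify from the TD, and network segmentation restricts who can reach the Thing, not which of the reachable parties is authorized to read a person's data. Suggest adding that deployments relying on this exception document the out-of-band control, and that the exception does not extend to copies of the TD exposed outside the segment (for example through a directory). Two text fixes in the touched region: "explictly" in the context line should be "explicitly", and "see ." has an empty cross-reference that should point at the secure transport section.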
From 5a55bf3e058edb42abc2f3659fae36da64df32f9 Mon Sep 17 00:00:00 2001
From: Michael Lagally <31951801+mlagally@users.noreply.github.com>
Date: Thu, 8 Sep 2022 12:52:48 +0200
Subject: [PATCH 7/8] Update index.html
---
index.html | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/index.html b/index.html
index 712bd79b..3a58566b 100644
--- a/index.html
+++ b/index.html
@@ -4169,7 +4169,7 @@ Cross-Script Security Risk
In basic WoT setups, all scripts running inside the
WoT Runtime are considered trusted,
distributed by the manufacturer, and therefore there
- is no strong need to perform isolate
+ is no strong need to isolate
script instances from each other. However,
depending on device capabilities, deployment use
case scenarios, and risk level it might be desirable
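Review bot: squash this one-word fix into patch 3/8, which introduced "perform isolate"; as a separate commit titled "Update index.html" it leaves an intermediate ungrammatical state in the history and gives future readers nothing to search for.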
From b0651836a7d5df76a7cadc6320532f8e3788a06b Mon Sep 17 00:00:00 2001
From: Michael Lagally <31951801+mlagally@users.noreply.github.com>
Date: Thu, 8 Sep 2022 12:52:55 +0200
Subject: [PATCH 8/8] Update index.html
---
index.html | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/index.html b/index.html
index 3a58566b..2a83f01e 100644
--- a/index.html
+++ b/index.html
@@ -4617,7 +4617,7 @@ Access to Personally Identifiable Information
Following the principle that Thing Descriptions describing
Things associated with specific persons should be treated as
PII, even if they do not explictly contain it, this implies
- that directories providing such TDs should not use nosec
.
+ that directories providing such TDs should use access control.
Generally speaking,
the only exceptions should be cases where access is controlled
by another mechanism not described in the TD itself, such as a
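Review bot: the replacement sentence "this implies that directories providing such TDs should use access control" now repeats what the same section already says a few lines earlier ("Such directory services ... should use access control if the TDs describe Things associated with identifiable people", visible in patch 6/8), and it loses the concrete consequence that the nosec scheme is ruled out. Either drop the sentence or keep the nosec clause: "this implies that directories providing such TDs should use access control, and therefore should not use nosec." As with patch 7/8, this belongs squashed into the commit it corrects (6/8).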