CodeCow/sniffnet
1
0
Fork 0
mirror of https://github.com/GyulyVGC/sniffnet.git synced 2026-06-05 21:06:52 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
main
sniffnet/THREAT_MODEL.md
GyulyVGC 739ab44aad
Some checks failed
CodeQL / Analyze (${{ matrix.language }}) (none, actions) (push) Has been cancelled
Details
CodeQL / Analyze (${{ matrix.language }}) (none, rust, security-extended) (push) Has been cancelled
Details
update docs to include official sniffnet emails
2026-06-02 11:44:59 +02:00

8.5 KiB
Raw Permalink Blame History

Threat Model

This is Sniffnet's first threat model.
The model is intentionally scoped to a subset of the application — future iterations will expand coverage.

We'll use STRIDE, a widely adopted framework to help identify common types of threats:

  • Spoofing: Impersonating someone or something else (e.g., faking identity).
  • Tampering: Modifying data or code (e.g., altering a file, changing network packets).
  • Repudiation: Denying an action that occurred (e.g., a user denies making a transaction).
  • Information Disclosure: Revealing sensitive data to unauthorized individuals (e.g., leaking PII, credentials).
  • Denial of Service: Preventing legitimate users from accessing a service or resource (e.g., crashing a server, exhausting resources).
  • Elevation of Privilege: Gaining unauthorized access to higher-level permissions (e.g., a regular user becoming an administrator).

For how to report a vulnerability, see SECURITY.md.
For how incidents are handled, see INCIDENT_RESPONSE.md.

For all security-related communications, please write to security@sniffnet.app.

1. Project overview and scope of this document

  • Project name: Sniffnet
  • Brief description: Cross-platform desktop application to monitor Internet traffic.
  • Key features in scope of this model:
    • Packet capture and parsing from a local network adapter or imported PCAP file
    • User-provided files (custom MaxMind MMDB databases, IP blacklists, custom theme palettes)
    • Persisted and reloaded app configurations (settings, favorites, notification preferences, etc.)
    • Remote notifications sent to a user-configured HTTP endpoint

2. Assets to protect

Asset Why it matters
Host system integrity Sniffnet processes untrusted inputs (network traffic, user files). A vulnerability could lead to compromise of the user's system.
User's data privacy Sensitive data (including the captured traffic metadata and custom app configurations) could be exposed to a third party via a vulnerability or misconfiguration.
Application availability A crash during a monitoring session could cause loss of visibility into the user's network activity at a critical moment.
Project reputation A vulnerability that leads to compromise of user systems or data would damage trust in the project and its maintainers.

3. Threats (STRIDE)

# Component / Flow Spoofing Tampering Repudiation Information disclosure Denial of Service Elevation of Privilege
1 Packet capture and parsing T1 I1 D1 E1
2 Custom MMDB file T2
3 IP blacklist file T3 D3
4 Custom palette file T4
5 App configurations file T5 I5
6 Remote notifications POST S6 I6

Threat catalog

  • T1 — Malformed packet triggers parser bug. A crafted frame on the wire reaches LaxPacketHeaders::from_ethernet / from_ip / from_ether_type. A logic bug in etherparse (or in Sniffnet's post-parse handling) could produce memory-safety issues, incorrect attribution, or panics.
  • I1 — PCAP export discloses captured traffic. When the user enables Savefile, captured packets — headers, hostnames, DNS queries, and payloads — are written to disk unencrypted and can be read by any local process.
  • D1 — Packet flood DoS. High packet rates or many small packets force the parser thread to fall behind; GUI freezes or memory grows unboundedly.
  • E1 — Privilege escalation via parser RCE. If T1 becomes exploitable, the attacker gets code execution inside a process holding CAP_NET_RAW (Linux) or Npcap driver access (Windows). There is no privilege drop after capture handle creation.
  • T2 — Malicious MMDB. A crafted .mmdb targets the maxminddb reader (tree traversal, decoder). open_readfile memory-maps the file, so parser bugs touch privileged memory.
  • T3 — Blacklist tampering. Another process running as the user can edit the file loaded by IpBlacklist::from_file to remove entries for known-bad IPs (suppressing alerts) or add benign IPs (driving false positives). There is no signature, checksum, or integrity check on the blacklist contents.
  • D3 — Huge blacklist file. IpBlacklist::from_file loads the whole file into memory via tokio::fs::read_to_string — no streaming, no size cap. A multi-GB file would exhaust memory.
  • T4 — Palette tampering. Palette::from_file accepts any well-formed hex color without semantic validation. A tampered TOML can set alert colors to be indistinguishable from normal-traffic colors, or render the UI illegibly, causing the user to miss or misattribute security-relevant GUI state.
  • T5 — Config tampering. Another process running as the user can edit conf.toml to insert a malicious MMDB path, blacklist path, palette path, or remote webhook URL. On next launch Sniffnet trusts these paths.
  • I5 — Config discloses watch list. Favorites, custom file paths, and the webhook URL can be read by any local process.
  • S6 — Webhook impersonation. A tampered conf.toml redirects notifications to an attacker's server while the user still believes they're sending to their own bot / SIEM. The JSON body (LoggedNotification::to_json) contains host info, service, favorite metadata, and byte counts — i.e., the user's own network activity.
  • I6 — Webhook body discloses monitored assets. The JSON emitted by LoggedNotification::to_json includes favorited host country / ASN / domain and, for blacklist hits, the malicious IP, its reverse-resolved domain, and byte counts. A compromised webhook endpoint — or an on-path observer if the URL is plaintext — learns which assets the user watches and which security events have fired.

4. Mitigations

# Threat Mitigation Status
M1 T1 / E1 / T2 Keep etherparse, pcap, and maxminddb on the latest patched versions. Active — Dependabot monitors Cargo manifests.
M2 T1 / E1 Add fuzz targets for the packet ingestion entry points (from_ethernet, from_null, from_linux_sll) using cargo-fuzz. Not implemented.
M3 D1 Bound the pcap channel / parsing queue and drop oldest rather than growing memory unboundedly. Needs review of pcap_tx backpressure.
M4 D3 Cap the blacklist file size (e.g. 10 MB) before read_to_string. Not implemented.
M5 I6 Reject non-https:// webhook URLs in the settings UI. Not implemented.