DEOS Trust Substrate — Consolidated Threat Model v1

Status: v1.1 — drafted 2026-05-05 Spec URI: https://projectmaya.deoscomputing.io/threat-model/v1 Maintainer: DEOS Computing (did:web:deos.computing)

The consolidated threat model for the v1.1 substrate. Extends and references the per-spec security-considerations sections, organized as a STRIDE-style matrix so a security reviewer can see the full picture in one place.


1. System under analysis

The Trust Substrate consists of:


2. Trust boundaries

[ Issuer (agent, principal) ]
  │ signs Statements / UCAN tokens
  ↓
[ TLS proxy (operator-controlled) ]
  │ terminates TLS
  ↓
[ Substrate process ]                     ← attack surface 1: process compromise
  │ holds key.json or HSM-backed key      ← attack surface 2: secret exposure
  │ signs receipts + Receipts             ← attack surface 3: mis-signing
  │ MMR + persistence                     ← attack surface 4: log corruption
  ↓
[ OTS calendar(s) ]                       ← attack surface 5: calendar lying
  │
  ↓
[ Bitcoin chain ]                         ← attack surface 6: chain reorg / SPV trust

[ Verifier ]                              ← attack surface 7: verifier compromise / cache poisoning

3. STRIDE matrix

3.1 Spoofing

Threat Mitigation Reference
Attacker forges a receipt by signing as the substrate. Substrate's signing key is pinned via published trust-root + history; a forged receipt under a key not in trust-root-history is rejected. v1.2 HSM/KMS makes the key non-extractable. /key-rotation/v1 §3
Attacker forges a UCAN token claiming authority from a principal. Token's s.sig verifies against principal's published kid; chain continuity + per-token signature checks. /ucan/tokens/v1 §4
Attacker spoofs a substrate by serving a different /trust-root. TLS pinning via cert fingerprint + did:deos resolver. operator TLS-termination spec
Attacker spoofs a witness in the gossip protocol. Witness signature on observation; verifiers pin witness verifying keys. /mmr/transparency/v1 §7.5

3.2 Tampering

Threat Mitigation Reference
Substrate operator rewrites past receipts in receipts/{id}.json. Receipt id is content-addressed; the MMR commits to the canonical bytes. Tampering is detectable on any verifier with a cached copy. /receipts/format/v1 §4, /merkle/log/v1
Substrate operator silently rewrites the MMR snapshot. Snapshot has a trailing checksum (BLAKE3 for legacy MMR, SHA-256 for SCITT MMR). Corruption causes startup to fail loud. /merkle/log/v1 §7
Substrate operator forks the log (publishes two non-extending roots). Consistency proofs + witness gossip + log-of-logs detect equivocation. /mmr/transparency/v1 §3, §4
Substrate operator falsifies issued_at to bypass token expiry. OTS anchor bounds issued_at from above; UCAN tokens have short exp. /anchor/bitcoin/v1 §3.4
Tombstone abuse (operator redacts incriminating receipts). Tombstone-event itself is logged in the operator's admin-events log; verifiers with a pre-redaction copy retain proof. operator deployment-topology spec
DID document silently rewritten to swap an agent's key. DID document anchoring via did_event leaves in receipt MMR; verifiers detect by comparing latest_did_event_id. /did/deos/v1 §11

3.3 Repudiation

Threat Mitigation Reference
Issuer denies having signed a Statement. Statement's COSE_Sign1 signature + chain validation. /interop/scitt/v1 §3
Substrate denies having registered a Statement. Substrate's signature on the Receipt + MMR inclusion proof + OTS anchor. /interop/scitt/v1 §4
Operator denies having performed an admin action. Append-only admin-events log carries every admin POST with body_hash + token_hash + request_id. operator deployment-topology spec

3.4 Information disclosure

Threat Mitigation Reference
Receipt content (action.metadata, capability chain) leaks sensitive data. Substrate stores content references via hashes only; the issuer is responsible for what they put in metadata. Document in onboarding runbook. /receipts/format/v1 §1
key.json plaintext on disk readable by any process on the host. --key-from-env keeps the secret off disk; HSM/KMS adapter (v1.2) keeps it out of process memory entirely. operator signing-provider spec
Bearer token leak via /proc/PID/environ. --admin-token-file (read once at startup, not in env) + hidepid=2 mount option. operator signing-provider spec
Side-channel (timing) on signature verification reveals key material. Constant-time verify in ed25519-dalek + aws-lc-rs (FIPS path). External pen test verifies. external pentest scope
OTS calendar reveals correlation between a substrate's submission and a Bitcoin block. Inherent to OTS; mitigated by submitting only the MMR root, not individual receipts. /anchor/v1

3.5 Denial of service

Threat Mitigation Reference
Unbounded body POST OOMs the substrate. --max-body-size 1 MiB default. reference implementation
Concurrent /append requests serialize behind the write lock. RwLock + thread pool. Reads parallelize. reference implementation
OTS calendar rate-limits the substrate, breaking timestamping. Background worker batches submissions per --anchor-interval-s. /anchor/v1
Attacker requests many large consistency proofs. Rate-limit + cache common pairs. /mmr/transparency/v1 §7.4
Storage-fill on substrate disk. Operator runbook covers archival / pruning. operator deployment-topology spec
Verifier offline during revocation propagation. Normative offline tolerance window. /revocation/v1 §5.1

3.6 Elevation of privilege

Threat Mitigation Reference
Caveat bypass via ** wildcard escalation. --allow-unbounded-can flag (off by default); narrow wildcards encouraged. /capability/caveats/v1 §9.1
Caveat-path injection in caveat-revocation. Path validated against token's actual structure. /capability/caveats/v1 §9.3
Replay of a captured signed Statement against a different substrate. tree_id check + substrate-DID binding in the Statement's iss/sub claims. /receipts/format/v1 §2.1, /interop/scitt/v1 §6.3
Replay of a captured admin POST. Network-replay nonce on /append is a v1.2 item; mTLS in front of admin endpoints in the meantime. operator TLS-termination spec
Privilege escalation via fork + new substrate identity. Verifier-pinned (substrate_did, fingerprint) pair + log-of-logs. /mmr/transparency/v1 §5

4. Threat model deltas vs SCITT architecture v22 §10

The SCITT architecture's threat model covers the SCITT-shaped surface generically. DEOS adds:


5. Out-of-scope threats

The substrate explicitly does NOT defend against:


6. Threat-actor profiles

6.1 Curious external observer

Goal: read receipts. Capabilities: HTTP requests to public endpoints. Defense: receipts are public by design; hashes-only payloads contain no sensitive content.

6.2 Network MITM

Goal: substitute a fake substrate's identity to verifiers. Capabilities: control over network path between verifier and substrate. Defense: TLS with cert pinning (operator TLS-termination spec).

6.3 Compromised operator

Goal: rewrite history, suppress evidence, mis-issue receipts. Capabilities: full control of substrate process + secret key. Defense: append-only MMR + OTS anchoring + log gossip + log-of-logs make rewriting detectable. HSM/KMS migration limits secret exposure. Cannot fully prevent — gossip + multi-witness is the structural answer.

6.4 Malicious issuer

Goal: forge actions claiming authority they don't have. Capabilities: any agent with a UCAN token. Defense: Registration Policy chain validation rejects mis-shaped chains; capability narrowing rules prevent privilege escalation.

6.5 Insider with substrate disk access

Goal: extract secrets, plant tampered state. Capabilities: file-system read on the substrate's host. Defense: file-permissions + filesystem encryption + HSM/KMS for secrets. Tampered state detected at startup via snapshot checksums.

6.6 Compromised verifier (downstream)

Goal: misrepresent verification results to a third party. Capabilities: verifier process compromise. Defense: verifier signs its own attestations of what it verified; downstream parties consume the verifier's signed attestations and apply their own pinning. Out of substrate scope.


7. Test coverage

External penetration testing covers the threat model. The team is asked to:

A conformance vector suite exercises the cryptographic primitives' edge cases. A fuzzing harness exercises canonicalization, MMR, UCAN parser, and caveat evaluation against random inputs.


8. References


9. Maintainer

DEOS Computing — threat-model updates and pen-test reports to github.com/DEOS-Computing.

License: CC BY 4.0 (text), Apache-2.0 (reference code).