Improve a bit our threat model
This commit is contained in:
parent 84277740a9
commit 120c3bf72f
@ -1,5 +1,6 @@
Threat Model
============
The Metadata Anonymisation Toolkit 2 adversary has a number
of goals, capabilities, and counter-attack types that can be
used to guide us towards a set of requirements for the MAT2.
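Review bot: "for the MAT2" in the new sentence keeps the definite article that this same patch removes from the Requirements bullets ("The MAT2 *should*" becomes "MAT2 *should*"); use "for MAT2" here as well. "counter-attack types" is also not a term any section below uses ("Goals", "Adversary Capabilities - Positioning", "Requirements"), so either rename it to match a section heading or drop it from the enumeration.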
@ -13,17 +14,18 @@ Mat only removes standard metadata from your files, it does _not_:
- anonymise their content (the substance and the form)
- handle watermarking
- handle steganography
- handle steganography nor homoglyphs
- handle stylometry
- handle any non-standard metadata field/system
If you really want to be anonymous format that does not contain any
metadata, or better : use plain-text ASCII without trailing spaces.
And as usual, think before clicking.
And as usual, think twice before clicking.
Adversary
------------
---------
* Goals:
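Review bot: "handle steganography nor homoglyphs" reads wrongly under the lead-in "it does _not_:", which already carries the negation, so the bullet should be "handle steganography or homoglyphs"; since homoglyphs are a content-level concern like stylometry rather than a variant of steganography, a bullet of their own would be clearer still. While in this hunk, the unchanged sentence "If you really want to be anonymous format that does not contain any metadata, or better : use plain-text ASCII" is missing "use a" before "format" and has a stray space before the colon, and the context line "Mat only removes standard metadata" still spells the tool "Mat" while the rest of the patch moves to "MAT2".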
@ -40,17 +42,18 @@ Adversary
to directly identify the author and/or source, his next
goal is to determine the source of the equipment used
to produce, copy, and transmit the document. This can
include the model of camera used to take a photo, or
which software was used to produce an office document.
include the model of camera used to take a photo or a film,
which software was used to produce an office document, …
* Adversary Capabilities - Positioning
- The adversary created the document specifically for this
user. This is the strongest position for the adversary to
have. In this case, the adversary is capable of inserting
arbitrary, custom watermarks specifically for tracking
the user. In general, MAT cannot defend against this
adversary, but we list it for completeness.
the user. In general, MAT2 cannot defend against this
adversary, but we list it for completeness' sake.
- The adversary created the document for a group of users.
In this case, the adversary knows that they attempted to
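Review bot: the rewritten example list "the model of camera used to take a photo or a film, which software was used to produce an office document, …" drops the "or" that joined the two examples and ends in an ellipsis, which leaves a threat-model sentence looking unfinished; prefer "such as the model of camera used to take a photo or a film, or the software used to produce an office document" and extend the list in a later edit if needed. The unchanged context still says "determine the source of the equipment used" where "identify the equipment used" is what the examples actually describe, and "his next goal" could become "their next goal" since the author's gender is unknown.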
@ -59,29 +62,32 @@ Adversary
users, but they certainly know the format used.
- The adversary did not create the document, the weakest
position for the adversary to have. The file format is (most of the time)
standard, nothing custom is added: MAT
should be able to remove all meta-information from the
file.
position for the adversary to have. The file format is
(most of the time) standard, nothing custom is added:
MAT2 must be able to remove all metadata from the file.
Requirements
---------------
------------
* Processing
- The MAT2 *should* avoid interactions with information.
- MAT2 *should* avoid interactions with information.
Its goal is to remove metadata, and the user is solely
responsible for the information of the file.
- The MAT2 *must* warn when encountering an unknown
- MAT2 *must* warn when encountering an unknown
format. For example, in a zipfile, if MAT encounters an
unknown format, it should warn the user, and ask if the
file should be added to the anonymised archive that is
produced.
- The MAT2 *must* not add metadata, since its purpose is to
- MAT2 *must* not add metadata, since its purpose is to
anonymise files: every added items of metadata decreases
anonymity.
- The MAT2 *should* handle unknown/hidden metadata fields,
- MAT2 *should* handle unknown/hidden metadata fields,
like proprietary extensions of open formats.
- MAT2 *must not* fail silently. Upon failure,
MAT2 *must not* modify the file in any way.
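Review bot: the new requirement "Upon failure, MAT2 *must not* modify the file in any way" is ambiguous about which file is meant: if it is the input, say that MAT2 never writes to the input in place; if it is the output, say that no partial or half-cleaned output is left behind on failure (for example by writing to a temporary file and only putting it in place once processing succeeded). Two renames are also missed in this hunk: "if MAT encounters an unknown format" in the zipfile example still says "MAT" although the bullet above it was changed to "MAT2", and that example says the tool "should warn the user" although the bullet it illustrates says *must* warn. Minor: "every added items of metadata decreases" should be "every added item of metadata decreases".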