10. Using STRIDE Threat Modeling to Analyze Security Risks in DDS Systems

10.1. Introduction to Threat Modeling

A threat model is an abstraction that helps you evaluate risks. Threat modeling is a structured process for identifying potential security threats and vulnerabilities, quantifying the risk of each, and prioritizing mitigation techniques. When developing a software product, having a defined threat model is key to a focused defense.

A critical part of threat modeling is to identify trust boundaries. A trust boundary is a logical boundary where program data or execution changes its level of trust. Knowing the trust boundaries of a system allows you to better focus the threat analysis in the areas of concern.

10.2. Simplified DDS Security Threat Model

We could summarize the OMG DDS Security specification threat model as “the network is the adversary”. The goal of the OMG DDS Security specification is to protect the data in motion exchanged between DDS applications through an untrusted network.

The DDS Security threat model is depicted in the following figure, where the area of interest is the untrusted network:

../_images/dds-security-threat-model.png — Figure 10.1 Simplified DDS Security Threat Model

For an overview of the potential DDS threats within the untrusted network, please refer to Description of DDS System Threats. For an in-depth review of the DDS Security threat model, please refer to Detailed DDS Security Threat Model.

10.3. Introduction to STRIDE

STRIDE is a threat modeling framework used to identify and categorize potential security threats in a system. It helps security teams analyze potential vulnerabilities and risks by breaking them down into six categories:

Spoofing (S): Unauthorized access by impersonating another user or system (e.g., fake authentication or identity theft).
Tampering (T): Malicious modification of data or code, either in transit or at rest (e.g., altering database records or files).
Repudiation (R): The ability for a user to deny their actions without any evidence, often due to a lack of proper logging or auditing (e.g., denying responsibility for an action like a transaction).
Information Disclosure (I): Unauthorized access to confidential or sensitive information (e.g., leaking sensitive data due to insufficient encryption or access controls).
Denial of Service (D): Disrupting or degrading the availability of a system or service, making it unavailable to legitimate users (e.g., flooding a server with traffic to overwhelm it).
Elevation of Privilege (E): Gaining unauthorized access to higher privileges or permissions than a user is supposed to have (e.g., exploiting a vulnerability to become an administrator).

This chapter explains how to use STRIDE to analyze the different threats that the Detailed DDS Security Threat Model considers and see how DDS Security Threat Protection helps protect your system against those threats.

10.4. Detailed DDS Security Threat Model

10.4.1. DDS Security Trust Boundaries

In the model we introduced earlier (Simplified DDS Security Threat Model) we established only one trust boundary (the one surrounding the untrusted network) as the focus of the DDS Security threat model. In reality, we can identify two additional kinds of trust boundaries within the unstrusted network trust boundary, which are derived from the data-centric approach of DDS:

Domain Trust Boundary: A logical boundary between what is inside a Domain (data, applications running authorized DomainParticipants) and what is outside the Domain.
Topic Trust Boundary: A logical boundary between what is inside a Topic (data, applications running authorized DataWriters and/or DataReaders) and what is outside the Topic.

../_images/dds-security-threat-model-detailed.png — Figure 10.2 Detailed DDS Security Threat Model [1]

Using the above boundaries, we can differentiate four unique attacker roles associated with a DDS system:

Attacker roles derived from the Domain Trust Boundary:

Domain Outsider: For a given Domain, a Domain Outsider refers to any actors with access to the physical network where the Domain runs, but which are not authorized to join the Domain. This includes (but is not limited to) any applications authorized to run on different Domains. As a generalization, a Domain Outsider is any actor that does not hold valid Domain credentials (i.e., the right PSK secret passphrase, and/or certificates & private keys associated with a Permissions Document’s Grant).
Domain Insider: Any actors with authorized access to a given Domain. An example Domain Insider is a malicious attacker that has stolen valid credentials for a Domain (i.e., certificates and private keys) and then creates a DomainParticipant using the stolen credentials. Another example is a malicious attacker that has compromised a device running a DomainParticipant with valid certificates, and therefore can operate with the same privileges as the compromised device’s DomainParticipant.

Attacker roles derived from the Topic Trust Boundary:

Topic Outsider: For a given Topic, a Topic Outsider refers to any actors with authorized access to the Domain where the Topic belongs, but which are not authorized to interact with the Topic. An example of a Topic Outsider is a malicious attacker that has compromised a device running a DomainParticipant with valid credentials and permissions to join a Domain but without permissions to publish or subscribe to the attack target Topic.
Topic Insider: Any actors with authorized access to a given Topic. An example of Topic Insider is a malicious attacker that has stolen the credentials for a DomainParticipant with permissions to publish in a Topic and then creates a DomainParticipant using the stolen credentials.

10.4.2. DDS Traffic Categorization

Before moving into how DDS Security protects against different threats, it is essential to understand how the DDS databus operates. In a Domain, there are two kinds of data traffic exchanged to support the databus operation:

Meta Traffic: Data exchanged to support the operation of the Domain. It includes the traffic associated with builtin Topics supporting key functionality such as discovery, authentication, and liveliness. The Meta Traffic data contains information such as GUIDs, Topic names, type names, and locators.
User Traffic: Data exchanged between user application DataWriters and DataReaders. It includes traffic associated with user application Topics. The contents of the User Traffic data depend on the definition of the user DataWriters and DataReaders.

Warning

Confidentiality consideration: While the databus exchanges user data exclusively through User Traffic, Meta Traffic contains User Traffic-related information that could be sensitive depending on the system security policy (for example, the user Topics names could be sensitive according to policy).

Warning

Availability consideration: Since Meta Traffic is used to support the operation of the Domain, a proper risk evaluation for a given user Topic must consider Meta Traffic threats. For example, if a successful attack tampers with the discovery information associated with a user Topic, this could result in a successful D attack for that Topic.

10.4.3. DDS Security Threat Protection

DDS Security provides the following threat protection levels (derived from the trust boundaries and attacker roles defined in DDS Security Trust Boundaries, and ordered from a lower level of trust to higher level of trust):

Domain Outsider Protection: Also known as Domain-Level Protection, mitigates attacks initiated by actors not authorized to join the Domain. For example, actors without the right PSK secret passphrase to join the Domain.
Domain Insider Protection: A form of Granular Protection Inside Domains, mitigates attacks initiated by actors authorized to join the Domain. For example, a malicious actor that has stolen the right credentials to join a Domain and then creates a DomainParticipant using those credentials.
Topic Outsider Protection: A form of Granular Protection Inside Domains, mitigate attacks initiated by actors not authorized to publish and/or subscribe to/from a given Topic. For example, a malicious actor that has stolen the credentials for an Identity authorized to join a Domain, but not authorized to publish or subscribe to the attack target Topic.
Topic Insider Protection: A form of Granular Protection Inside Domains, mitigate attacks initiated by actors authorized to publish and/or subscribe to/from a given Topic. For example, a malicious actor that has stolen the credentials for an Identity authorized to join a Domain and publish to the attack target Topic.

In the following sections we will cover these protection levels in depth, detailing what Security Plugins features support these protection levels. In order to be effective, certain mechanisms associated with a given level of protection may require users to also enable certain lower-trust protection mechanisms (for example, D Topic Outsider Protection requires enabling Domain Insider Protection).

Note

While other combinations are possible to achieve similar levels of protection, in this section we prioritize the combinations that ensure the right level of protection while keeping the configuration as simple as possible.

10.4.4. Domain Outsider Protection

../_images/dds-security-threat-model-domain-outsider.png — Figure 10.3 Domain Outsider Attacker [1]

This level of protection mitigates attacks initiated by actors not authorized to join the Domain. This protection is effective against attacks targeting Meta Traffic and/or User Traffic.

Examples of preventable Domain Outsider attacks are:

STE :
- An attacker publishes user Topic data while impersonating a legitimate DomainParticipant.
- An attacker publishes malicious discovery information while impersonating a legitimate DomainParticipant, triggering user Topic data to be corrupted.
- An attacker publishes malicious liveliness information while impersonating a legitimate DomainParticipant, preventing legitimate DomainParticipants from detecting the disconnection of the impersonated DomainParticipant.
I:
- An attacker reads DDS application’s system meta information such as username.
- An attacker reads user Topic data.
D:
- An attacker exploits RTPS protocol operation to force legitimate DDS applications to flood the network with discovery messages.
- An attacker exploits RTPS sequence numbers to force legitimate DDS applications to drop any messages for a Topic.
- An attacker exploits a day-zero vulnerability in Connext to crash a DDS application by injecting malicious RTPS messages to the network.

To enable Domain Outsider Protection, Security Plugins provides the following options:

Lightweight Builtin Security Plugins:
- Meta Traffic and User Traffic threat protection:
  - STDE protection requires:
    - Setting the dds.sec.access.rtps_psk_protection_kind property to a value other than NONE (default).
  - STIDE protection requires:
    - Setting the dds.sec.access.rtps_psk_protection_kind property to ENCRYPT.
Builtin Security Plugins:
- Meta Traffic and User Traffic threat protection:
  - STDE protection requires:
    - Setting the rtps_psk_protection_kind Governance Rule (see rtps_psk_protection_kind (domain_rule)) in the Governance Document to a value other than NONE (default).
  - STIDE protection requires:
    - Setting the rtps_psk_protection_kind Governance Rule (see rtps_psk_protection_kind (domain_rule)) in the Governance Document to ENCRYPT.
- User Traffic only threat protection:
  - STE protection requires:
    - Setting the rtps_protection_kind Governance Rule (see rtps_protection_kind (domain_rule)) in the Governance Document to a value other than NONE.
  - STIE protection requires:
    - Setting the rtps_protection_kind Governance Rule (see rtps_protection_kind (domain_rule)) in the Governance Document to ENCRYPT or ENCRYPT_WITH_ORIGIN_AUTHENTICATION.

10.4.5. Domain Insider Protection

../_images/dds-security-threat-model-domain-insider.png — Figure 10.4 Domain Insider Attacker [1]

This level of protection mitigates attacks initiated by actors authorized to join the Domain. This protection is effective against attacks targeting Meta Traffic and/or User Traffic.

Examples of preventable Domain Insider attacks are:

STE:
- An attacker publishes malicious discovery information while impersonating a legitimate DomainParticipant, triggering user Topic data to be corrupted.
- An attacker publishes malicious liveliness information while impersonating a legitimate DomainParticipant, preventing legitimate DomainParticipants from detecting the disconnection of the impersonated DomainParticipant.
D:
- An attacker exploits RTPS sequence numbers to force legitimate DDS applications to stop receiving discovery or liveliness information.

To enable Domain Insider protection, Security Plugins provides the following options:

Builtin Security Plugins:
- Meta Traffic and User Traffic threat protection:
  - STDE protection requires all of the following:
    - Setting enable_join_access_control to TRUE (see enable_join_access_control (within a domain_rule)).
    - Setting the rtps_protection_kind Governance Rule (see rtps_protection_kind (domain_rule)) in the Governance Document to SIGN_WITH_ORIGIN_AUTHENTICATION or ENCRYPT_WITH_ORIGIN_AUTHENTICATION.
- Meta Traffic only threat protection:
  - STDE protection requires all of the following:
    - Setting enable_join_access_control to TRUE (see enable_join_access_control (within a domain_rule)).
    - Setting the discovery_protection_kind Governance Rule (see discovery_protection_kind (domain_rule)) and the liveliness_protection_kind Governance Rule (see liveliness_protection_kind (domain_rule)) to SIGN_WITH_ORIGIN_AUTHENTICATION or ENCRYPT_WITH_ORIGIN_AUTHENTICATION.

Warning

Domain Insider Protection is only effective if every DomainParticipant in the Domain has unique credentials (i.e., Identity Certificate and the associated private keys cannot be shared across multiple DomainParticipants). DomainParticipants sharing credentials will share the same Identity and therefore no Domain Insider Protection is possible among them.

Note

If your Builtin Security Plugins system is configured with one unique set of credentials associated with all the DomainParticipants in the same Domain and this is acceptable by your security policy, you should consider switching to using Lightweight Builtin Security Plugins. Lightweight Builtin Security Plugins is a lightweight, easy to configure and deploy solution with an equivalent protection level (Domain Outsider Protection) to using Builtin Security Plugins with the same credentials for all of the DomainParticipants in the system.

10.4.6. Topic Outsider Protection

../_images/dds-security-threat-model-topic-outsider.png — Figure 10.5 Topic Outsider Attacker [1]

This level of protection mitigates attacks initiated by actors not authorized to publish and/or subscribe to/from a given Topic. This protection is effective against attacks targeting User Traffic.

Examples of preventable Topic Outsider attacks are:

STE:
- An attacker publishes user Topic data while impersonating a legitimate DomainParticipant.
I:
- An attacker reads user Topic data.
D:
- An attacker exploits RTPS sequence numbers to force legitimate DDS applications to drop any messages for a user Topic.

Additionally, examples of preventable Meta Traffic related Topic Outsider attacks are:

STDE:
- An attacker publishes malicious discovery information while impersonating a legitimate DomainParticipant, triggering user Topic data to be corrupted.
- An attacker exploits RTPS sequence numbers to force legitimate DDS applications to stop receiving discovery or liveliness information for a user Topic.

To enable Topic Outsider Protection, Security Plugins provides the following options:

Builtin Security Plugins:
- User Traffic only threat protection:
  - STDE protection requires all of the following:
    - Setting enable_read_access_control (see enable_read_access_control (topic_rule)) and enable_write_access_control (see enable_write_access_control (topic_rule)) to TRUE.
    - Setting the metadata_protection_kind Governance Rule (see metadata_protection_kind (topic_rule)) in the Governance Document to a value other than NONE.
  - I protection requires all of the following:
    - Setting enable_read_access_control (see enable_read_access_control (topic_rule)) and enable_write_access_control (see enable_write_access_control (topic_rule)) to TRUE.
    - Setting the metadata_protection_kind Governance Rule (see metadata_protection_kind (topic_rule)) to ENCRYPT or ENCRYPT_WITH_ORIGIN_AUTHENTICATION.
      - Alternatively (only needed if using Persistence Service), granted by setting the data_protection_kind Governance Rule (see data_protection_kind (topic_rule)) to ENCRYPT.
- Meta Traffic related threat protection:
  - STDE protection requires all of the following:
    - Enabling Domain Insider Protection (at least, for the Meta Traffic).
    - Setting enable_read_access_control (see enable_read_access_control (topic_rule)) and enable_write_access_control (see enable_write_access_control (topic_rule)) to TRUE.
    - Setting enable_discovery_protection (see enable_discovery_protection (topic_rule)) and enable_liveliness_protection to TRUE (see enable_liveliness_protection (topic_rule)).
    - Setting the metadata_protection_kind Governance Rule (see metadata_protection_kind (topic_rule)) to a value other than NONE.

Warning

Topic Outsider Protection is only effective if every DomainParticipant in the Domain has unique credentials (i.e., Identity Certificate and the associated private keys cannot be shared across multiple DomainParticipants). DomainParticipants sharing credentials will share the same Identity and Permissions Grants and therefore no Topic Outsider Protection is possible among them.

10.4.7. Topic Insider Protection

../_images/dds-security-threat-model-topic-insider.png — Figure 10.6 Topic Insider Attacker [1]

This level of protection mitigates attacks initiated by actors authorized to publish and/or subscribe to/from a given Topic. This protection is effective against attacks targeting User Traffic.

Examples of preventable Topic Insider attacks are:

STE:
- An attacker without write permission for a Topic publishes user Topic data to the Topic.
- An attacker with write permissions for a Topic publishes user Topic data while impersonating a legitimate DomainParticipant.
I:
- An attacker reads from a Topic while only having permissions for writing (not reading).
D:
- An attacker exploits RTPS sequence numbers to force legitimate DDS applications to drop messages from a different legitimate DomainParticipant.

Additionally, examples of preventable Meta Traffic related Topic Insider attacks are:

STDE:
- An attacker publishes malicious discovery information while impersonating a legitimate DomainParticipant, triggering user Topic data to be corrupted.
- An attacker exploits RTPS sequence numbers to force legitimate DDS applications to stop receiving discovery or liveliness information for a user Topic.

To enable Topic Insider Protection, Security Plugins provides the following options:

Builtin Security Plugins:
- User Traffic only threat protection:
  - STDE protection requires all of the following:
    - Setting enable_read_access_control (see enable_read_access_control (topic_rule)) and enable_write_access_control (see enable_write_access_control (topic_rule)) to TRUE.
    - Setting the metadata_protection_kind Governance Rule (see metadata_protection_kind (topic_rule)) to a value other than NONE in combination with either:
      - setting the rtps_protection_kind Governance Rule (see rtps_protection_kind (domain_rule)) in the Governance Document to SIGN_WITH_ORIGIN_AUTHENTICATION or ENCRYPT_WITH_ORIGIN_AUTHENTICATION, or
      - setting the metadata_protection_kind Governance Rule (see metadata_protection_kind (topic_rule)) to SIGN_WITH_ORIGIN_AUTHENTICATION or ENCRYPT_WITH_ORIGIN_AUTHENTICATION
  - I by unauthorized actors with publish permissions to the Topic protection requires all of the following:
    - Setting enable_read_access_control (see enable_read_access_control (topic_rule)) and enable_write_access_control (see enable_write_access_control (topic_rule)) to TRUE.
    - Setting the metadata_protection_kind Governance Rule (see metadata_protection_kind (topic_rule)) to ENCRYPT or ENCRYPT_WITH_ORIGIN_AUTHENTICATION.
      - Alternatively (only needed if using Persistence Service), granted by setting the data_protection_kind Governance Rule (see data_protection_kind (topic_rule)) to ENCRYPT, in combination with setting publish-only permissions for applications that are only authorized to write (not read) to a Topic.
- Meta Traffic related threat protection:
  - STDE protection requires all of the following (same configuration as in Topic Outsider Meta Traffic related ST DE protection):
    - Enabling Domain Insider Protection (at least, for the Meta Traffic).
    - Setting enable_read_access_control (see enable_read_access_control (topic_rule)) and enable_write_access_control (see enable_write_access_control (topic_rule)) to TRUE.
    - Setting enable_discovery_protection (see enable_discovery_protection (topic_rule)) and enable_liveliness_protection to TRUE (see enable_liveliness_protection (topic_rule)).
    - Setting the metadata_protection_kind Governance Rule (see metadata_protection_kind (topic_rule)) to a value other than NONE.

Warning

Topic Insider Protection is only effective if every DomainParticipant in the Domain has unique credentials (i.e., Identity Certificate and the associated private keys cannot be shared across multiple DomainParticipants). DomainParticipants sharing credentials will share the same Identity and therefore no Topic Insider Protection is possible among them.

10.5. Configuration Examples for Common Threat Scenarios

To reinforce the concepts introduced in previous sections, we now provide a set of example scenarios with different threat requirements and we provide the recommended configuration to address those risks.

10.5.1. Automotive Network Insider

Automotive system example where we need to protect the vehicle’s monitoring and control Domain from unauthorized Domain Outsiders’ STIDE threats in the form of malicious actors with physical access to the network in which the Domain is running.

../_images/threat-model-automotive.png — Figure 10.7 Automotive Network Insider

For examples of threats at this level, refer to Domain Outsider Protection.

10.5.1.1. Configuration

Lightweight Builtin Security Plugins: This is the recommended configuration if you don’t need to provide protection for other threat levels (Domain Insider, Topic Outsider, Topic Insider). This configuration provides a lightweight, easy to configure and deploy solution that effectively addresses the identified threats:
- dds.sec.access.rtps_psk_protection_kind property set to ENCRYPT.

10.5.1.2. Resulting protection

Table 10.1 Automotive example threat protection
Protection level	Threats protected
Domain Outsider Protection	STIDE
Domain Insider Protection	NONE
Topic Outsider Protection	NONE
Topic Insider Protection	NONE

10.5.2. Industrial Automation Malicious 3rd-Party App

Industrial automation example where we need to protect the monitoring and control Domain from unauthorized Domain Outsiders STIDE. The Domain also runs medium-trust 3rd-party applications, and therefore we need to protect a particularly security-sensitive user Topic from malicious Topic Outsider I threats. In the event of a security breach in one of the 3rd-party applications, temporary service disruption by a Domain Insider is ok, but the user Topic data shall never be leaked, as it contains proprietary secrets.

../_images/threat-model-industrial.png — Figure 10.8 Industrial Automation Malicious 3rd-Party App

For examples of threats at this level, refer to Domain Outsider Protection and Topic Outsider Protection.

10.5.2.1. Configuration

Builtin Security Plugins:
- To ensure protection against this scenario’s Domain Outsider threats:
  - enable_join_access_control (see enable_join_access_control (within a domain_rule)) in the Governance Document set to TRUE.
  - rtps_psk_protection_kind Governance Rule (see rtps_psk_protection_kind (domain_rule)) in the Governance Document set to ENCRYPT.
- To ensure protection against this scenario’s Topic Outsider threats:
  - enable_read_access_control (see enable_read_access_control (topic_rule)) and enable_write_access_control (see enable_write_access_control (topic_rule)) set to TRUE.
  - metadata_protection_kind Governance Rule (see metadata_protection_kind (topic_rule)) set to ENCRYPT.

<?xml version="1.0" encoding="UTF-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:noNamespaceSchemaLocation="http://community.rti.com/schema/7.3.0/dds_security_governance.xsd">
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>
        FALSE
      </allow_unauthenticated_participants>
      <enable_join_access_control>TRUE</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>NONE</rtps_protection_kind>
      <rtps_psk_protection_kind>ENCRYPT</rtps_psk_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>Propietary Secrets Topic</topic_expression>
          <enable_discovery_protection>FALSE</enable_discovery_protection>
          <enable_liveliness_protection>FALSE</enable_liveliness_protection>
          <enable_read_access_control>TRUE</enable_read_access_control>
          <enable_write_access_control>TRUE</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>FALSE</enable_discovery_protection>
          <enable_liveliness_protection>FALSE</enable_liveliness_protection>
          <enable_read_access_control>FALSE</enable_read_access_control>
          <enable_write_access_control>FALSE</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>

10.5.2.2. Resulting protection

Table 10.2 Industrial automation example threat protection
Protection level	Threats protected
Domain Outsider Protection	STIDE
Domain Insider Protection	NONE
Topic Outsider Protection	I (complete) STDE (limited: related Domain Insider Meta Traffic attacks are still possible)
Topic Insider Protection	NONE

10.5.3. Medical System Malicious Device

Medical example where we need to protect the medical system Domain from unauthorized Domain Outsiders STDE. Also, we need to protect the patient monitoring topic from being STDE from a potential hacked security camera within the hospital (which runs in the same Domain, but uses a different Topic).

../_images/threat-model-medical.png — Figure 10.9 Medical System Malicious Device

For examples of threats at this level, refer to Domain Outsider Protection, Domain Insider Protection, and Topic Outsider Protection.

10.5.3.1. Configuration

Builtin Security Plugins:
- To ensure protection against this scenario’s Domain Outsider threats:
  - enable_join_access_control (see enable_join_access_control (within a domain_rule)) in the Governance Document set to TRUE.
  - rtps_psk_protection_kind Governance Rule (see rtps_psk_protection_kind (domain_rule)) in the Governance Document set to SIGN.
- To ensure protection against this scenario’s Domain Insider threats:
  - discovery_protection_kind Governance Rule (see discovery_protection_kind (domain_rule)) and the liveliness_protection_kind Governance Rule (see liveliness_protection_kind (domain_rule)) to SIGN_WITH_ORIGIN_AUTHENTICATION.
- To ensure protection against this scenario’s Topic Outsider threats:
  - enable_read_access_control (see enable_read_access_control (topic_rule)) and enable_write_access_control (see enable_write_access_control (topic_rule)) set to TRUE.
  - enable_discovery_protection (see enable_discovery_protection (topic_rule)) and enable_liveliness_protection (see enable_liveliness_protection (topic_rule)) set to TRUE.
  - metadata_protection_kind Governance Rule (see metadata_protection_kind (topic_rule)) set to SIGN.

<?xml version="1.0" encoding="UTF-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:noNamespaceSchemaLocation="http://community.rti.com/schema/7.3.0/dds_security_governance.xsd">
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>
        FALSE
      </allow_unauthenticated_participants>
      <enable_join_access_control>TRUE</enable_join_access_control>
      <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
      <liveliness_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</liveliness_protection_kind>
      <rtps_protection_kind>NONE</rtps_protection_kind>
      <rtps_psk_protection_kind>SIGN</rtps_psk_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>Patient Monitoring Topic</topic_expression>
          <enable_discovery_protection>TRUE</enable_discovery_protection>
          <enable_liveliness_protection>TRUE</enable_liveliness_protection>
          <enable_read_access_control>TRUE</enable_read_access_control>
          <enable_write_access_control>TRUE</enable_write_access_control>
          <metadata_protection_kind>SIGN</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>FALSE</enable_discovery_protection>
          <enable_liveliness_protection>FALSE</enable_liveliness_protection>
          <enable_read_access_control>FALSE</enable_read_access_control>
          <enable_write_access_control>FALSE</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>

10.5.3.2. Resulting protection

Table 10.3 Medical example threat protection
Protection level	Threats protected
Domain Outsider Protection	STDE
Domain Insider Protection	STDE
Topic Outsider Protection	STDE
Topic Insider Protection	NONE

10.5.4. Aviation Services Malicious Device

Aviation example where we need to protect the aviation services Domain from unauthorized Domain Outsider STDE attacks. Also, we need to protect the ATC positioning topic from unauthorized writes or reads from planes that publish into that Topic (i.e., STIDE Topic Insider Protection).

../_images/threat-model-aviation.png — Figure 10.10 Aviation Services Malicious Device

For examples of threats at this level, refer to Domain Outsider Protection, Domain Insider Protection, Topic Outsider Protection, and Topic Insider Protection.

10.5.4.1. Configuration

Builtin Security Plugins:
- To ensure protection against this scenario’s Domain Outsider threats:
  - enable_join_access_control (see enable_join_access_control (within a domain_rule)) in the Governance Document set to TRUE.
  - rtps_psk_protection_kind Governance Rule (see rtps_psk_protection_kind (domain_rule)) in the Governance Document set to SIGN.
- To ensure protection against this scenario’s Domain Insider threats (also a requirement to protect against Topic Insider threats):
  - rtps_protection_kind Governance Rule (see rtps_protection_kind (domain_rule)) in the Governance Document set to SIGN_WITH_ORIGIN_AUTHENTICATION.
- To ensure protection against this scenario’s Topic Outsider and Topic Insider threats:
  - enable_read_access_control (see enable_read_access_control (topic_rule)) and enable_write_access_control (see enable_write_access_control (topic_rule)) set to TRUE.
  - enable_discovery_protection (see enable_discovery_protection (topic_rule)) and enable_liveliness_protection (see enable_liveliness_protection (topic_rule)) set to TRUE.
  - metadata_protection_kind Governance Rule (see metadata_protection_kind (topic_rule)) set to ENCRYPT.

<?xml version="1.0" encoding="UTF-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:noNamespaceSchemaLocation="http://community.rti.com/schema/7.3.0/dds_security_governance.xsd">
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>
        FALSE
      </allow_unauthenticated_participants>
      <enable_join_access_control>TRUE</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
      <rtps_psk_protection_kind>SIGN</rtps_psk_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>ATC Position Topic</topic_expression>
          <enable_discovery_protection>TRUE</enable_discovery_protection>
          <enable_liveliness_protection>TRUE</enable_liveliness_protection>
          <enable_read_access_control>TRUE</enable_read_access_control>
          <enable_write_access_control>TRUE</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>FALSE</enable_discovery_protection>
          <enable_liveliness_protection>FALSE</enable_liveliness_protection>
          <enable_read_access_control>FALSE</enable_read_access_control>
          <enable_write_access_control>FALSE</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>

10.5.4.2. Resulting protection

Table 10.4 Aviation example threat protection
Protection level	Threats protected
Domain Outsider Protection	STDE
Domain Insider Protection	STDE
Topic Outsider Protection	STIDE
Topic Insider Protection	STDE + I (from write-only applications)