Threat Model
STRIDE-lite threat assessment for the localLOOP lab infrastructure. Covers the key threat categories relevant to federated node communication, material data handling, and API exposure in a controlled lab environment.
Scope
Environment
Lab-only infrastructure — not a production deployment assessment
Method
STRIDE-lite: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege
Status
Living document — reviewed alongside spec changes
Threat Model (Lab Baseline)
This threat model is a lab-only baseline for the LOOP protocol. It is not a production security assessment.
System boundaries
- LOOP Node API (lab demo): handles MaterialDNA, Offer, Match, Transfer.
- Event log: immutable audit trail for lab events.
- Public interest registry: optional contact data.
Assets
- Protocol payloads (MaterialDNA, Offer, Match, Transfer)
- Event logs and timestamps
- Optional contact data (interest submissions)
Threats (STRIDE-lite)
| Threat | Example | Mitigation (lab) |
|---|---|---|
| Spoofing | Fake node identity | Mutual TLS / signed requests (future), allowlist in lab |
| Tampering | Offer payload modified | Schema validation, server-side logging |
| Repudiation | Deny match acceptance | Immutable event log with timestamps |
| Information disclosure | PII leaks | Data minimization, redact logs |
| Denial of service | Flood endpoints | Rate limits, request size limits |
| Elevation of privilege | Abuse admin endpoints | Auth scaffolding (future), least privilege |
Residual risk (lab stage)
Risks remain due to the early TRL level and the absence of production-grade identity, key management, and audit tooling. This document should be revisited before any pilot deployments.