| field | value | date |
|---|---|---|
| author | David Lönnhager <david.l@mullvad.net> | 2025-05-28 16:32:06 +0200 |
| committer | Markus Pettersson <markus.pettersson@mullvad.net> | 2025-06-25 15:10:28 +0200 |
| commit | a0b5240ef9c0ef622f192fbf0f11772ab8ab4e91 (patch) | |
| tree | 78e2a3d1e1e9d1b9407f9fde01bfeab62710ba36 | |
| parent | 41088db1546114275cfd2478c569ccc1196a004a (diff) | |
| download | mullvadvpn-a0b5240ef9c0ef622f192fbf0f11772ab8ab4e91.tar.xz, mullvadvpn-a0b5240ef9c0ef622f192fbf0f11772ab8ab4e91.zip | |
Add Mullvad VPN loader threat model document
Mention threat model in security.md
Co-authored-by: Markus Pettersson <markus.pettersson@mullvad.net>
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/security.md | 3 |
| -rw-r--r-- | mullvad-update/threat-model.md | 78 |
2 files changed, 81 insertions, 0 deletions
diff --git a/docs/security.md b/docs/security.md index e95af26a0b..0771b6b3d4 100644 --- a/docs/security.md +++ b/docs/security.md @@ -337,6 +337,9 @@ The GUI only communicates with the system service (`mullvad-daemon`), it makes n network connections. Except when the user sends a problem report, then it spawn the `mullvad-problem-report` tool, which in turn communicate over TLS with our API. +## Mullvad VPN loader + +See the threat model [document](../mullvad-update/threat-model.md) for the Mullvad VPN loader. [disconnected]: #disconnected [connecting]: #connecting diff --git a/mullvad-update/threat-model.md b/mullvad-update/threat-model.md new file mode 100644 index 0000000000..f978fa4b4d --- /dev/null +++ b/mullvad-update/threat-model.md 
@@ -0,0 +1,78 @@ +# Introduction + +This threat model describes the code backing Mullvad VPN loader and in-app updates on the two +platforms it supports (Windows and macOS). The loader is a graphical application used by Mullvad +users to install and upgrade the Mullvad VPN app on their devices, and in-app updates allows users +to update the app from within the app. The library crate `mullvad-update` is responsible for +verifying the integrity of the software that it downloads and installs on the user's device to +ensure that the software has not been tampered with. It allows the app to be hosted on untrusted +third-party CDNs without compromising security. + +These tools perform network requests towards Mullvad API endpoints and above mentioned third-party +CDNs, and requires both read & write access to the target device file system. + +## Acquiring Mullvad VPN loader + +The loader application is initially downloaded from Mullvad’s website or the Mullvad VPN app GitHub +repository. For the installation artifacts on our website and GitHub, we provides detached PGP +signatures for integrity verification. + +# Who do we trust + +Some Mullvad employees - Access to publish metadata information to be consumed by `mullvad-update` +is segmented and has been granted to select individuals which are trusted within the company to make +app releases. + + +# Who is the attacker + +## Nation states and law enforcement + +With the goal of de-anonymizing individuals in order to track them and disarm “dissidents”. + +## Crooks + +With the goal to … + +* Install malware on target devices + +* Make our users part of botnets + +* Steal users' information (crypto wallets etc) + +# Capabilities of the attacker + +* Serving malicious software via the third-party CDNs + +* Serving legitimate old or unexpected versions of the app on third-party CDNs, e.g. 
+ downgrading to versions with known vulnerabilities or development builds + +* Serving files large enough to fill up the target's disk + +* Compromising the Mullvad API, and (e.g.) returning outdated or fake version metadata + +# Countermeasures + +Here are countermeasures we have identified against the above attackers which have been implemented +in the loader: + +* The version metadata / Mullvad API response is cryptographically verified to be signed + +* The version metadata has an expiry date + +* The checksum of software packages downloaded via third-party CDNs is cryptographically verified to + be the same as the checksum in the metadata + +* Only allow trusted people to publish metadata via secured Qubes machines + +* When relevant, only read/use downloaded software artifacts from a location that the loader (or + admin) controls, to prevent privilege escalation + +* The size of the downloaded software package is checked to be the correct size, and if larger the + download is aborted + +# Out of scope + +* Most attacks involving physical access to the user's computer are not covered by the threat model + +* Malicious code that runs as your user account |
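Review bot: the new `## Mullvad VPN loader` section in docs/security.md is a bare cross-reference, so a reader of security.md learns nothing about the loader unless the link is followed; consider one sentence stating what the loader is and the guarantee it relies on (signed version metadata and checksum-verified packages, as the new threat-model.md describes) so the section stands on its own. The relative link `../mullvad-update/threat-model.md` resolves correctly from `docs/` for in-repository viewing. The unchanged context lines around the insertion read "it spawn the `mullvad-problem-report` tool, which in turn communicate"; they are not part of this change, but "spawns" and "communicates" could be fixed while this file is being touched.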
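Review bot: in the threat-model.md hunk, "Who do we trust" names only the employees allowed to publish metadata, yet every verification listed under "Countermeasures" depends on trust anchors the document never identifies: the key that signs the version metadata and where its public half is pinned in the loader or `mullvad-update`, the PGP key behind the detached signatures mentioned under "Acquiring Mullvad VPN loader", and the TLS roots the API requests rely on. Naming these, together with how they are rotated or revoked, and stating that the "secured Qubes machines" countermeasure is where that signing key is held, would close the gap. It would also help to map each countermeasure to the capability it mitigates, for example that the expiry date is what defeats replay of stale but validly signed metadata, and that checksum verification only binds a package to the signed metadata and does not by itself prevent the "legitimate old or unexpected versions" case. Minor grammar in the added text: "in-app updates allows" should be "allow", "requires both read & write access" should be "require", "we provides" should be "provide", "select individuals which are trusted" should be "who are trusted", and the unfinished "With the goal to …" under "Crooks" should introduce the list that follows, e.g. "With the goal of:".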
