BASIS/Threat Model

Threat Model

STRIDE analysis with 20+ threats and mitigations

Overview

This document defines the security threat model for BASIS-conformant implementations. It identifies threats, attack vectors, and required mitigations for AI agent governance systems.

STRIDE Analysis

CategoryDescriptionApplicable Components
SSpoofingAuthentication, Entity IDs
TTamperingTrust scores, Proofs, Policies
RRepudiationAudit logs, Proof chain
IInformation DisclosureAPI responses, Logs
DDenial of ServiceAll API endpoints
EElevation of PrivilegeTrust scoring, Capability gating

Key Threats

T-TRUST-001Trust Score ManipulationCritical

Direct Score Modification

Attacker directly modifies trust scores in the database via SQL injection, credential theft, or insider threat.

Mitigations

  • Trust score modifications MUST go through ENFORCE layer
  • Database credentials MUST use principle of least privilege
  • All score changes MUST be logged in PROOF layer
T-INTENT-001Intent ManipulationCritical

Prompt Injection

Attacker embeds malicious instructions in action requests to manipulate INTENT layer parsing.

Mitigations

  • INTENT layer MUST treat all input as untrusted
  • Implement prompt injection detection patterns
  • Use structured extraction, not free-form interpretation
  • Never execute trust modifications from intent content
T-PROOF-001Proof Chain AttacksCritical

Proof Tampering

Attacker modifies existing proof records to hide actions or change history.

Mitigations

  • Proof storage MUST be append-only
  • Proof records MUST be cryptographically chained
  • Implement hash verification on read
  • Separate proof storage from operational database
T-AUTH-001AuthenticationCritical

Entity Spoofing

Attacker impersonates a trusted entity to leverage their trust score.

Mitigations

  • Strong authentication required for all entities
  • Implement entity-specific API keys
  • Session binding to IP/device where possible
  • MFA for high-privilege operations

Security Requirements Summary

Authentication

  • All API endpoints require authentication
  • Tokens expire within 24 hours
  • Failed auth attempts logged

Cryptographic

  • TLS 1.2+ for all transport
  • SHA-256 for proof hashing
  • RSA-2048 or ECDSA P-256 for signing

Audit

  • Log all authentication attempts
  • Log all ENFORCE decisions
  • Logs retained minimum 1 year

Input Validation

  • Validate all input against schema
  • Parameterize all database queries
  • Implement prompt injection detection

For the complete threat model with all 20+ threats, incident response procedures, and compliance mapping, see the full document on GitHub.

View Full Threat Model on GitHub