Skip to content

Commit 29a4a28

Browse files
committed
feat(spec): Add threat model for cross-domain agent authorization (Section 3.1)
Define comprehensive threat model for DCR specification including: - Protected assets requiring security controls (credentials, identity info, authorization decisions, trust relationships, audit trails) - Threat actor categories (malicious agents, compromised MCP servers, rogue IdPs/ASs, external attackers, insider threats) - Attack categories covering credential attacks, identity/metadata attacks, authorization attacks (confused deputy, privilege escalation, scope creep), availability attacks, and multi-agent specific attack vectors This threat model provides the foundational security analysis for the cross-domain authorization information sharing specification targeting IETF standardization. Section 3.1 of the DCR v1 Draft proposal. Signed-off-by: Nik Kale <nikkal@cisco.com>
1 parent dc1329b commit 29a4a28

1 file changed

Lines changed: 95 additions & 0 deletions

File tree

Lines changed: 95 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,95 @@
1+
# Proposed Contribution: Threat Model (Section 3.1)
2+
3+
---
4+
5+
## 3.1. Threat Model
6+
7+
This section defines the threat model for cross-domain authorization information sharing in multi-agent systems. Understanding the adversarial landscape is essential for evaluating solution approaches and designing appropriate mitigations.
8+
9+
### 3.1.1. Protected Assets
10+
11+
The following assets require protection in cross-domain agent authorization:
12+
13+
**Authorization Credentials:** Verifiable Credentials, OAuth tokens, and client metadata documents that grant agents access to resources across domains.
14+
15+
**Agent Identity Information:** Claims about agent provenance, capabilities, compliance status, and operational parameters embedded in VCs or metadata.
16+
17+
**Authorization Decisions:** The integrity of access control determinations made by Authorization Servers based on presented credentials.
18+
19+
**Cross-Domain Trust Relationships:** The established trust between domains that enables agents to operate across organizational boundaries.
20+
21+
**Audit Trails:** Logs and records of authorization events necessary for compliance, forensics, and incident response.
22+
23+
### 3.1.2. Threat Actors
24+
25+
This specification considers the following threat actors:
26+
27+
**Malicious Agent:** An agent that has been compromised or intentionally deployed to exceed authorized scope, exfiltrate data, or abuse delegated permissions. The agent may possess valid credentials obtained through legitimate means.
28+
29+
**Compromised MCP Server:** An MCP Server that has been compromised by an attacker and may return malicious tool responses, leak sensitive data from authorized agents, or attempt to elevate privileges through the agents it serves.
30+
31+
**Rogue Identity Provider:** An IdP that issues fraudulent credentials, either through compromise or malicious operation. May issue VCs with false claims about agent capabilities or compliance status.
32+
33+
**Rogue Authorization Server:** An AS that makes incorrect authorization decisions, either through misconfiguration, compromise, or malicious intent. May grant excessive permissions or leak authorization metadata.
34+
35+
**External Attacker:** An attacker without legitimate access who attempts to intercept, replay, or forge authorization credentials through network-level attacks or exploitation of protocol vulnerabilities.
36+
37+
**Insider Threat:** A legitimate user or administrator who abuses their position to create over-privileged agents, bypass authorization controls, or exfiltrate authorization credentials.
38+
39+
### 3.1.3. Attack Categories
40+
41+
The following attack categories are relevant to cross-domain agent authorization:
42+
43+
#### 3.1.3.1. Credential Attacks
44+
45+
**Credential Replay:** An attacker captures a valid vc+jwt or access token and replays it to gain unauthorized access. This is particularly concerning for long-lived credentials in high-latency cross-domain scenarios.
46+
47+
**Credential Theft:** Exfiltration of agent credentials from storage, memory, or transit. Stolen credentials may be used to impersonate legitimate agents.
48+
49+
**Credential Forgery:** Attempts to create fraudulent VCs or metadata documents that appear valid. May exploit weak cryptographic implementations or compromised signing keys.
50+
51+
#### 3.1.3.2. Identity and Metadata Attacks
52+
53+
**Metadata Endpoint Compromise:** An attacker gains control of the URL hosting an agent's client-id metadata document and substitutes malicious metadata or VCs. The AS fetching this metadata would then provision an attacker-controlled identity.
54+
55+
**Metadata Poisoning:** Injection of false claims into legitimate metadata documents through supply chain attacks, DNS hijacking, or exploitation of the hosting infrastructure.
56+
57+
**Identity Correlation:** Linking agent activities across domains to build profiles of organizational operations, potentially revealing sensitive business processes or security postures.
58+
59+
#### 3.1.3.3. Authorization Attacks
60+
61+
**Confused Deputy:** An attacker tricks a trusted agent into performing actions on their behalf that the attacker is not authorized to perform directly. This is particularly relevant in multi-agent chains where Agent A invokes Agent B. (See: Norm Hardy, 1988)
62+
63+
**Privilege Escalation:** Exploiting gaps between claimed capabilities in VCs and actual enforcement at the AS or resource server to gain access beyond authorized scope.
64+
65+
**Scope Creep in Delegation:** In multi-hop agent workflows (A to B to C), downstream agents accumulate permissions beyond what the originating principal intended to delegate.
66+
67+
**Policy Skew:** An agent trusted in Domain A operates in Domain B where different security policies apply. The agent may inadvertently (or intentionally) perform actions that violate Domain B's policies while remaining within Domain A's authorized scope.
68+
69+
**Trust Score Manipulation:** Artificially inflating trust scores or compliance attestations in VCs to gain access to resources requiring higher trust levels.
70+
71+
#### 3.1.3.4. Availability Attacks
72+
73+
**Metadata Endpoint Denial:** Making the client-id metadata endpoint unavailable, preventing legitimate agents from authenticating or re-authenticating.
74+
75+
**Revocation Infrastructure Attacks:** Attacks against VC status endpoints or revocation registries that prevent detection of revoked credentials or cause false revocation signals.
76+
77+
#### 3.1.3.5. Multi-Agent Specific Attacks
78+
79+
**Delegation Chain Manipulation:** Altering or forging the chain of delegation in multi-agent workflows to obscure accountability or inject unauthorized agents into a workflow.
80+
81+
**Agent Spawning Abuse:** A compromised orchestrator agent creating numerous sub-agents with excessive permissions, amplifying the impact of the initial compromise.
82+
83+
**Cross-Domain Lateral Movement:** Using legitimate cross-domain authorization to pivot from a compromised position in Domain A to resources in Domain B that would not otherwise be accessible.
84+
85+
---
86+
87+
## Contributor Information
88+
89+
This section was contributed by:
90+
91+
**Nik Kale**
92+
Principal Engineer, Cisco Systems
93+
94+
---
95+

0 commit comments

Comments
 (0)