Skip to content

USL Threat Model

Version: 1.0.0
Last Updated: January 15, 2026
Methodology: STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)

Executive Summary

This document identifies security threats to the USL compiler and generated applications, assesses their likelihood and impact, documents mitigations, and quantifies residual risk.

Risk Levels: - Critical: Immediate exploitation, high impact (data breach, system compromise) - High: Likely exploitation, significant impact (policy bypass, secret leakage) - Medium: Possible exploitation, moderate impact (DoS, limited disclosure) - Low: Unlikely exploitation, minimal impact (information leakage, configuration issues)

Threat Categories

1. Input Attacks

T1.1: Malicious USL Code Injection

Description: Attacker provides malformed or malicious USL source code to crash compiler or produce vulnerable output.

Attack Vectors: - Deeply nested structures (stack overflow) - Large inputs (memory exhaustion) - Unicode exploits (homograph attacks, control characters) - Invalid syntax (parser confusion)

STRIDE: Denial of Service, Tampering

Likelihood: Medium (easy to attempt, hard to succeed)

Impact: Medium (compiler crash, incorrect code generation)

Mitigation: - ✅ Lexer validates all tokens (E101-E199) - ✅ Parser enforces strict grammar rules - ✅ Bounded recursion (max 100 levels) - ✅ Input size limits (10MB max file size) - ✅ Fuzzing catches edge cases (500+ corpus) - ✅ Safe Rust (no buffer overflows)

Residual Risk: Low

Monitoring: Compilation failures logged, fuzzing runs nightly

T1.2: Import Declaration Exploits

Description: Attacker uses malicious import declarations to access unauthorized modules or create circular dependencies.

Attack Vectors: - Path traversal (import "../../etc/passwd") - Circular imports (A imports B, B imports A) - Namespace collision attacks - Trust boundary violations

STRIDE: Tampering, Elevation of Privilege

Likelihood: Low (validated by import checker)

Impact: Medium (unauthorized access, compilation failure)

Mitigation: - ✅ Import validator checks path safety (E501-E509) - ✅ Circular dependency detection - ✅ Namespace isolation enforced - ✅ Trust policies required for external imports - ✅ Layer boundaries prevent cross-layer imports

Residual Risk: Low

Monitoring: Import validation errors tracked

2. Policy Bypass Attacks

T2.1: Unauthorized Behavior Execution

Description: Attacker attempts to execute behaviors without proper authorization policies.

Attack Vectors: - Write behaviors without authorize statements - Incomplete policy coverage (missing edge cases) - Policy logic errors (always-true conditions) - Time-of-check/time-of-use vulnerabilities

STRIDE: Elevation of Privilege

Likelihood: Low (compile-time enforcement)

Impact: Critical (unauthorized data access/modification)

Mitigation: - ✅ E301: Behavior without policy fails compilation - ✅ E304: Policy totality proof (all paths authorized) - ✅ Runtime enforcement in generated middleware - ✅ No reflection/eval in generated code (no bypass) - ✅ 20 test cases for policy enforcement

Residual Risk: Low

Critical Success Factor: Policy totality proof must be sound

Monitoring: Policy violations logged at runtime

T2.2: Policy Logic Manipulation

Description: Attacker crafts policy logic that appears secure but contains vulnerabilities.

Attack Vectors: - Tautologies (user.id == user.id → always true) - Short-circuit evaluation exploits - Type confusion in policy expressions - External data dependencies (time, random values)

STRIDE: Elevation of Privilege

Likelihood: Medium (user error likely)

Impact: High (authorization bypass)

Mitigation: - ✅ Semantic analyzer validates policy logic - ✅ Proof engine detects tautologies and contradictions - ⚠️ Best practices documentation (user responsibility) - ⚠️ Static analysis warnings (future: v1.1)

Residual Risk: Medium

Recommendation: Add policy linting (detect common mistakes)

Monitoring: Policy complexity metrics tracked

3. Secret Leakage

T3.1: Secret Exposure in Error Messages

Description: Secrets leaked through error messages, logs, or stack traces.

Attack Vectors: - Exception messages containing secret values - Debug logs with sensitive data - Stack traces revealing secrets - Error responses to API clients

STRIDE: Information Disclosure

Likelihood: Low (compile-time detection)

Impact: Critical (credential theft, PII exposure)

Mitigation: - ✅ Secret flow analysis (E401-E404) - ✅ Automatic redaction in error messages - ✅ Generated code redacts secrets in logs - ✅ No serialization of Secret<T> types - ✅ 15 test cases for secret flow

Residual Risk: Low

Critical Success Factor: Secret flow analysis must be sound

Monitoring: Secret access logged (audit trail)

T3.2: Secret Leakage Through Type Coercion

Description: Attacker uses type coercion to convert Secret<T> to T and extract value.

Attack Vectors: - Explicit type casts (secret as String) - Implicit conversions in expressions - Comparison operators revealing values - Pattern matching on secrets

STRIDE: Information Disclosure

Likelihood: Low (compile-time prevention)

Impact: Critical (secret exposure)

Mitigation: - ✅ E402: Explicit secret conversion forbidden - ✅ E403: Secret comparison forbidden - ✅ Type checker prevents implicit coercion - ✅ Pattern matching on secrets forbidden

Residual Risk: Very Low

Monitoring: Secret flow violations logged

T3.3: Secret Leakage in API Responses

Description: Secrets inadvertently included in API responses or serialized data.

Attack Vectors: - JSON serialization of entities with secrets - GraphQL responses including secret fields - Database query results returned directly - Cached responses containing secrets

STRIDE: Information Disclosure

Likelihood: Low (automatic redaction)

Impact: Critical (secret exposure)

Mitigation: - ✅ Generated code excludes secrets from responses - ✅ Automatic field filtering in serializers - ✅ Secrets never included in OpenAPI schemas - ✅ Cache keys exclude secret fields

Residual Risk: Very Low

Monitoring: API responses audited for secrets

4. Escape Hatch Abuse

T4.1: Missing Adapter Exploitation

Description: Attacker uses escape hatches without implementing required adapters.

Attack Vectors: - Declare escape, skip adapter implementation - Mock adapter for testing, deploy without real adapter - Adapter returns incorrect types

STRIDE: Tampering, Denial of Service

Likelihood: Low (E902 error)

Impact: High (undefined behavior, runtime errors)

Mitigation: - ✅ E902: Missing adapter fails compilation - ✅ Adapter registry validated at compile-time - ⚠️ Runtime adapter verification (future: v1.1)

Residual Risk: Low

Monitoring: Adapter registrations tracked

T4.2: Malicious Adapter Code

Description: Attacker implements adapter that violates security assumptions.

Attack Vectors: - Adapter accesses secrets without authorization - Adapter performs unauthorized I/O - Adapter has vulnerabilities (injection, overflow) - Adapter leaks data to external services

STRIDE: Tampering, Information Disclosure, Elevation of Privilege

Likelihood: Medium (user-provided code)

Impact: Critical (arbitrary code execution)

Mitigation: - ⚠️ Adapters are trusted (user responsibility) - ⚠️ Documentation requires adapter auditing - ⚠️ Best practices guide for adapter development - ❌ No sandbox for adapter execution (future: v2.0)

Residual Risk: High

Critical Limitation: USL cannot verify adapter security

Recommendation: Sandboxed adapter execution (WebAssembly, v2.0)

Monitoring: Adapter usage logged

5. Generated Code Vulnerabilities

T5.1: SQL Injection in Generated Queries

Description: Generated SQL contains injection vulnerabilities.

Attack Vectors: - String concatenation instead of parameterization - Improper escaping of user input - Dynamic table/column names from user input - Second-order injection (stored XSS in DB)

STRIDE: Tampering, Information Disclosure, Elevation of Privilege

Likelihood: Low (parameterized queries)

Impact: Critical (data breach, data loss)

Mitigation: - ✅ All queries use parameterized statements - ✅ No string concatenation in SQL generation - ✅ Input validation in generated API code - ✅ 38 codegen tests including injection attempts - ✅ Code review of all SQL generation

Residual Risk: Low

Critical Success Factor: All SQL generation must use parameters

Monitoring: Query patterns reviewed in code audits

T5.2: Cross-Site Scripting (XSS) in Generated API

Description: Generated API responses contain unsanitized user input.

Attack Vectors: - Unescaped HTML in JSON responses - Reflected XSS in error messages - Stored XSS in database fields - JSONP callback injection

STRIDE: Tampering, Information Disclosure

Likelihood: Medium (depends on frontend usage)

Impact: High (session hijacking, phishing)

Mitigation: - ✅ Generated APIs return JSON (not HTML) - ✅ Content-Type headers set correctly - ✅ CSP headers in deployment configs - ⚠️ Frontend responsible for output encoding

Residual Risk: Low (backend API only)

Note: XSS risk primarily in frontend (out of scope)

Monitoring: API response headers validated

T5.3: Authentication/Authorization Bypass in Generated Code

Description: Generated middleware has flaws allowing unauthorized access.

Attack Vectors: - Missing authentication checks - Incorrect role/permission validation - JWT validation errors - Session fixation vulnerabilities

STRIDE: Elevation of Privilege

Likelihood: Low (generated from policies)

Impact: Critical (unauthorized access)

Mitigation: - ✅ Authentication required for all protected endpoints - ✅ JWT validation in generated middleware - ✅ Role-based access control (RBAC) enforced - ✅ Session management best practices - ✅ 22 runtime tests for auth/authz

Residual Risk: Low

Critical Success Factor: Generated auth code must be correct

Monitoring: Authentication failures logged

T5.4: Insecure Default Configuration

Description: Generated deployment manifests have insecure defaults.

Attack Vectors: - Default passwords/secrets - Permissive CORS policies - Disabled TLS/HTTPS - Exposed admin endpoints - Missing rate limiting

STRIDE: Spoofing, Information Disclosure, Elevation of Privilege

Likelihood: Medium (user misconfiguration)

Impact: High (unauthorized access, data exposure)

Mitigation: - ✅ No default passwords (require user configuration) - ✅ Strict CORS policies by default - ✅ TLS enforced in production mode - ✅ Admin endpoints require authentication - ⚠️ Rate limiting configurable (not enforced by default)

Residual Risk: Medium

Recommendation: Enforce rate limiting by default (v1.1)

Monitoring: Configuration validated at deploy time

6. Supply Chain Attacks

T6.1: Compromised Dependencies

Description: Malicious code injected through compromised Rust crates.

Attack Vectors: - Typosquatting (similar crate names) - Account compromise (crates.io maintainer) - Malicious updates to legitimate crates - Dependency confusion attacks

STRIDE: Tampering, Elevation of Privilege

Likelihood: Low (Rust ecosystem trust)

Impact: Critical (arbitrary code execution)

Mitigation: - ✅ cargo audit scans for known vulnerabilities - ✅ cargo deny checks advisories and licenses - ✅ cargo vet supply chain verification - ✅ Minimal dependencies (60 crates) - ✅ Weekly dependency updates reviewed - ✅ Lockfile committed (Cargo.lock)

Residual Risk: Low

Monitoring: Dependabot alerts, weekly cargo audit

T6.2: Unmaintained Dependencies

Description: Dependencies with known vulnerabilities or no security updates.

Attack Vectors: - Old crate versions with CVEs - Unmaintained crates (no updates in 2+ years) - Abandoned projects

STRIDE: Various (depends on vulnerability)

Likelihood: Medium (inevitable with time)

Impact: Medium to High (depends on vulnerability)

Mitigation: - ✅ cargo outdated identifies old dependencies - ✅ Quarterly dependency review and updates - ✅ Replace unmaintained crates within 30 days - ✅ Test suite ensures compatibility with updates

Residual Risk: Medium

Monitoring: Quarterly dependency audits

7. Denial of Service (DoS)

T7.1: Resource Exhaustion (Compilation)

Description: Attacker provides input that causes excessive CPU/memory usage during compilation.

Attack Vectors: - Exponential proof complexity - Large entity definitions (1000+ fields) - Deeply nested types (recursive types) - Infinite loops in proof search

STRIDE: Denial of Service

Likelihood: Medium (easy to attempt)

Impact: Medium (compilation fails, CI/CD blocked)

Mitigation: - ✅ Compilation timeouts (5 minutes default) - ✅ Memory limits (4GB default) - ✅ Bounded recursion (max 100 levels) - ✅ Proof search limits (10,000 steps) - ✅ Fuzzing tests for hangs/crashes

Residual Risk: Low

Monitoring: Compilation times tracked (metrics)

T7.2: Resource Exhaustion (Generated API)

Description: Attacker exploits generated API to consume resources.

Attack Vectors: - Large request payloads (1GB+ JSON) - Expensive queries (unbounded joins) - Slowloris attacks (slow HTTP requests) - Amplification attacks

STRIDE: Denial of Service

Likelihood: High (common attack vector)

Impact: High (service unavailable)

Mitigation: - ✅ Request size limits (10MB default) - ⚠️ Query pagination enforced (configurable) - ⚠️ Rate limiting configurable (not default) - ⚠️ Connection timeouts (60 seconds) - ❌ DDoS protection (infrastructure responsibility)

Residual Risk: Medium

Recommendation: Enable rate limiting by default (v1.1)

Monitoring: API metrics (latency, throughput)

8. Additional Threats

T8.1: Time-of-Check/Time-of-Use (TOCTOU)

Description: Policies checked at compile-time but data changes at runtime.

Attack Vectors: - User permissions revoked after compilation - Data modified between policy check and action - Race conditions in concurrent access

STRIDE: Elevation of Privilege

Likelihood: Low (runtime enforcement exists)

Impact: Medium (unauthorized access)

Mitigation: - ✅ Both compile-time and runtime enforcement - ✅ Generated code re-checks policies at runtime - ✅ Database transactions ensure consistency - ⚠️ Real-time policy updates not supported (future: v1.1)

Residual Risk: Low

Monitoring: Policy check timing logged

T8.2: Side-Channel Attacks

Description: Information leakage through timing, resource usage, or behavior.

Attack Vectors: - Timing attacks on policy evaluation - Memory usage revealing secret lengths - Error message timing differences - Cache timing attacks

STRIDE: Information Disclosure

Likelihood: Low (requires sophisticated attacker)

Impact: Low (limited information leakage)

Mitigation: - ⚠️ Constant-time operations not enforced (Rust limitation) - ⚠️ Timing attacks possible in policy evaluation - ❌ Side-channel resistance not a design goal (v1.0)

Residual Risk: Medium

Note: Side-channel resistance is complex and performance-impacting

Future Work: Constant-time policy evaluation (v2.0)

T8.3: Social Engineering

Description: Attacker tricks users into deploying insecure configurations or adapters.

Attack Vectors: - Fake adapters from untrusted sources - Malicious examples copied from internet - Phishing for deployment credentials - Supply chain social engineering

STRIDE: Various

Likelihood: Medium (human factor)

Impact: High (deployment compromise)

Mitigation: - ⚠️ Documentation emphasizes security best practices - ⚠️ Adapter verification guide provided - ⚠️ Example applications clearly marked as demos - ❌ Technical controls limited (user responsibility)

Residual Risk: Medium

Recommendation: Adapter marketplace with verified adapters (v1.2)

Threat Summary

Critical Risks (Immediate Attention Required)

None identified. All critical threats have strong mitigations.

High Risks (Address in Next Release)

  1. T4.2: Malicious Adapter Code - Residual Risk: High
  2. Mitigation Plan: Sandboxed adapter execution (WebAssembly, v2.0)
  3. Timeline: Q4 2026

Medium Risks (Monitor and Improve)

  1. T2.2: Policy Logic Manipulation - Residual Risk: Medium
  2. Mitigation Plan: Policy linting and complexity warnings (v1.1)

  3. Timeline: Q2 2026

  4. T5.4: Insecure Default Configuration - Residual Risk: Medium

  5. Mitigation Plan: Enforce rate limiting by default (v1.1)

  6. Timeline: Q2 2026

  7. T7.2: Resource Exhaustion (Generated API) - Residual Risk: Medium

  8. Mitigation Plan: Default rate limiting and query limits (v1.1)

  9. Timeline: Q2 2026

  10. T8.2: Side-Channel Attacks - Residual Risk: Medium

  11. Mitigation Plan: Constant-time policy evaluation (v2.0)

  12. Timeline: Q4 2026

  13. T8.3: Social Engineering - Residual Risk: Medium

  14. Mitigation Plan: Verified adapter marketplace (v1.2)
  15. Timeline: Q3 2026

Low Risks (Acceptable)

All other threats have acceptable residual risk.

Recommendations

Immediate Actions (v1.0.1 - January 2026)

  1. ✅ Complete this threat model review
  2. ✅ Run comprehensive security audit (external firm)
  3. ✅ Document adapter security best practices
  4. ✅ Add security warnings to configuration generator

Short-Term (v1.1 - Q2 2026)

  1. Implement policy linting (detect tautologies, complexity)
  2. Enable rate limiting by default in generated APIs
  3. Add runtime policy update support
  4. Implement real-time security monitoring SDK

Medium-Term (v1.2 - Q3 2026)

  1. Formal verification of codegen correctness
  2. Verified adapter marketplace
  3. Certified dependency set (cargo-vet integration)
  4. Enhanced fuzzing with corpus generation

Long-Term (v2.0 - Q4 2026)

  1. Sandboxed adapter execution (WebAssembly)
  2. Constant-time policy evaluation
  3. Zero-knowledge proof support
  4. Differential privacy primitives

Version History

  • v1.0.0 (2026-01-15): Initial threat model
  • Document scheduled for quarterly review

Next Review: April 15, 2026

For questions or to report threats, contact: security@usl-lang.org