Skip to content

Threat Model

This document describes the threat model, assumptions, and mitigations for NovaKey-Daemon.

NovaKey is designed to safely inject secrets into local applications using a paired remote device (e.g. phone) while minimizing the risk of misuse, exfiltration, or privilege escalation.


Audience

This document is intended for:

  • Security-conscious users
  • Administrators exposing NovaKey on a LAN
  • Auditors reviewing NovaKey’s safety properties
  • Contributors working on protocol or injection logic

End users who only need basic setup may prefer the Configuration guide.


Assets Protected

NovaKey aims to protect the following:

  • Secrets (passwords, tokens, recovery keys)
  • Typing context integrity (ensuring secrets go to the intended application)
  • User intent (preventing unintended or automated injections)
  • Local system safety (preventing privilege escalation or command execution)

Trust Boundaries

Component Trust Level
Local NovaKey daemon Trusted
Local OS + windowing system Mostly trusted
Paired phone Semi-trusted
LAN Untrusted
Other LAN devices Untrusted
Focused application/window Potentially hostile

“Potentially hostile” reflects the fact that NovaKey does not control the focused application and must assume it could be the wrong target or behave unexpectedly.


Primary Attack Surfaces

1) Network listener (listen_addr)

  • Accepts incoming encrypted protocol connections
  • May be bound to localhost or LAN
  • Exposed to packet injection, replay, or abuse if misconfigured

2) Paired device (phone)

  • Can send arm + inject messages
  • May be compromised, lost, or maliciously modified

3) Focused application/window

  • Determines where injected text lands
  • May change between arming and injection
  • May be intentionally spoofed (window title tricks)

4) Clipboard fallback

  • Can leak secrets outside intended context
  • OS-level behavior varies across platforms

Threat Scenarios & Mitigations

Threat: Remote secret injection into unintended application

Example

  • NovaKey listens on LAN
  • Attacker or compromised phone injects into a terminal or admin prompt

Mitigations

  • target_policy_enabled
  • Allow / deny process lists
  • Built-in allowlist fallback
  • Two-man approval

Threat: Injection into terminal or shell (command execution)

Example

  • Secret injected into bash, zsh, cmd.exe
  • Newlines cause command execution

Mitigations

  • allow_newlines: false
  • Deny terminal process names
  • Two-man approval
  • Arm window + consume-on-inject

Threat: Race condition / focus switch attack

Example

  • User arms NovaKey
  • Focus changes before injection
  • Secret lands in wrong window

Mitigations

  • Short arm_duration_ms
  • Target policy enforcement at injection time
  • Two-man approval requires human confirmation
  • Deny window title rules

Threat: Replay or repeated inject attempts within arm window

Example

  • Attacker reuses a valid arm window
  • Attempts multiple injections before it expires

Mitigations

  • Arm window timeout
  • arm_consume_on_inject: true
  • Per-device rate limiting
  • Two-man approval

Threat: Compromised or stolen phone

Example

  • Attacker gains control of paired device
  • Attempts repeated injections

Mitigations

  • Arm gate (time-limited)
  • Per-device rate limiting
  • Target policy
  • Two-man approval
  • Ability to revoke device pairing

Threat: LAN attacker attempts injection

Example

  • NovaKey bound to 0.0.0.0
  • Attacker sends protocol messages

Mitigations

  • Mutual authentication via pairing keys
  • Per-device rate limiting
  • Target policy
  • Arm gate
  • Built-in allowlist

LAN should always be considered hostile.


Threat: Clipboard exfiltration

Example

  • Injection fails
  • Secret copied to clipboard
  • Clipboard manager or malware reads it

Mitigations

  • allow_clipboard_when_disarmed: false
  • allow_clipboard_on_inject_failure configurable
  • Prefer injection over clipboard when possible

Threat: Log leakage

Example

  • Secrets appear in logs
  • Logs written to disk or system journal

Mitigations

  • Log redaction (log_redact)
  • Secrets registered with redaction system
  • Minimal logging of payloads

Threat: Persistent credential theft from disk

Example

  • Attacker reads devices.json
  • Extracts long-term secrets

Mitigations

  • Sealed device store
  • require_sealed_device_store: true
  • OS-backed encryption where available

Non-Goals / Out of Scope

NovaKey does not attempt to protect against:

  • Fully compromised local OS
  • Kernel-level malware
  • Keyloggers running with user privileges
  • Malicious accessibility APIs
  • Physical attacker with unlocked session

NovaKey assumes:

  • The local user session is trusted
  • The OS focus reporting is mostly accurate
  • The user can visually confirm the focused application

Security Design Principles

NovaKey follows these principles:

  • Fail closed where possible
  • Short-lived authority (arm windows, approvals)
  • Defense in depth
  • Explicit user intent
  • Least privilege injection

Threat Recommended Controls
LAN exposure Target policy + built-in allowlist
Focus race Short arm window + two-man
Terminal injection Deny terminals + no newlines
Phone compromise Two-man + arm consume
Clipboard leaks Disable clipboard fallback

STRIDE Threat Analysis

This section maps NovaKey threats to the STRIDE model
(Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege).

NovaKey’s design intentionally focuses on Spoofing, Tampering, Information Disclosure, and Elevation of Privilege, as these represent the highest-risk outcomes for secret injection systems.


STRIDE Table

STRIDE Category Threat Scenario Impact NovaKey Mitigations
Spoofing Attacker pretends to be a paired device Unauthorized injections Mutual pairing keys, per-device identity, rate limiting
Spoofing Window title spoofing Secret injected into wrong app Target policy, deny rules, two-man approval
Tampering Payload modification in transit Corrupted or altered secrets Encrypted protocol, authenticated messages
Tampering Injection altered by newline execution Command execution allow_newlines: false, deny terminals
Repudiation Device denies having injected secret Limited auditability Best-effort logging, device identity tracking (full non-repudiation is a non-goal)
Information Disclosure Clipboard leaks secret Secret exfiltration Clipboard policy flags, injection-first design
Information Disclosure Logs contain secrets Credential leakage Log redaction, secret registration
Information Disclosure Disk theft of device store Persistent credential compromise Sealed device store, fail-closed option
Denial of Service Flood of pairing or inject requests Resource exhaustion Rate limiting, pairing limits
Denial of Service Continuous arming without inject User disruption Arm window timeout, consume-on-inject
Elevation of Privilege Injection into terminal Arbitrary command execution Target policy, deny rules, no newlines
Elevation of Privilege Injection into admin dialog Privilege escalation Target policy, two-man approval

STRIDE Coverage Summary

Category Coverage
Spoofing ✅ Strong
Tampering ✅ Strong
Repudiation ⚠️ Limited (by design)
Information Disclosure ✅ Strong
Denial of Service ⚠️ Partial
Elevation of Privilege ✅ Strong

NovaKey intentionally does not provide non-repudiation or full audit logging. The system is designed for interactive, intentional use, not forensic reconstruction.


Threat → Configuration Mapping Cheat Sheet

This section answers the question:

“If I’m worried about X, which settings should I enable?”

Minimum viable defense

If NovaKey is listening on anything other than 127.0.0.1, enable target policy at minimum:

target_policy_enabled: true
use_built_in_allowlist: true

❗ Injection into terminal / shell

Threat: Command execution, privilege escalation

Config:

target_policy_enabled: true
denied_process_names:
  - terminal
  - bash
  - zsh
  - cmd
  - powershell
allow_newlines: false


❗ Injection into wrong application (focus race)

Threat: Secret typed into unintended window

Config:

target_policy_enabled: true
use_built_in_allowlist: true
two_man_enabled: true
arm_duration_ms: 10000

❗ LAN attacker attempts injection

Threat: Remote misuse over local network

Config:

listen_addr: "0.0.0.0:60768"
target_policy_enabled: true
use_built_in_allowlist: true
require_sealed_device_store: true

❗ Compromised or stolen phone

Threat: Unauthorized injections

Config:

two_man_enabled: true
arm_consume_on_inject: true
max_requests_per_min: 30

❗ Clipboard exfiltration

Threat: Clipboard manager or malware reads secret

Config:

allow_clipboard_when_disarmed: false
allow_clipboard_on_inject_failure: false

❗ Persistent credential theft from disk

Threat: Attacker reads device store

Config:

require_sealed_device_store: true

❗ Over-permissive defaults on LAN

Threat: False sense of security

Config:

target_policy_enabled: true
use_built_in_allowlist: true

“Secure by Intent” Presets

Minimal friction (safe for home LAN)

listen_addr: "0.0.0.0:60768"
target_policy_enabled: true
use_built_in_allowlist: true

High-assurance workstation

listen_addr: "127.0.0.1:60768"
require_sealed_device_store: true

target_policy_enabled: true
allowed_process_names:
  - 1password
  - bitwarden

two_man_enabled: true
arm_duration_ms: 10000
allow_newlines: false

“Paranoid mode”

listen_addr: "127.0.0.1:60768"
require_sealed_device_store: true

target_policy_enabled: true
allowed_process_names:
  - 1password

denied_process_names:
  - terminal
  - powershell
  - cmd

two_man_enabled: true
arm_consume_on_inject: true
allow_clipboard_on_inject_failure: false
allow_newlines: false

Unsupported configurations

The following configurations are strongly discouraged and may be considered unsafe:

  • Listening on LAN with target_policy_enabled: false
  • Allowing terminal injection while allow_newlines: true
  • Enabling clipboard fallback in high-assurance environments

These configurations are supported for flexibility but not recommended.


Final Notes

NovaKey is safest when:

  • Listening on localhost or
  • Target policy is enabled
  • Arm windows are short
  • Two-man approval is enabled for sensitive systems

Security is a configuration choice — NovaKey provides the tools, but defaults must be respected and understood.