2.8 KiB
2.8 KiB
Lab 1: Security Requirements
Metaverse User Stories
Metaverse Users
are referred to as users here.
User | Task | Goal | Context | Action | Outcomes |
---|---|---|---|---|---|
User | perform authorized payment transactions | only I can make transactions in my name | An adversary knows my payment information | he tries to pay with my info | the payment is declined if not authorized by me |
Developer | access user configurations (avatars, config) | personalize the user experience of my applications | |||
Teacher | make physical course material available in the metaverse | students can see them in virtual reality | |||
User | have a unique identification key in bound to my avatar | everyone can recognize my avatar | my avatar is public | my avatar is used by another user | the user cannot impersonate my identity because he doesn't know the key |
User | virtual home to be self or zero knowledge hosted | my privacy can not be intruded |
Corrections:
- User stories are more non-functional and should not contain less security aspects, rather the use-case functionality
User | Task | Goal |
---|---|---|
User | Perform a payment | Acquire a virtual/physical asset |
User | Add and remove friends | Keep track of what my friends are up to |
User | Set home privacy | Prevent strangers from entering my home |
User | Use voice chat | Communicate with other users |
User | Fast travel | Quickly get to another location in the virtual space |
User | Give another user an item | Sell/Gift assets |
As a 'Metaverse user', I want to add/remove friends (from/to my virtual friend list) So I can keep track of their activites
Integrity => Befriending strangers => disclosing personal information to strangers (HARM) ACTION => Unauthorized access (edit) to FList
Assets
- User identity
- User belongings
- Friends lists
- Public image of system
- Voice data
Harm analysis
"What HARM could come to [asset] from an [action] violating a [concern]?" assets from User Stories actions yield Avoid goals concerns from CIA+ principles
Action | Asset | Harm |
---|---|---|
Steal user credentials | User identity | User information compromised, belongings stolen |
Accept unwanted friend request | Friends lists | User information partially compromised, trust acquired |
Unmute user microphone without consent | Voice data | User privacy compromised |
'Achieve' goals
- Always use multi-factor authentication for users
Use Cases
Produced using Lucidchart.