RocheDB Threat Model
RocheDB Threat Model
This is the canonical English threat model for the current pre-release RocheDB core. It is intentionally scoped to the open-source core and first-party drivers.
Assets
- Stored payloads, vectors, ring names, galaxy names, and atlas descriptions.
- Authentication credentials: username, password, auth token, and secret key.
- Backup artifacts:
roche.log, JSONL dumps, and encryptedroche.backupfiles. - Cluster transaction landing intents before owner apply.
- Warp belt jobs, progress cursors, retry state, acknowledgements, and dead-letter records.
- Operational metadata: health, metrics, ring summaries, and atlas maps.
Trust Boundaries
- Embedded mode: the application process is trusted. Local filesystem access is outside RocheDB’s control.
- Cluster mode: each
rochedprocess is trusted after authentication. The network between clients and nodes is not trusted until TLS is implemented. - Galaxy isolation: separate data directories, peer lists, credentials, and secret keys define isolation boundaries.
- Drivers: official drivers must not weaken authentication, ID parsing, or error handling compared with the wire protocol.
In Scope Threats
- Accidental WAL truncation, torn tail records, compact interruption, and partial transaction records.
- Cluster owner crash before asynchronous transaction apply.
- Unauthorized access with only username/password or only secret key.
- Backup leakage when plain
backup/dumpartifacts are copied outside the trusted environment. - Cross-galaxy confusion caused by connecting to the wrong peer list or data directory.
Current Controls
- Length-prefixed WAL records and replay repair for torn tails.
- Atomic embedded transactions: only transactions with a commit marker replay.
- Cluster landing intents: committed intents remain until applied and are retried after owner restart.
- Warp belt jobs are WAL-backed and restore progress / ack state after reopen. Acknowledged jobs can be pruned through a tombstone record.
- Read-your-writes fallback through landing intents for
get,query, andbatchGet. durStrong/--durability=strong: flush + fsync write boundaries for stronger crash durability.- Username/password authentication plus secret-key challenge response.
- Ring prefix authorization for named-ring wire operations with
roched --allow-ring=prefix[,prefix...]. - Minimal role authorization with
reader,writer, andadminthroughroched --role=user:password:role[:prefix1,prefix2]. - Wire frame bounds for header, payload, vector, and encrypted transport frame
lengths. Oversized, negative, or malformed frames return
ERRand close only the offending connection. - Deterministic malformed-frame smoke coverage in
scripts/cluster_wire_fuzz_smoke.sh. - Core and cluster smoke entry points are available through
scripts/test_core.shandscripts/test_all_smoke.sh. - nimsodium secretbox for auth transport and encrypted backups.
- Galaxy binding in persistent data directories.
Known Gaps
- TLS is not implemented. Do not expose
rocheddirectly on untrusted networks. - Rich role policies are intentionally not implemented. RocheDB’s primary isolation model is galaxy separation plus ring-prefix scope; roles are kept minimal for read/write/admin separation.
- Cluster transaction coordinator redundancy is not implemented; node0 landing remains a single point of failure.
- Dynamic membership and epoch migration are not implemented.
- General database-wide audit logs are not implemented. Warp jobs persist attempts, retry timing, acknowledgement, and dead-letter state, but that is job state rather than a complete access/change audit trail.
- Server-side warp scheduling is not implemented; applications must call
warpStep/warpDrainexplicitly in the current core. - Encrypted backup uses passphrase-derived secretbox encryption. External key management and rotation are not implemented.
- Plain
dumpand plainbackupremain intentionally available and must be treated as sensitive artifacts.
Deployment Guidance
- Use private networks or tunnels until TLS lands.
- Use separate galaxies, credentials, and secret keys for separate trust domains.
- Use
--durability=strongfor data where losing the last flush batch is unacceptable. - Prefer
backup-encryptedfor artifacts that leave the host or trusted storage boundary. - Keep ring and atlas descriptions free of secrets; they are routing metadata, not protected payload fields.
- Export
roche metricsoutput to CloudWatch, Cloud Monitoring, or a similar system and alert on transaction backlog, error growth, auth failures, WAL growth, connection pressure, and unexpected restarts.