Abstract
Threat modelling is foundational to secure systems
engineering and should be done in consideration of the
context within which systems operate. On the other hand,
the continuous evolution of both the technical sophistication
of threats and the system attack surface is an inescapable
reality. In this work, we explore the extent to which real-world
systems engineering reflects the changing threat context.
To this end we examine the desktop clients of six widely
used end-to-end-encrypted mobile messaging applications to
understand the extent to which they adjusted their threat
model over space (when enabling clients on new platforms,
such as desktop clients) and time (as new threats emerged).
We experimented with short-lived adversarial access against
these desktop clients and analyzed the results with respect
to two popular threat elicitation frameworks, STRIDE and
LINDDUN. The results demonstrate that system designers
need to both recognise the threats in the evolving context
within which systems operate and, more importantly, to
mitigate them by rescoping trust boundaries in such a manner
that those within the administrative boundary cannot violate
security and privacy properties. Such a nuanced understanding of trust boundary scopes and their relationship with
administrative boundaries allows for better administration
of shared components, including securing them with safe
defaults.