4. Security Considerations
Overview
The channel security model of the L4 IDE relies on HTTPS: all API calls are SSL-encrypted. This security model is intended to defeat eavesdropping, replay, message insertion, deletion, modification, and man/woman/nonbinary-person-in-the-middle attacks at the transport layer.
The object security model of the L4 IDE relies on a secret UUID generated by the Code.gs caller and passed to the Pyrest API. From this UUID, together with the IDs of the Google Sheets spreadsheet and sheet tab, Code.gs constructs a three-part compound identifier that accompanies every API call and response.
Each link in the sidebar contains this compound identifier. For example, the link to the Petri Net process workflow visualization can be broken down as follows:
backend server host name            https://cclaw.legalese.com
port running gunicorn / hello.py    :8081
constant for URL routing            /workdir
client-generated UUID               /92e2fe74-8425-4fd2-a5ea-2df53b33d1d3
Google Sheets spreadsheet ID        /1leBCZhgDsn-Abg2H_OINGGv-8Gpf9mzuX1RR56v0Sss
Google Sheets sheet ID              /1779650637
static output file directory        /petri
static output file name             /LATEST.png
This implements “shared keys” security as described in §4.1.3 of RFC 3552. The “shared keys” security model is secure only to the extent that the UUID cannot easily be guessed and is not exposed outside the API calls.
The client-generated secret UUID is cached client-side by the Google Apps Script and rotated every 6 hours.
If an attacker obtains the client-generated UUID, and also has access to the Google Sheets spreadsheet ID and sheet ID, the attacker can construct the entire URL, read the static output files, and run the Web Tool. It may be possible for a third-party Google Apps Script app to read the UUID, in a “cross-domain” style of attack. It may be possible for an intermediary ISP to read the URL if there is some kind of HTTPS proxy attack, or if the HTTPS transport mode is deliberately disabled. It may be possible for a browser plugin to likewise eavesdrop on browser activity and discover the UUID. If any of these attacks succeeds, the attacker will be able to read, or reverse-engineer, the contents of the particular L4 program being developed by the legal engineer.
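As an added illustration (not code from the L4 IDE or Pyrest project), the following Python shows the two sides of the shared-key model above: a backend-side check that a sidebar link carries a well-formed compound identifier whose UUID is a random version-4 UUID, and the client-side construction of such a link. The path layout follows the breakdown above; the character classes used for the spreadsheet, sheet and file components are assumptions, not rules taken from the project.

```python
import re
import uuid
from urllib.parse import urlsplit, urlunsplit

# Path layout of a sidebar link, as documented in this section:
#   https://HOST:PORT/workdir/<client-uuid>/<spreadsheet-id>/<sheet-id>/<dir>/<file>
# The character classes below are assumptions based on the sample link,
# not rules taken from the L4 IDE code base.
_SPREADSHEET_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # Google spreadsheet ID
_SHEET_RE = re.compile(r"^\d+$")                    # sheet tab ID (numeric gid)
_FILE_RE = re.compile(r"^[A-Za-z0-9_.-]+$")         # output dir / file name

def parse_workdir_url(url):
    """Split a sidebar link into its compound identifier and validate it.

    Raises ValueError for a non-HTTPS link, a malformed path, a path component
    that could escape the work directory, or a client UUID that is not a random
    version-4 UUID (a version-1 UUID is derived from time and MAC address, so it
    is guessable and defeats the shared-keys model of RFC 3552 section 4.1.3).
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("object security assumes an HTTPS transport")
    segs = parts.path.strip("/").split("/")
    if len(segs) != 6 or segs[0] != "workdir":
        raise ValueError("expected /workdir/<uuid>/<spreadsheet>/<sheet>/<dir>/<file>")
    _, raw_uuid, spreadsheet_id, sheet_id, out_dir, out_file = segs
    try:
        session = uuid.UUID(raw_uuid)
    except ValueError:
        raise ValueError("client UUID is not a well-formed UUID") from None
    if session.version != 4:
        raise ValueError("client UUID must be a random version-4 UUID")
    if not _SPREADSHEET_RE.match(spreadsheet_id) or not _SHEET_RE.match(sheet_id):
        raise ValueError("malformed spreadsheet or sheet ID")
    for seg in (out_dir, out_file):
        if seg in (".", "..") or not _FILE_RE.match(seg):
            raise ValueError("output path component rejected: %r" % seg)
    return dict(host=parts.hostname, port=parts.port, uuid=str(session),
                spreadsheet_id=spreadsheet_id, sheet_id=sheet_id,
                out_dir=out_dir, out_file=out_file)

def build_workdir_url(host, port, spreadsheet_id, sheet_id, out_dir, out_file, session=None):
    """Client side: assemble the compound-identifier URL around a fresh random
    UUID (the caller is responsible for the 6-hour rotation). Returns (url, uuid)."""
    session = session or uuid.uuid4()
    path = "/".join(["", "workdir", str(session), spreadsheet_id, sheet_id, out_dir, out_file])
    return urlunsplit(("https", "%s:%d" % (host, port), path, "", "")), str(session)
```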
Data Expiration
To further mitigate the risk of data leakage, we recommend a cron job that automatically deletes the directories of sessions more than 12 hours old.
Denial of Service
Denial-of-service attacks can succeed by flooding the backend servers on ports 8080, 8081, 800x, etc., with TCP connections and/or CSV input. Such DoS attacks can be mitigated to some extent by adding a service token to the API URL, tied to a previously authenticated and authorized user ID. This service-token strategy has not been implemented in the current API backend.