Threat Model
The following model evaluates the security of MindSafe against common adversary profiles and attack vectors.
1. The “Physical Thief” (High Protection)
- Scenario: Your laptop is stolen while the app is closed.
- Threat: The attacker has full disk access and attempts to read your SQLite database or configuration files.
- MindSafe Defense: Every note is encrypted with XChaCha20-Poly1305, and the Master Key that protects the notes is itself wrapped under a key derived from your master password with Argon2id. The attacker sees only authenticated, high-entropy ciphertext; without the master password it is computationally indistinguishable from random data. This covers data at rest only: a running, unlocked app is Scenario 5.
- Status: Protected.
2. The “Forensic Investigator” (Medium/High Protection)
- Scenario: An attacker gains access to your device and uses forensic tools to scan the RAM or unallocated disk space for remnants of deleted notes.
- Threat: Sensitive data remains in memory after the app is closed or remains on the disk after a note is deleted.
- MindSafe Defense: We utilize Memory Zeroization in Rust: decrypted note bodies and key material live in buffers that are overwritten with zeros as soon as they are dropped, so a RAM capture taken after the app closes or locks finds nothing usable. For disk remnants, the “History” feature only ever writes note versions, including superseded and deleted ones, as ciphertext, so an old block recovered from unallocated space is still ciphertext.
- Status: Protected (limited by OS-level swap, hibernation and crash-dump handling, which can copy process memory to disk outside the application's control).
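The zeroization-on-drop pattern from Scenario 2, as an added example in plain Rust (standard library only). This is illustrative code written for this page, not MindSafe's own implementation; the `SecretBytes` type, the `zeroize` helper and the sample note text are assumptions made here. The key points it shows are that the wipe must use volatile writes (an ordinary `fill(0)` just before a free is a dead store the optimizer may remove), that the buffer must never reallocate (a grown `Vec` leaves the old copy behind), and that `Debug` output must not leak the contents.

```rust
use std::fmt;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Overwrite every byte of `buf` with zero.
/// Plain `buf.fill(0)` on a buffer that is about to be freed is a "dead store"
/// the optimizer may delete; volatile writes plus a compiler fence keep it.
pub fn zeroize(buf: &mut [u8]) {
    for byte in buf.iter_mut() {
        // SAFETY: `byte` is a valid, aligned, exclusively borrowed u8.
        unsafe { ptr::write_volatile(byte, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Owned secret bytes (a master key, a decrypted note body) wiped on drop.
/// Hypothetical type for this example. The backing Vec is allocated once at
/// full size and never grows: growing a Vec reallocates and leaves the old,
/// unwiped copy behind on the heap.
pub struct SecretBytes {
    inner: Vec<u8>,
}

impl SecretBytes {
    /// Take ownership of already-materialised secret bytes.
    pub fn new(bytes: Vec<u8>) -> Self {
        SecretBytes { inner: bytes }
    }

    /// Borrow the secret for the shortest possible scope.
    pub fn expose(&self) -> &[u8] {
        &self.inner
    }

    /// Wipe in place; called by Drop, and callable early (e.g. when the vault locks).
    pub fn wipe(&mut self) {
        zeroize(&mut self.inner);
    }

    /// True once every byte has been overwritten with zero.
    pub fn is_wiped(&self) -> bool {
        self.inner.iter().all(|&b| b == 0)
    }
}

impl Drop for SecretBytes {
    fn drop(&mut self) {
        self.wipe();
    }
}

/// Never let a debug print, log line or panic message leak the contents.
impl fmt::Debug for SecretBytes {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "SecretBytes([REDACTED; {} bytes])", self.inner.len())
    }
}

fn main() {
    // Constructed sample: stand-in for a decrypted note body (36 bytes).
    let mut note = SecretBytes::new(b"meeting notes: rotate API key Friday".to_vec());
    println!("{:?}", note); // SecretBytes([REDACTED; 36 bytes])
    println!("in use: {:?}", std::str::from_utf8(note.expose()).unwrap());
    note.wipe(); // vault locks: wipe now rather than waiting for the drop
    println!("wiped: {}", note.is_wiped());
}
```

Two caveats apply even with this in place: the OS may have paged the buffer to swap or written it to a hibernation or crash-dump file before the wipe ran, and any copy made by a `clone()` or by passing the bytes to a library that keeps its own buffer is outside this type's control. In a real project the `zeroize` crate provides the same primitive with these edge cases already handled.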
3. The “Clipboard Sniffer” (High Protection)
- Scenario: You have a malicious background process or a “free” utility app installed that monitors your system clipboard to steal passwords or private text.
- Threat: Copying a sensitive note to paste it elsewhere exposes the plaintext to the malicious app.
- MindSafe Defense: The Safe Copy feature ensures that the data placed on the clipboard is encrypted. Only a MindSafe-aware paste action can decrypt the content, leaving the “sniffer” with useless ciphertext. The protection covers the clipboard in transit only: once you paste into another application, that application holds the plaintext and is outside MindSafe's control.
- Status: Protected.
4. The “Remote Data Siphoner” (High Protection)
- Scenario: A background process tries to “exfiltrate” (upload) your database to a remote server.
- Threat: Stealthy data theft via the internet.
- MindSafe Defense: MindSafe is built with a Hardened Offline Boundary: the application contains no networking code and links against no network libraries, so MindSafe itself can never be the channel that uploads your data. A separate malicious process can still copy the database files off the device, but it moves only ciphertext (see Scenario 1), so the upload yields nothing without your master password.
- Status: Protected.
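A practitioner will want to verify the "no network libraries" claim rather than take it on trust. The following is an added example, not part of MindSafe, that scans `nm -D` style symbol output for imports that would give a process network access. The watch list of symbol names and prefixes, the `network_imports` function and the two sample symbol dumps are all constructed for this page.

```rust
/// Imported function names that give a process the ability to reach the network.
/// Watch list constructed for this example (POSIX sockets, resolver, TLS/HTTP
/// libraries, Winsock); extend it for your platform before relying on it.
const NETWORK_SYMBOLS: &[&str] = &[
    "socket", "connect", "bind", "listen", "accept", "send", "sendto",
    "recv", "recvfrom", "getaddrinfo", "gethostbyname",
];
const NETWORK_PREFIXES: &[&str] = &["SSL_", "curl_", "WSA"];

/// Scan `nm -D` style output and return the network-capable symbols found.
/// Each line is "[address] <type> <name>[@version]"; the name is the last field.
pub fn network_imports(nm_output: &str) -> Vec<String> {
    let mut hits: Vec<String> = Vec::new();
    for line in nm_output.lines() {
        let name = match line.split_whitespace().last() {
            Some(n) => n,
            None => continue, // blank line
        };
        // Strip the "@GLIBC_2.x" version suffix before comparing.
        let base = name.split('@').next().unwrap_or(name);
        let flagged = NETWORK_SYMBOLS.contains(&base)
            || NETWORK_PREFIXES.iter().any(|p| base.starts_with(p));
        if flagged {
            hits.push(base.to_string());
        }
    }
    hits.sort();
    hits.dedup();
    hits
}

/// Constructed `nm -D --undefined-only` output for an offline-only binary.
pub const SAMPLE_OFFLINE: &str = "U malloc@GLIBC_2.2.5\nU memcpy@GLIBC_2.14\n\
U open64@GLIBC_2.2.5\nU read@GLIBC_2.2.5\nU write@GLIBC_2.2.5\n\
U pthread_create@GLIBC_2.34\n";

/// Constructed output for a binary that can phone home.
pub const SAMPLE_NETWORKED: &str = "U malloc@GLIBC_2.2.5\nU socket@GLIBC_2.2.5\n\
U connect@GLIBC_2.2.5\nU getaddrinfo@GLIBC_2.2.5\nU SSL_connect\n";

fn main() {
    for (label, dump) in [("offline", SAMPLE_OFFLINE), ("networked", SAMPLE_NETWORKED)] {
        let hits = network_imports(dump);
        if hits.is_empty() {
            println!("{label}: no network imports found");
        } else {
            println!("{label}: network imports found: {}", hits.join(", "));
        }
    }
}
```

To run it against a real build, feed it `nm -D --undefined-only ./mindsafe` (or `nm -u` on macOS) and pair it with `ldd ./mindsafe` (`otool -L` on macOS) to confirm that no libssl, libcurl or similar shared object is loaded. A clean result shows the binary cannot open a socket itself; it says nothing about other processes on the host, which is why Scenario 1's encryption at rest remains the real backstop.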
5. The “OS-Level Compromise” (No Protection)
- Scenario: Your operating system is infected with a kernel-level keylogger or a screen recorder.
- Threat: The attacker records your keystrokes as you type your master password or takes screenshots of your decrypted notes while the app is open.
- MindSafe Boundary: No application can fully protect against a compromised host operating system. A kernel-level attacker can read keystrokes, process memory and the screen, so it sees what you see and can also lift the Master Key out of the running process.
- Status: Out of Scope. (Users are advised to maintain OS integrity and use hardware-level security where possible).
6. The “Brute Force / Dictionary Attack” (High Protection)
- Scenario: An attacker uses a supercomputer to guess millions of password combinations per second against your vault.
- Threat: Cracking the master password.
- MindSafe Defense: Argon2id is a memory-hard function: every guess forces the attacker to spend a configured amount of RAM and time, which defeats the massive parallelism of GPU and ASIC crackers and makes large-scale brute force economically and computationally unfeasible. The protection scales with password strength: Argon2id raises the cost of each guess, but a short or dictionary password still falls to a small number of guesses, so use a long, unique passphrase.
- Status: Protected.