This is an automated email from the ASF dual-hosted git repository.

chaokunyang pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/fory.git


The following commit(s) were added to refs/heads/main by this push:
     new b7aa2200b docs: add threat model + SECURITY.md/AGENTS.md 
discoverability (#3734)
b7aa2200b is described below

commit b7aa2200b5a8ab025ac8e70d1bccd5bd8b788e5a
Author: Jarek Potiuk <[email protected]>
AuthorDate: Sat Jun 20 21:34:42 2026 -0400

    docs: add threat model + SECURITY.md/AGENTS.md discoverability (#3734)
    
    ## What this is
    
    A **draft threat model** for Apache Fory, proposed by the ASF Security
    team for the Fory PMC to review, correct, or reject. It is a starting
    point for discussion, not a finished document.
    
    This PR:
    - adds `THREAT_MODEL.md` — the draft model, following the [ASF Security
    threat-model
    rubric](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573);
    - adds `SECURITY.md` — a short security policy that links the threat
    model;
    - appends a `## Security` section to `AGENTS.md`, so the chain
    `AGENTS.md → SECURITY.md → THREAT_MODEL.md` is mechanically discoverable
    by automated security scanners.
    
    ## How to read it
    
    Every claim is provenance-tagged: *(documented)* (from Fory's own
    docs/repo), *(inferred)* (reasoned from the architecture, **not yet
    confirmed**), *(maintainer)* (confirmed by the PMC). This v0 is ~20
    documented / ~26 inferred. The **§14 Open questions** section collects
    every inferred claim into waves for the PMC to confirm or correct — that
    is where review time is best spent. The highest-impact ones:
    
    - whether "under the default `requireClassRegistration(true)`, only
    registered types are instantiated from untrusted bytes" is a committed
    property, and whether findings that require
    `requireClassRegistration(false)` are out-of-model / non-default (wave
    1);
    - per-language memory safety on malformed input — in particular the C++
    decoder (wave 2);
    - the cross-language (xlang) peer-trust assumption and the resource/DoS
    line beyond `maxDepth` (waves 2).
    
    Nothing here is a requirement — the model is for the PMC to own. Comment
    inline, edit the branch, or reply on the email thread.
    
    ## AI Usage Disclosure
    
    - **Substantial AI assistance: yes.**
    - **What:** `THREAT_MODEL.md` was drafted by the ASF Security team's
    threat-model tooling (Claude) from Apache Fory's public documentation
    and repository, following the Scovetta rubric. `SECURITY.md` and the
    `AGENTS.md` Security section are templated scaffolding.
    - **Review model:** the document is deliberately presented as a *draft
    for line-by-line maintainer review* — every claim carries a provenance
    tag, and all unverified *(inferred)* claims are surfaced as explicit
    open questions (§14) for the PMC to ratify, correct, or strike. It is
    not offered as finished or authoritative content.
    - **Provenance / licensing:** content is original to this engagement,
    carries the ASF license header, and is intended to comply with the [ASF
    Generative Tooling
    Guidance](https://www.apache.org/legal/generative-tooling.html).
    
    ---------
    
    Co-authored-by: chaokunyang <[email protected]>
---
 AGENTS.md                        | 11 +++++
 SECURITY.md                      | 31 +++++++++++++
 docs/README.md                   |  3 +-
 docs/security/deserialization.md | 37 +++++++++++++++-
 docs/security/index.md           | 14 ++++--
 docs/security/threat-model.md    | 95 ++++++++++++++++++++++++++++++++++++++++
 6 files changed, 185 insertions(+), 6 deletions(-)

diff --git a/AGENTS.md b/AGENTS.md
index 830db1f56..a1d207b6a 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -9,6 +9,9 @@ This is the entry point for AI guidance in Apache Fory. Read 
this file first, th
 - `.agents/docs-and-formatting.md`: documentation, specification, and markdown 
rules.
 - `.agents/ci-and-pr.md`: CI triage, PR expectations, and commit conventions.
 - `.agents/testing/integration-tests.md`: `integration_tests/` prerequisites, 
regeneration rules, and commands.
+- `docs/security/index.md`: security model index.
+- `docs/security/threat-model.md`: project-level trust boundaries, non-goals,
+  and downstream responsibilities.
 - `docs/security/deserialization.md`: security boundaries for untrusted 
deserialization classification.
 - `.agents/languages/java.md`
 - `.agents/languages/csharp.md`
@@ -183,3 +186,11 @@ This is the entry point for AI guidance in Apache Fory. 
Read this file first, th
 - PR titles must follow Conventional Commits; `.github/workflows/pr-lint.yml` 
enforces this.
 - Performance changes should use the `perf` type and include benchmark data.
 - See `.agents/ci-and-pr.md` for GitHub CLI triage commands and commit message 
examples.
+
+## Security
+
+Security models start at `docs/security/index.md`. Read
+`docs/security/threat-model.md` for project-level trust boundaries, non-goals,
+and downstream responsibilities. For untrusted deserialization, read
+`docs/security/deserialization.md` before reporting or changing allocation,
+stream filling, skip, reference, metadata, or policy validation behavior.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..321a1673a
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,31 @@
+<!--
+SPDX-License-Identifier: Apache-2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+# Security Policy
+
+## Reporting a Vulnerability
+
+`apache/fory` follows the [Apache Software Foundation security 
process](https://www.apache.org/security/). Please report suspected
+vulnerabilities privately to `[email protected]`; do not open public
+GitHub issues or pull requests for security reports.
+
+## Security Models
+
+Apache Fory security models are documented under
+[docs/security](docs/security/index.md). Start with the
+[project threat model](docs/security/threat-model.md); for detailed untrusted
+deserialization classification rules, see the
+[deserialization security model](docs/security/deserialization.md).
diff --git a/docs/README.md b/docs/README.md
index 27500ed94..15d039336 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -10,7 +10,8 @@
   [Kotlin](guide/kotlin/index.md) guides.
 - For row format, see the [row format spec](specification/row_format_spec.md).
 - For using Apache Fory™ with GraalVM native image, see [graalvm 
support](guide/java/graalvm-support.md) doc.
-- For deserialization security boundaries, see the [security 
model](security/deserialization.md).
+- For security models and deserialization boundaries, see the
+  [security docs](security/index.md).
 
 ## Fory IDL Schema
 
diff --git a/docs/security/deserialization.md b/docs/security/deserialization.md
index 041610b29..97d47b981 100644
--- a/docs/security/deserialization.md
+++ b/docs/security/deserialization.md
@@ -1,6 +1,6 @@
 ---
 title: Deserialization Security Model
-sidebar_position: 2
+sidebar_position: 3
 ---
 
 This document defines the security model for Apache Fory deserialization. It is
@@ -52,6 +52,41 @@ Fory security boundaries do not include:
   shape, unless rejecting other shapes is an explicit owner policy or protects
   one of the boundaries above.
 
+## Type And Class Policy
+
+Type, class, function, method, registration, and deserialization policies are
+security boundaries when they are intended to restrict what untrusted bytes may
+materialize.
+
+For untrusted data, a bypass is security-relevant when encoded bytes can
+materialize a type, function, method, class, or dynamic object that the active
+Fory policy should reject. This includes bypasses of class or type
+registration, allow-list checkers, strict-mode checks, or language-specific
+deserialization policies.
+
+Disabling registration or dynamic-type checks for trusted data is a caller
+configuration choice. That choice only removes the arbitrary-type 
materialization
+claim provided by that policy; it does not remove Fory's runtime-safety,
+resource, cleanup, retained-state, or no-progress-loop requirements for
+untrusted deserialization paths.
+
+Fory is not a sandbox for application-owned types. If a registered type or
+serializer is allowed by the active policy, the application owns whether that
+type's construction, hooks, setters, finalizers, or other logic is safe for the
+application's trust boundary.
+
+## Depth And Progress
+
+Deserialization paths that recurse through objects, metadata, containers, or
+references should enforce the runtime's configured depth limit before crafted
+nesting can exhaust the call stack or bypass cleanup. A malformed input that
+exceeds the configured depth should fail the root operation instead of
+continuing unbounded recursion.
+
+Loops that consume encoded data should guarantee byte progress, logical
+progress, or a terminal error. Inputs that can keep a reader in a no-progress
+loop are security-relevant even when they do not allocate memory.
+
 ## Security Invariants
 
 Deserialization code must prevent the following outcomes for untrusted input:
diff --git a/docs/security/index.md b/docs/security/index.md
index c75b58353..66f8cc7e5 100644
--- a/docs/security/index.md
+++ b/docs/security/index.md
@@ -3,9 +3,9 @@ title: Security
 sidebar_position: 1
 ---
 
-This directory documents Apache Fory security models and security invariants.
-It is not a vulnerability disclosure area and does not list CVE details,
-exploit samples, issue timelines, or implementation history.
+This directory documents Apache Fory security models and security invariants. 
It
+is not a vulnerability disclosure area and does not list CVE details, exploit
+samples, issue timelines, or implementation history.
 
 Security model documents describe how Fory should classify and prevent security
 risks while preserving the performance characteristics expected from Fory
@@ -13,4 +13,10 @@ serialization runtimes.
 
 ## Models
 
-- [Deserialization Security Model](deserialization.md)
+- [Threat Model](threat-model.md): project-level trust boundaries, non-goals,
+  and downstream responsibilities.
+- [Deserialization Security Model](deserialization.md): concrete rules for
+  classifying and preventing untrusted deserialization risks.
+
+For vulnerability reporting, see the repository
+[security policy](../../SECURITY.md).
diff --git a/docs/security/threat-model.md b/docs/security/threat-model.md
new file mode 100644
index 000000000..5fea13505
--- /dev/null
+++ b/docs/security/threat-model.md
@@ -0,0 +1,95 @@
+---
+title: Threat Model
+sidebar_position: 2
+---
+
+This document describes Apache Fory's project-level security boundaries and
+non-goals. It is the high-level entry point for Fory security models; concrete
+untrusted deserialization classification rules live in the
+[deserialization security model](deserialization.md).
+
+Fory is an in-process serialization library. Applications link Fory into their
+own process, configure serializers and type policies, and call Fory APIs to
+serialize application-owned objects or deserialize encoded Fory data. Fory does
+not provide a standalone network service, daemon, authentication system, or
+transport protocol.
+
+Fory can generate service companions for application-provided gRPC runtimes.
+Those companions provide Fory serialization for request and response objects;
+the application and gRPC stack still own listeners, channels, credentials,
+authentication, authorization, deadlines, retries, and transport lifecycle.
+
+## Trust Boundaries
+
+Fory's primary security boundary is encoded bytes or streams passed to
+deserialization APIs from untrusted or partially trusted sources. The embedding
+application owns where those bytes come from and which Fory configuration,
+registered types, schemas, and policies are used to read them.
+
+The adversary model for untrusted deserialization is a sender that can craft
+encoded bytes or stream behavior presented to a Fory read API. It does not 
assume
+the sender can change the embedding application's Fory configuration, 
registered
+type set, `TypeChecker` or equivalent allow-list policy, schema definitions,
+classloader, or other active policy objects unless the application itself 
exposes
+those controls.
+
+Fory security boundaries include:
+
+- Runtime safety, including avoiding crashes, panics, undefined behavior, and
+  out-of-bounds memory access.
+- Resource ownership, including memory, CPU progress, stream buffers, native
+  allocations, callbacks, and retained read-side state.
+- Explicit Fory policy checks, such as class, type, function, method,
+  registration, or deserialization policies that restrict what may be
+  materialized.
+- Cleanup boundaries, where state created during a failed root operation must
+  not leak into later operations.
+
+Runtime serializer code generation and JIT compilation are not paths for
+executing encoded input. They operate on types and schemas after the active
+registration check, `TypeChecker`, schema check, or policy check has accepted 
the
+type surface. When class registration is disabled, `TypeChecker` or an
+equivalent allow-list policy is the relevant gate. Generated serializer code is
+derived from checked type descriptors rather than from attacker-controlled byte
+contents.
+
+The [deserialization security model](deserialization.md) defines how to
+classify these boundaries for untrusted deserialization paths.
+
+## Non-Goals
+
+Fory does not provide:
+
+- Encoded-data authenticity, integrity, confidentiality, signing, MACs, or
+  encryption.
+- Transport security or protection for bytes while they are stored or moved
+  outside Fory, including transport security for generated service companions.
+- Application-level authorization or validation for the business meaning of a
+  successfully deserialized value.
+- A sandbox for user-registered classes, functions, constructors, setters,
+  finalizers, or other application-owned logic.
+
+Applications that receive Fory data from untrusted sources should authenticate
+or integrity-check those bytes before passing them to Fory when authenticity or
+tamper resistance matters.
+
+## Downstream Responsibilities
+
+Applications are responsible for:
+
+- Choosing whether a byte source is trusted enough for the configured
+  deserialization mode.
+- Keeping class or type registration enabled for untrusted data unless another
+  explicit Fory policy owns the accepted type surface.
+- Registering only types and serializers that are safe for the application's
+  trust boundary.
+- Configuring depth and resource limits for the largest data shape the
+  application intends to accept.
+- Treating cross-language peers and schemas as part of the application's trust
+  relationship.
+
+Disabling registration or using dynamic deserialization on trusted data is a
+configuration choice. For untrusted data, bypassing an explicit Fory policy,
+crashing, leaking resources, retaining attacker-controlled state, or allocating
+disproportionately remains security-relevant as described in the
+[deserialization security model](deserialization.md).


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to