security: document threat model.

SECURITY.md

@@ -86,7 +86,9 @@ detect issues during their execution on ClusterFuzz. A soak period of 5 days pro
 guarantee, since we will invoke the security release process for medium or higher severity issues
 for these older bugs.
 
-### Confidentiality, integrity and availability
+### Threat model
+
+#### Confidentiality, integrity and availability
 
 We consider vulnerabilities leading to the compromise of data confidentiality or integrity to be our
 highest priority concerns. Availability, in particular in areas relating to DoS and resource
@@ -110,6 +112,52 @@ time, we will work towards improved safe-by-default configuration, but due to ba
 compatibility and performance concerns, this will require following the breaking change deprecation
 policy.
 
+#### Core and extensions
+
+Anything in the Envoy core may be used in both untrusted and trusted deployments. As a consequence,
+it should be hardened with this model in mind.  Security issues related to core code will usually
+trigger the security release process as described in this document.
+
+Some [extensions](EXTENSION_POLICY.md) are also widely used and deserve the same treatment as core.
+Examples include HTTP connection manager, TCP proxy, buffer filter, router filter, CORS, dynamic
+forward proxy, anything intended to enforce access control policies (RBAC, external authorization)
+and all transport socket extensions.
+
+Other extensions are only expected to be used in trusted environments today.  These include, but are
+not limited to most non-HTTP network filters (e.g.  Thrift, Dynamo, Mongo, Redis, Kafka, Dubbo,
+Zookeeper, MySQL), HTTP inspector and Squash. We will not treat any issues in these extensions
+as warranting invocation of the security release process.
+
+Envoy currently has two dynamic filter extensions that support loadable code; WASM and Lua. In both
+cases, we assume that the dynamically loaded code is trusted. We expect the runtime for Lua to be
+robust to untrusted data plane traffic with the assumption of a trusted script. WASM is still in
+development, but will eventually have a similar security stance.
+
+Please consult the PST if you have questions on which extensions are considered safe to use in the
+presence of untrusted traffic.
+
+#### Data and control plane
+
+We divide our threat model into data and control plane, reflecting the internal division in Envoy of
+these concepts from an architectural perspective. Our highest priority in risk assessment is the
+threat posed by untrusted downstream client traffic on the data plane. This reflects the use of
+Envoy in an edge serving capacity and also the use of Envoy as an inbound destination in a service
+mesh deployment.
+
+In addition, we have an evolving position towards any vulnerability that might be exploitable by
+untrusted upstreams. We recognize that these constitute a serious security consideration, given the
+use of Envoy as an egress proxy. We will activate the security release process for disclosures that
+appear to present a risk profile that is significantly greater than the current Envoy upstream
+hardening status quo.
+
+The control plane management server is generally trusted. We do not consider wire-level exploits
+against the xDS transport protocol to be a concern as a result. However, the configuration delivered
+to Envoy over xDS may originate from untrusted sources and may not be fully sanitized. An example of
+this might be a service operator that hosts multiple tenants on an Envoy, where tenants may specify
+a regular expression on a header match in `RouteConfiguration`. In this case, we expect that Envoy
+is resilient against the risks posed by malicious configuration from a confidentiality, integrity
+and availability perspective, as described above.
+
 ### Fix Team Organization
 
 These steps should be completed within the first 24 hours of disclosure.

bazel/envoy_build_system.bzl

@@ -6,6 +6,7 @@ load(":envoy_internal.bzl", "envoy_external_dep_path")
 load(
     ":envoy_library.bzl",
     _envoy_basic_cc_library = "envoy_basic_cc_library",
+    _envoy_cc_extension = "envoy_cc_extension",
     _envoy_cc_library = "envoy_cc_library",
     _envoy_cc_posix_library = "envoy_cc_posix_library",
     _envoy_cc_win32_library = "envoy_cc_win32_library",
@@ -171,6 +172,7 @@ envoy_cc_binary = _envoy_cc_binary
 
 # Library wrappers (from envoy_library.bzl)
 envoy_basic_cc_library = _envoy_basic_cc_library
+envoy_cc_extension = _envoy_cc_extension
 envoy_cc_library = _envoy_cc_library
 envoy_cc_posix_library = _envoy_cc_posix_library
 envoy_cc_win32_library = _envoy_cc_win32_library

bazel/envoy_library.bzl

@@ -29,6 +29,25 @@ def envoy_basic_cc_library(name, deps = [], external_deps = [], **kargs):
         **kargs
     )
 
+# All Envoy extensions must be tagged with their security hardening stance with
+# respect to downstream and upstream data plane threats. These are verbose
+# labels intended to make clear the trust that operators may place in
+# extensions.
+EXTENSION_SECURITY_POSTURES = [
+    "robust_to_untrusted_downstream",
+    "robust_to_untrusted_upstream",
+    "robust_to_untrusted_upstream_and_upstream",
+    "requires_trusted_downstream_and_upstream",
+]
+
+def envoy_cc_extension(
+        name,
+        security_posture,
+        **kwargs):
+    if security_posture not in EXTENSION_SECURITY_POSTURES:
+        fail("Unknown extension security posture: " + security_posture)
+    envoy_cc_library(name, **kwargs)
+
 # Envoy C++ library targets should be specified with this function.
 def envoy_cc_library(
         name,

source/extensions/filters/network/http_connection_manager/BUILD

@@ -6,14 +6,15 @@ licenses(["notice"])  # Apache 2
 
 load(
     "//bazel:envoy_build_system.bzl",
-    "envoy_cc_library",
+    "envoy_cc_extension",
     "envoy_package",
 )
 
 envoy_package()
 
-envoy_cc_library(
+envoy_cc_extension(
     name = "config",
+    security_posture = "robust_to_untrusted_upstream_and_upstream",
     srcs = ["config.cc"],
     hdrs = ["config.h"],
     deps = [

source/extensions/filters/network/kafka/BUILD

@@ -5,6 +5,7 @@ licenses(["notice"])  # Apache 2
 
 load(
     "//bazel:envoy_build_system.bzl",
+    "envoy_cc_extension",
     "envoy_cc_library",
     "envoy_package",
 )
@@ -22,8 +23,9 @@ envoy_cc_library(
     ],
 )
 
-envoy_cc_library(
+envoy_cc_extension(
     name = "kafka_request_codec_lib",
+    security_posture = "requires_trusted_downstream_and_upstream",
     srcs = ["request_codec.cc"],
     hdrs = [
         "request_codec.h",