SSM-Clock Stamp – Threat Scenarios & Attacker Playbook (6.2)

Purpose. Map realistic threats to Shunyaya Symbolic Mathematical Clock Stamp and show how each is detected or mitigated — deterministic, plain ASCII.

6.2.1 Byte-level file tamper

Attempt: modify original bytes after stamping.
Effect: h' != h_file.
Detection: HASH_OK=false via h' = H_algo(file_bytes).
Mitigation: verify before use; store golden copies; WORM storage.

6.2.2 Sidecar edit (stamp forgery)

Attempt: change iso_utc, rasi_idx, theta_deg, or chain.
Effect: clock or chain disagrees.
Detection:
- Clock: wrap360(x) = x - 360*floor(x/360) → theta'_deg, rasi'_idx = floor(theta'_deg/30); mismatch ⇒ CLOCK_OK=false.
- Chain rewalk: chain_k ?= H_chain( ascii(chain_{k-1} + "|" + stamp_core_k) ).
Mitigation: periodic rewalks; anchor daily.

6.2.3 Backdating (pick a convenient `iso_utc`)

Attempt: choose past UTC to influence theta_deg/rasi_idx.
Effect: without anchors, “not-before” unprovable.
Detection: differences vs prior anchors/witnesses.
Mitigation: publish daily anchors; bound window: max_backdating_window_sec <= anchor_period_sec.

6.2.4 Ledger deletion/reorder

Attempt: remove/swap rows in history.
Effect: recurrence breaks at first affected link.
Detection: rewalk fails at row k.
Mitigation: rebuild from sidecars starting chain_0 = "0"*64; use versioned/WORM storage.

6.2.5 Chain fork (alternate history)

Attempt: restart chain from an earlier tip.
Effect: diverges from witness_chain_tip and past rollup_D.
Detection: mismatch to published witnesses/anchors.
Mitigation: publish witness_chain_tip=<64-hex> in the daily note.

6.2.6 Orphan sidecar

Attempt: delete file, keep sidecar.
Effect: cannot recompute h'.
Detection: report orphan; no hash verdict.
Mitigation: backups; treat as audit red flag.

6.2.7 Stamp replay to another file

Attempt: reuse a sidecar on a different file.
Effect: H_algo(file_bytes) differs from recorded sha256(file).
Detection: HASH_OK=false.
Mitigation: none beyond verification (by design path-independent).

6.2.8 Precision/locale drift

Attempt: non-canonical float print or locale decimal.
Effect: theta_deg string mismatch.
Detection: fixed-digit, half-even compare fails.
Mitigation: print with exactly theta_prec digits (default 5), IEEE-754 binary64, decimal . only.

6.2.9 Timezone or skew encoding

Attempt: embed offsets or local time.
Effect: parse or clock mismatch.
Detection: require iso_utc = "YYYY-MM-DDThh:mm:ssZ" (UTC only).
Mitigation: emit strict Z; reject offsets/subseconds.

6.2.10 Hash preimage/collision games

Attempt: exploit digest weaknesses.
Effect: impractical under chosen sets; future risks exist.
Detection/Mitigation: move via kv:algo/kv:chain_algo ∈ {sha256, sha3_256, blake2b-256}; anchors stay sha256 on ASCII-join.

6.2.11 Anchor manipulation (subset/order)

Attempt: anchor a subset or wrong order.
Effect: recomputation detects mismatch.
Detection: canonical order (iso_utc, stamp_core, chain), join with |, compare rollup_D.
Mitigation: publish count=n; require parity ledger↔sidecars.

6.2.12 Malicious “resync”

Attempt: rebuild ledger to alter history.
Effect: must also rewrite sidecars; prior anchors will fail.
Detection: recomputed rollup_D' vs historical notes; witness_chain_tip mismatch.
Mitigation: treat anchors as immutable; keep sidecars read-only.

6.2.13 Non-ASCII/Unicode injection

Attempt: insert non-ASCII characters.
Effect: cross-platform parse/hash drift.
Detection: verifiers enforce ascii(...); reject others.
Mitigation: stick to 7-bit ASCII; avoid typographic quotes/dashes.

Takeaway (single line).
SSMCLOCK1|iso_utc|rasi_idx|theta_deg|sha256(file)|chain + chain_k = H_chain( ascii(chain_{k-1} + "|" + stamp_core) ) makes local tampering obvious; rollup_D = sha256( ascii(Stamp_1 "|" ... "|" Stamp_n) ) turns sets into public “no-later-than” claims.

Navigation
Back: SSM-Clock Stamp – Security Guarantees & Non-Guarantees (6.1)
Next: SSM-Clock Stamp – Hardening Options (6.3)