COMP6236 2023
Assignment 3: Threat modelling for Privacy and Security
This assignment is divided into three tasks that progressively increase in length and mark
allocation. The three tasks are independent of each other and there is no overall length or
word count limits as this is coursework. However, a good rule of thumb would be to target
one paragraph for task one and two for task two. Task three is longer.
Notes
The following notes are intended to highlight some common ”gotchas”.
1. For each task, please stick to the requirements provided.
2. The edges of a graph can provide information about the nodes they connect to, especially if the
graph includes more than one type of edge.
3. For task two, remember that LINDDUN is prescriptive in its mapping and mitigation.
4. For task three we are expecting two DFDs of the same system, one at level 0 and one at level 1. It
must be clear how these relate to each other and that they are of the same system.
5. For task three, please review the examples provided in the STRIDE slide deck, as well as the
discussion around the meaning of DFD elements.
6. For task three, keep to system elements explicitly named in the scenario and remember that data
flows are also elements of the system and can be included in the seven you choose.
Marks Breakdown
Task 1 Five marks, consisting of:
2 Marks: For explaining non-repudiation.
3 Marks: For contrasting security and privacy concerns.
Task 2 Ten marks, consisting of:
3 Marks: For contrasting L df2 to L df3.
2 Marks: For explaining inter-tree and inter-model links.
5 Marks: For challenge description and mitigation(s).
Task 3 Twenty-five marks, consisting of:
10 Marks: For DFDs and DFD elements.
15 Marks: For threat identification and discussion/mitigation of seven threats.
That is three marks for a glaring security error and 2 marks for the other six.
Submission Instructions
Please use the template provided and submit using Turnitin on the module blackboard page at this link.
(You should be able to see the “Assignments” tab on the left panel)
1
Deadline
The coursework deadline is on 19-05-2023 at 16:00. Note that late submissions will be penalised using
the standard University rules (10% per working day) and that no work will be accepted that is more
than five days late.
Purpose of this coursework
The coursework maps to the following aims and objectives of COMP6236:
Knowledge and Understanding
A1. Common issues affecting the security of software systems
Subject-specific Intellectual and Research Skills
B1. Describe specific methods for exploiting software systems
Subject-specific Practical Skills
D1. Identify security weaknesses in software systems and applications
Academic Integrity
This coursework is an individual piece of work and the usual rules regarding individual coursework and
academic integrity apply. In particular, please note the University Academic Integrity Regulations. All
the reports will be checked for plagiarism by scanning them in Turnitin.
Marking Criteria
Your submission will be marked out of 40. The following criteria will be used.
Task Criteria Marking Scheme
Task 1
Ability to differentiate between
privacy and security-focused
threat analysis.
Up to 5 marks are awarded for
describing non-repudiation and
the contradictory positions held
by LINDDUN and STRIDE.
Task 2
Ability to navigate the LIND-
DUN threat tree.
Up to 10 marks are awarded for
describing key features and ap-
plying a second set of features.
Task 3
Ability to conduct STRIDE-
based threat modelling.
Up to 25 marks are awarded
building and asessing a threat
model at two levels of granual-
rity.
Marks calculation
This coursework counts for 40%
of the module mark.
File format
Submitted file is in PDF format,
the report is compliant with the
provided template. If the format
is not PDF, a 5 marks penalty
will be applied. If the report is
corrupted or cannot be opened,
0 mark will be awarded for the
coursework.
2
Task1 - Non-repudiation
Both STRIDE and LINDDUN directly address the concept of non-repudiation.
1. Explain briefly what non-repudiation is and why it is important.
2. Then explain how both STRIDE and LINDDUN view non-repudiation and why it’s different.
Task 2 - Linkability in LINDDUN
The threat tree included below is for the Linkability of data flows (L df).
1. Describe the similarities and differences between L df2 and L df3.
2. Most of the nodes on this threat tree are squares, but there is also a blue hexagon and a red circle.
Describe the functions of both the blue hexagon and the red circle.
Consider the following hypothetical. A new mobile payment system is currently in the design phase and
based on the excessive collection of personal data by the system and the transmission of that data to
data processors, you have determined that there is a significant threat under L df1 specifically.
1. Given that this is in the design phase, work from L df1 to the Mitigation strategies Taxonomy to
map strategies to threats and suggest four remedial actions.
2. Based on the previous, suggest a LINDDUN-linked Privacy Enhancing Technology (PET) that can
be deployed here.
Figure 1: Linkability of data flows on LINDDUN
3
Task 3 - STRIDE threat modelling
Scenario
A multinational conglomerate, Ecorp LLC, is currently designing a new fitness tracker and associated
smartphone app. Neither exists yet but the intended functionality is fairly typical for consumer smart
electronics. The fitness tracker is a watch-style device which records the wearer’s activity including walk-
ing, running, and cycling, but nothing else. This information is then passed via BlueTooth connection
to an associated smartphone hosting the device control app. The fitness tracker can only connect via
BlueTooth to the smartphone and has no other connections. The smartphone on the other hand can be
any modern smartphone and will therefore support mobile data, wifi, and BlueTooth.
The device control app is downloaded from an app store, installed on the user’s smartphone as normal,
and therefore shares the smartphone’s storage with other apps. The app store’s IP address is of the form
https://**.**.**.**. The device control app has read-and-write access to the smartphone’s data store
and by default asks for access to the user’s photos, location data, and crash reporting from the phone.
When the user installs the device control app they are prompted to create an account where they provide
personal details and also get credentials to log into both the app and the Ecorp website. The website’s
IP address is of the form https://**.**.**.**. During this process, the users are told that crash reports
are collected but no specifics are given. In practice, the Ecorp device control app includes the crashlytics
crash reporting and tracking app from Google. All crash reports are sent to a server in the United States
and its IP address is of the form https://**.**.**.**. Lastly, daily updates from the control app to the
Ecorp database are sent to a server with an IP address in the form http://**.**.**.**. These updates
use the POST method and contain two strings, the first is encrypted and can not be read while the
second is in clear text and is as follows: ”DEV-ID: 00:24:E4:FF:FF:FF”
Instructions
Please use the principles of STRIDE to prepare Data Flow Diagrams (DFDs) and threat analysis for the
scenario presented above. Use the MS Threat Modelling Tool or any other appropriate tool, to develop
your DFDs. Also, if you are using a tool that does not support double lines for a complex process that
is acceptable as long as your numbering from lvl 0 to lvl 1 is consistent.
1. Create two DFDs, one each for level 0 and level 1 of the scenario.
2. Provide a description of each node on the two DFDs and why you included it.
3. Map the appropriate threats to seven vulnerable DFD elements and propose mitigation(s) for
each. These are the seven elements with the most urgent issues according to you.
4. Do not use the automated analysis features of the MS Threat Modelling Tool or any other such
tool. Only use tooling to prepare the DFD, but not to perform analysis since some of the assump-
tions underlying such tooling would not be appropriate for the work presented here.
5. This is a STRIDE-only exercise, please do not reference LINDDUN here.