
Posted: 2023-05-17 08:31

COMP6236 2023

Assignment 3: Threat modelling for Privacy and Security

This assignment is divided into three tasks that progressively increase in length and mark allocation. The three tasks are independent of each other and there are no overall length or word-count limits, as this is coursework. However, a good rule of thumb would be to target one paragraph for task one and two for task two. Task three is longer.

Notes

The following notes are intended to highlight some common "gotchas".

1. For each task, please stick to the requirements provided.

2. The edges of a graph can provide information about the nodes they connect to, especially if the graph includes more than one type of edge.

3. For task two, remember that LINDDUN is prescriptive in its mapping and mitigation.

4. For task three we are expecting two DFDs of the same system, one at level 0 and one at level 1. It must be clear how these relate to each other and that they are of the same system.

5. For task three, please review the examples provided in the STRIDE slide deck, as well as the discussion around the meaning of DFD elements.

6. For task three, keep to system elements explicitly named in the scenario and remember that data flows are also elements of the system and can be included in the seven you choose.

Marks Breakdown

Task 1: Five marks, consisting of:

2 Marks: For explaining non-repudiation.

3 Marks: For contrasting security and privacy concerns.

Task 2: Ten marks, consisting of:

3 Marks: For contrasting L_df2 with L_df3.

2 Marks: For explaining inter-tree and inter-model links.

5 Marks: For the challenge description and mitigation(s).

Task 3: Twenty-five marks, consisting of:

10 Marks: For the DFDs and DFD elements.

15 Marks: For threat identification and discussion/mitigation of seven threats. That is, three marks for the glaring security error and two marks for each of the other six.

Submission Instructions

Please use the template provided and submit using Turnitin on the module Blackboard page at this link. (You should be able to see the "Assignments" tab on the left panel.)


Deadline

The coursework deadline is on 19-05-2023 at 16:00. Note that late submissions will be penalised using the standard University rules (10% per working day) and that no work will be accepted that is more than five days late.

Purpose of this coursework

The coursework maps to the following aims and objectives of COMP6236:

Knowledge and Understanding

A1. Common issues affecting the security of software systems

Subject-specific Intellectual and Research Skills

B1. Describe specific methods for exploiting software systems

Subject-specific Practical Skills

D1. Identify security weaknesses in software systems and applications

Academic Integrity

This coursework is an individual piece of work and the usual rules regarding individual coursework and academic integrity apply. In particular, please note the University Academic Integrity Regulations. All the reports will be checked for plagiarism by scanning them in Turnitin.

Marking Criteria

Your submission will be marked out of 40. The following criteria will be used.

Task 1
  Criteria: Ability to differentiate between privacy-focused and security-focused threat analysis.
  Marking scheme: Up to 5 marks are awarded for describing non-repudiation and the contradictory positions held by LINDDUN and STRIDE.

Task 2
  Criteria: Ability to navigate the LINDDUN threat tree.
  Marking scheme: Up to 10 marks are awarded for describing key features and applying a second set of features.

Task 3
  Criteria: Ability to conduct STRIDE-based threat modelling.
  Marking scheme: Up to 25 marks are awarded for building and assessing a threat model at two levels of granularity.

Marks calculation: This coursework counts for 40% of the module mark.

File format: The submitted file must be in PDF format and the report must be compliant with the provided template. If the format is not PDF, a 5-mark penalty will be applied. If the report is corrupted or cannot be opened, 0 marks will be awarded for the coursework.


Task 1 - Non-repudiation

Both STRIDE and LINDDUN directly address the concept of non-repudiation.

1. Explain briefly what non-repudiation is and why it is important.

2. Then explain how STRIDE and LINDDUN each view non-repudiation and why their views differ.

Task 2 - Linkability in LINDDUN

The threat tree included below is for the Linkability of data flows (L_df).

1. Describe the similarities and differences between L_df2 and L_df3.

2. Most of the nodes on this threat tree are squares, but there is also a blue hexagon and a red circle. Describe the functions of both the blue hexagon and the red circle.

Consider the following hypothetical scenario. A new mobile payment system is currently in the design phase and, based on the excessive collection of personal data by the system and the transmission of that data to data processors, you have determined that there is a significant threat under L_df1 specifically.

1. Given that this is in the design phase, work from L_df1 to the mitigation strategies taxonomy to map strategies to threats and suggest four remedial actions.

2. Based on the previous, suggest a LINDDUN-linked Privacy Enhancing Technology (PET) that can be deployed here.

Figure 1: Linkability of data flows on LINDDUN


Task 3 - STRIDE threat modelling

Scenario

A multinational conglomerate, Ecorp LLC, is currently designing a new fitness tracker and associated smartphone app. Neither exists yet but the intended functionality is fairly typical for consumer smart electronics. The fitness tracker is a watch-style device which records the wearer's activity, including walking, running, and cycling, but nothing else. This information is then passed via a Bluetooth connection to an associated smartphone hosting the device control app. The fitness tracker can only connect via Bluetooth to the smartphone and has no other connections. The smartphone, on the other hand, can be any modern smartphone and will therefore support mobile data, Wi-Fi, and Bluetooth.

The device control app is downloaded from an app store, installed on the user's smartphone as normal, and therefore shares the smartphone's storage with other apps. The app store's IP address is of the form https://**.**.**.**. The device control app has read-and-write access to the smartphone's data store and by default asks for access to the user's photos, location data, and crash reporting from the phone.

When the user installs the device control app they are prompted to create an account where they provide personal details and also get credentials to log into both the app and the Ecorp website. The website's IP address is of the form https://**.**.**.**. During this process, the users are told that crash reports are collected but no specifics are given. In practice, the Ecorp device control app includes the Crashlytics crash reporting and tracking SDK from Google. All crash reports are sent to a server in the United States and its IP address is of the form https://**.**.**.**. Lastly, daily updates from the control app to the Ecorp database are sent to a server with an IP address of the form http://**.**.**.**. These updates use the POST method and contain two strings: the first is encrypted and cannot be read, while the second is in clear text and is as follows: "DEV-ID: 00:24:E4:FF:FF:FF".
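As an added example, not part of the assignment brief, the following Python models what a passive observer on the network path can read from the daily update described above, and why the cleartext second string matters: because DEV-ID is a stable identifier sent unencrypted over http://, every daily update from one device can be linked to the others even though the first string is encrypted. Only the payload shape (an opaque string followed by "DEV-ID: ..." in clear) and the http:// endpoint come from the scenario; the HTTP body framing, the sample captures, the dates and the second device identifier are constructed for this example, and the treatment of the https:// endpoints is a deliberate simplification used for contrast.

```python
import re
from collections import defaultdict

# Shape of the cleartext second string from the scenario: "DEV-ID: 00:24:E4:FF:FF:FF"
DEV_ID_RE = re.compile(r"^DEV-ID:\s*((?:[0-9A-F]{2}:){5}[0-9A-F]{2})$", re.I)


def parse_update(body):
    """Split the two-string POST body into the opaque first string and the cleartext DEV-ID."""
    first, _, second = body.partition("\n")
    m = DEV_ID_RE.match(second.strip())
    return {"opaque": first, "dev_id": m.group(1).upper() if m else None}


def observer_view(capture):
    """Fields a passive on-path observer can read from one captured update.

    Plain HTTP exposes the whole body. For the https:// endpoints this model
    deliberately exposes only the endpoint and size (a simplification: TLS still
    leaks metadata such as SNI and timing, but not the body).
    """
    view = {"day": capture["day"], "endpoint": capture["endpoint"]}
    if capture["scheme"] == "http":
        view.update(parse_update(capture["body"]))
    else:
        view["bytes"] = len(capture["body"])
    return view


def link_by_device(captures):
    """Days on which each DEV-ID was seen. A stable cleartext identifier lets the
    observer link every daily update of one device, whatever the encrypted blob holds."""
    seen = defaultdict(list)
    for c in captures:
        v = observer_view(c)
        if v.get("dev_id"):
            seen[v["dev_id"]].append(v["day"])
    return dict(seen)


# Constructed captures (not from the page): two devices over three days. The opaque
# strings are arbitrary hex standing in for the encrypted first string; the second
# device identifier is made up.
CAPTURES = [
    {"day": "2023-05-15", "scheme": "http", "endpoint": "http://**.**.**.**",
     "body": "9f3ac1d2e4\nDEV-ID: 00:24:E4:FF:FF:FF"},
    {"day": "2023-05-15", "scheme": "http", "endpoint": "http://**.**.**.**",
     "body": "7b0e11aa90\nDEV-ID: DE:AD:BE:EF:00:01"},
    {"day": "2023-05-16", "scheme": "http", "endpoint": "http://**.**.**.**",
     "body": "c4d9f0b172\nDEV-ID: 00:24:e4:ff:ff:ff"},
    {"day": "2023-05-17", "scheme": "http", "endpoint": "http://**.**.**.**",
     "body": "03e6ab5c4d\nDEV-ID: DE:AD:BE:EF:00:01"},
    # The same payload, had it gone to one of the scenario's https:// endpoints instead
    {"day": "2023-05-17", "scheme": "https", "endpoint": "https://**.**.**.**",
     "body": "88d1c2f0ee\nDEV-ID: 00:24:E4:FF:FF:FF"},
]

if __name__ == "__main__":
    for dev_id, days in link_by_device(CAPTURES).items():
        print(dev_id, "seen on", ", ".join(days))
```

The point for the STRIDE write-up is that the identifier, not the encrypted blob, is what makes the flow an information-disclosure problem: the observer never needs a key to follow one device over time.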

Instructions

Please use the principles of STRIDE to prepare Data Flow Diagrams (DFDs) and a threat analysis for the scenario presented above. Use the MS Threat Modelling Tool, or any other appropriate tool, to develop your DFDs. Also, if you are using a tool that does not support double lines for a complex process, that is acceptable as long as your numbering from level 0 to level 1 is consistent.

1. Create two DFDs, one each for level 0 and level 1 of the scenario.

2. Provide a description of each node on the two DFDs and why you included it.

3. Map the appropriate threats to seven vulnerable DFD elements and propose mitigation(s) for each. These are the seven elements with the most urgent issues according to you.

4. Do not use the automated analysis features of the MS Threat Modelling Tool or any other such tool. Only use tooling to prepare the DFDs, not to perform the analysis, since some of the assumptions underlying such tooling would not be appropriate for the work presented here.

5. This is a STRIDE-only exercise; please do not reference LINDDUN here.
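As an added illustration of instruction 1 and note 4 (two DFDs that are visibly the same system), and not part of the assignment brief, the following Python encodes the scenario's elements as a level-0 and a level-1 DFD, emits Graphviz DOT for each (the double outline of the complex process is drawn with peripheries=2), and checks that the level-1 diagram is a consistent refinement of level 0: every level-1 element maps back to a level-0 element, every level-0 flow reappears at level 1, and level 1 introduces no cross-element flow that level 0 lacks. Element names are taken from the scenario; the identifiers (process 1 refined into 1.1 to 1.5), the trust-boundary names, the "local" channel label for on-device input, and modelling the website only through the user's login are assumptions made for this example. It only prepares the diagrams; the threat mapping in instruction 3 is still done by hand, as instruction 4 requires.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# ident: "1" at level 0, "1.1", "1.2", ... at level 1; kind: entity | process | store;
# parent: the level-0 process a level-1 element refines (None for carried-over elements)
Element = namedtuple("Element", "ident name kind parent", defaults=(None,))
# channel: bluetooth | https | http | local (on-device input; a label chosen for this example)
Flow = namedtuple("Flow", "src dst label channel")


@dataclass
class DFD:
    level: int
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)
    boundaries: dict = field(default_factory=dict)   # boundary name -> set of idents

    def add(self, *els):
        for e in els:
            self.elements[e.ident] = e
        return self

    def flow(self, src, dst, label, channel):
        if src not in self.elements or dst not in self.elements:
            raise KeyError(f"flow between undeclared elements: {src} -> {dst}")
        self.flows.append(Flow(src, dst, label, channel))
        return self

    def origin(self, ident):
        """Level-0 identifier an element stands for: itself, or the process it refines."""
        e = self.elements[ident]
        return e.parent or e.ident

    def boundary_of(self, ident):
        return next((b for b, m in self.boundaries.items() if ident in m), None)

    def boundary_crossings(self):
        """Flows that cross a trust boundary: the edges that say most about their nodes."""
        return [f for f in self.flows if self.boundary_of(f.src) != self.boundary_of(f.dst)]

    def to_dot(self):
        shape = {"entity": "box", "process": "ellipse", "store": "cylinder"}
        out = [f"digraph level{self.level} {{", "  rankdir=LR;"]
        for i, (name, members) in enumerate(self.boundaries.items()):
            out.append(f'  subgraph cluster_{i} {{ label="{name}"; style=dashed;')
            out += [f'    "{m}";' for m in sorted(members)]
            out.append("  }")
        for e in self.elements.values():
            # peripheries=2 draws the double outline of the complex process at level 0
            extra = ", peripheries=2" if self.level == 0 and e.kind == "process" else ""
            out.append(f'  "{e.ident}" [label="{e.ident} {e.name}", shape={shape[e.kind]}{extra}];')
        for f in self.flows:
            out.append(f'  "{f.src}" -> "{f.dst}" [label="{f.label} ({f.channel})"];')
        out.append("}")
        return "\n".join(out)


def check_refinement(l0, l1):
    """Inconsistencies between a level-0 DFD and the level-1 DFD that claims to refine it."""
    problems = []
    for e in l1.elements.values():
        if l1.origin(e.ident) not in l0.elements:
            problems.append(f"level-1 element {e.ident} has no level-0 counterpart")
        elif e.parent and l0.elements[e.parent].kind != "process":
            problems.append(f"{e.ident} refines {e.parent}, which is not a process")
    l1_pairs = {(l1.origin(f.src), l1.origin(f.dst)) for f in l1.flows}
    for f in l0.flows:
        if (f.src, f.dst) not in l1_pairs:
            problems.append(f"level-0 flow {f.src}->{f.dst} ({f.label}) not shown at level 1")
    l0_pairs = {(f.src, f.dst) for f in l0.flows}
    for a, b in sorted(l1_pairs):
        if a != b and (a, b) not in l0_pairs:   # flows internal to one process (a == b) are new detail
            problems.append(f"level-1 flow {a}->{b} has no level-0 counterpart")
    return problems


# External entities are drawn at both levels under the same identifiers.
EXTERNAL = [Element("U", "Wearer", "entity"), Element("AS", "App store", "entity"),
            Element("CR", "Crashlytics server (US)", "entity")]


def level0():
    d = DFD(0).add(*EXTERNAL, Element("1", "Ecorp fitness service", "process"))
    d.boundaries = {"Ecorp": {"1"}, "Third parties": {"AS", "CR"}}
    return (d.flow("U", "1", "activity, account details", "local")
             .flow("AS", "1", "app package", "https")
             .flow("1", "CR", "crash reports", "https"))


def level1():
    d = DFD(1).add(*EXTERNAL,
                   Element("1.1", "Fitness tracker", "process", "1"),
                   Element("1.2", "Device control app", "process", "1"),
                   Element("1.3", "Ecorp website", "process", "1"),
                   Element("1.4", "Ecorp database", "store", "1"),
                   Element("1.5", "Smartphone storage (shared with other apps)", "store", "1"))
    d.boundaries = {"Tracker": {"1.1"}, "Smartphone": {"1.2", "1.5"},
                    "Ecorp backend": {"1.3", "1.4"}, "Third parties": {"AS", "CR"}}
    return (d.flow("U", "1.1", "walking/running/cycling", "local")
             .flow("U", "1.2", "account details, credentials", "local")
             .flow("U", "1.3", "website login", "https")
             .flow("1.1", "1.2", "activity records", "bluetooth")
             .flow("AS", "1.2", "app package", "https")
             .flow("1.2", "1.5", "read/write; photos, location", "local")
             .flow("1.2", "CR", "crash reports", "https")
             .flow("1.2", "1.4", "daily update: encrypted blob + cleartext DEV-ID", "http"))


if __name__ == "__main__":
    print(level0().to_dot())
    print(level1().to_dot())
    print("refinement problems:", check_refinement(level0(), level1()))
```

Pipe the printed DOT through dot -Tpng to render the two diagrams. Any problem reported by check_refinement means the two diagrams are not describing the same system, which is exactly what note 4 is checking for; the flows returned by boundary_crossings are a natural starting list when choosing the seven elements for instruction 3.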

