DistriNet Research Group 

KU Leuven

Dept. Computer Science 

Celestijnenlaan 200A (postbox 2402)

B-3001 Heverlee, BELGIUM


© 2020  DistriNet KU Leuven

Downloads

Here you can find all downloadable material related to LINDDUN. This material consists of LINDDUN-specific information that supports the methodology (such as the mapping table and threat trees), as well as some pointers toward useful tools and tricks. Some worked-out examples are also provided.

We provide a full bundle, as well as an overview of LINDDUN-specific tables, the downloadable LINDDUN threat tree catalog, and the LINDDUN tutorial.

On the remainder of this page, you can find resources and tips grouped per LINDDUN step.

Downloads
  • LINDDUN bundled material

  • LINDDUN tutorial

  • LINDDUN tables (mapping, mitigation, solutions)

  • LINDDUN threat tree catalog (v2.0)

1. Model the system

In the first step of LINDDUN, a data flow diagram (DFD) needs to be created. This is a simple graphical representation that consists of boxes, circles, and arrows, and can be created in many different drawing tools.

Examples of such tools to draw DFDs are:

  • Microsoft threat modeling tool: The SDL threat modeling tool is designed for security analysis using STRIDE. As STRIDE also requires a DFD as a starting point, this tool can evidently also be used for LINDDUN.

    • The tool generates a list of STRIDE threats based on the created DFD. It also allows you to include your own templates for threat generation.

  • Visual Paradigm: supports DFDs (see "Business Modeling" - "Data Flow Diagram").

  • Other programs that have basic drawing support:

Tips

  • It is advised to use an ID (i.e. a number or other abbreviation) for each DFD element, to enable easy reference during the analysis.

  • While the use of bi-directional arrows helps to reduce the complexity of the DFD, it is important to analyze per interaction (i.e. in both directions of the arrow).

  • There is no 'ideal' abstraction level for a DFD. It depends on the complexity of your system, the required level of detail of the analysis, etc. Note however that, in general, there is no need to have a fine-grained model of the internal processes for a privacy analysis. The main threats occur when crossing the trust boundaries.

2. Elicit threats

A. Map DFD elements to threat categories

For the mapping step, LINDDUN provides a generic mapping table that needs to be applied to a specific DFD.

You can also download a Word template (docx) that already contains a prepared mapping table that needs to be completed with system-specific DFD elements. The template also provides some tips and tricks.

B. Elicit privacy threats

To help the analyst find applicable threats, LINDDUN provides a set of threat trees that describe the most common attack paths. Each of the (leaf) nodes of the tree that apply to the system corresponds to a threat that should be documented.

C. Document privacy threats

Each ‘X’ in the mapping table should either be documented as (at least one) threat, or an assumption should be explicitly written down to explain why the given element is not susceptible to the threat.

The LINDDUN threat template is based on misuse cases, but other documentation templates can be used as well.

Tips

  • Combining ‘X’s (reduction): In theory, each ‘X’ should be examined (and documented) individually. In practice, however, it is advised to apply the technique of “reduction”, which means that several ‘X’s can be combined when they apply to the same threat. This is possible for ‘X’s that involve DFD elements of the same DFD type (e.g. all data flows), when the threat that corresponds to the ‘X’s is the same because it involves the same type of data (e.g. usernames and passwords, or non-sensitive or anonymous data, etc.), and when it results in the same consequences (with the same level of priority).

  • Assumptions should be made explicit in order to easily trace them when they change throughout the development lifecycle. Each threat description should refer to the assumptions that are applicable. Do not limit yourself to a brief summary of assumptions, but also document the reasoning behind them.
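The two tips above (reduction of ‘X’s, and the rule that every ‘X’ is either a documented threat or an explicit assumption) can be checked mechanically once the mapping table is in a machine-readable form. The script below is an added illustration, not part of the LINDDUN material: the DFD element IDs, the per-‘X’ annotations and the assumption are constructed sample data, and the grouping key is the one the reduction tip describes (same DFD element type, same threat category, same data type, same consequence, same priority).

```python
from collections import defaultdict

# Constructed sample: the 'X's of a mapping table for a small DFD.
# Each entry is (DFD element ID, DFD element type, LINDDUN threat category).
XS = [
    ("DF1", "data flow", "Identifiability"),
    ("DF2", "data flow", "Identifiability"),
    ("DF1", "data flow", "Disclosure of information"),
    ("DS1", "data store", "Identifiability"),
    ("E1", "entity", "Unawareness"),
]

# Constructed analyst annotations per 'X': (type of data, consequence, priority).
ANNOTATIONS = {
    ("DF1", "Identifiability"): ("credentials", "user re-identified", "high"),
    ("DF2", "Identifiability"): ("credentials", "user re-identified", "high"),
    ("DF1", "Disclosure of information"): ("credentials", "credential leak", "high"),
    ("DS1", "Identifiability"): ("credentials", "user re-identified", "high"),
    ("E1", "Unawareness"): ("profile data", "user unaware of sharing", "medium"),
}

# Constructed explicit assumption that discharges one 'X' instead of a threat.
ASSUMPTIONS = {
    ("E1", "Unawareness"): "A1: the user is shown and must accept a sharing notice",
}


def reduce_xs(xs, annotations):
    """Group 'X's that may be documented as a single threat (reduction).

    Two 'X's are combined only when they share the DFD element type, the
    threat category, the type of data involved, the consequence and the
    priority. Returns {group key: [element IDs]}.
    """
    groups = defaultdict(list)
    for elem_id, elem_type, category in xs:
        data, consequence, priority = annotations[(elem_id, category)]
        groups[(elem_type, category, data, consequence, priority)].append(elem_id)
    return dict(groups)


def uncovered(xs, documented_threats, assumptions):
    """Return the 'X's that are neither documented as a threat nor covered by
    an explicit assumption; an empty list means the mapping table is complete."""
    return [(e, c) for e, _, c in xs
            if (e, c) not in documented_threats and (e, c) not in assumptions]
```

`documented_threats` is the set of (element ID, category) pairs that a written threat description (possibly a reduced one covering several elements) refers to.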

Downloads
A. Map DFD elements to threat categories

  • LINDDUN mapping template

B. Elicit privacy threats
  • LINDDUN threat tree catalog

C. Document privacy threats

  • LINDDUN threat description template

  • LINDDUN assumptions template

3. Manage threats

A. Prioritize threats

Before determining ways to tackle identified threats, first prioritize them according to their risk.

LINDDUN does not prescribe a specific risk assessment method, so that you can integrate your preferred one. Some pointers are provided below.

B. Elicit mitigation strategies

The mitigation strategies taxonomy provides an overview of all strategies that can be used to ensure privacy.

The mitigation mapping table scopes the mitigation strategies that are applicable for each threat tree.

C. Select corresponding solutions

The table with privacy enhancing solutions is structured according to the mitigation strategies to ease the selection of suitable PETs.

Downloads
A. Prioritize threats
  • /

B. Elicit mitigation strategies
  • LINDDUN mitigation strategies taxonomy

  • LINDDUN mapping threats to mitigation strategies

C. Select corresponding solutions

  • LINDDUN classification of PETs according to mitigation strategies

  • References (bibliography) of solutions table

Tips

  • The basic formula to calculate risk takes into account the likelihood and the impact of the threat:
    Risk = impact × likelihood

  • If you want to learn more about risk assessment, you might want to have a look at OWASP risk rating, FAIR, etc.

LINDDUN examples

Below you can find a number of worked out examples of the LINDDUN methodology.

Note that currently these examples are still based on the original LINDDUN methodology and LINDDUN threat trees.

These examples thus do not yet take into account the updated solution-oriented steps, nor do they consider the updated LINDDUN threat trees, as they closely follow the methodology and threat trees described in the original LINDDUN paper.

Social network 2.0 – running example

The full running example is available in the LINDDUN paper. Note that this example has been worked out using the original LINDDUN and thus does not take into account the updated LINDDUN trees or the updated fifth step (mitigation strategies) of the methodology.

Patient communities example

A more extensive execution of LINDDUN is the step-by-step application of (the original) LINDDUN to a patient community system (steps 1-4). This document also illustrates the easy transition from the client-server diagram to the DFD required by LINDDUN.

Smart grid example

Another example involves a smart grid system that is being evaluated for privacy threats using LINDDUN. This document was actually used as baseline during a descriptive study (for the evaluation of LINDDUN). Step 3 (threat elicitation) is therefore the focus of this document.

Downloads

Social network 2.0 – running example

  • Running example of the original LINDDUN paper.

Patient communities example

  • LINDDUN applied to a patient communities example.

Smart grid example

  • LINDDUN applied to a smart grid example.