The LINDDUN privacy engineering framework provides systematic support for the elicitation and mitigation of privacy threats in software systems. Its main strength is its combination of methodological guidance and privacy knowledge support.
The LINDDUN methodology consists of 3 main steps: Model the system, Elicit threats, and Manage threats.
Model the system
You need to have a good understanding of the system in order to analyze its privacy. LINDDUN uses a Data Flow Diagram (DFD) as graphical model of the system-under-analysis.
systematically iterate over the DFD elements to identifiy privacy threats
Find suitable solutions to tackled the uncovered threats
The elicitation and mitigation steps are strengthened by privacy knowledge support structured according to the 7 privacy threat categories encapsulated within LINDDUN's acronym: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance.
LINDDUN threat categories
The provided knowledge support is divided into 7 threat categories, which are encapsulated in the LINDDUN acronym.
An adversary is able to link two items of interest without knowing the identity of the data subject(s) involved.
An adversary is able to identify a data subject from a set of data subjects through an item of interest.
The data subject is unable to deny a claim (e.g., having performed an action, or sent a request).
An adversary is able to distinguish whether an item of interest about a data subject exists or not, regardless of being able to read the contents itself.
Disclosure of information
An adversary is able to learn the content of an item of interest about a data subject.
The data subject is unaware of the collection, processing, storage, or sharing activities (and corresponding purposes) of the data subject’s personal data.
The processing, storage, or handling of personal data is not compliant with legislation, regulation, and/or policy.
LINDDUN knowledge base
In its current version, LINDDUN provides knowledge support in the form of:
a mapping template highlighting potential privacy issues within a LINDDUN threat category for a specific DFD element type.
a catalog of threat trees containing an overview of the most common attack paths structured according to the LINDDUN threat categories
a taxonomy of mitigation strategies to be used to tackle identified threats. The strategies are linked back to the high-level LINDDUN threat categories they aim to resolve
a classification of privacy solutions (privacy enhancing technologies (PETs)) structured according to the mitigation strategies for easy navigation
The LINDDUN methodology consists of 3 main steps: (1) Model the system, (2) Elicit threats, and (3) Manage threats.
Note that these 3 main steps capture the 6 detailed steps that are described in the original LINDDUN documentation.
1. Model the system
You need to have a good understanding of the system in order to analyze its privacy. LINDDUN uses, similar to STRIDE (Microsoft's security threat modeling method), a Data Flow Diagram (DFD) as a model to capture the most relevant system knowledge for the privacy analysis.
A DFD is a structured, graphical representation of the system using 4 major types of building blocks: external entities (i.e. users or third party services external to the system), data stores (i.e. passive containers of information), processes (i.e. computation units), and data flows (indicating how the information is propagated through the system). In addition, trust boundaries can be used to indicate a logical or physical division of the system.
In the example below, the high-level DFD of a simplistic social networking system is shown. In the DFD, the user is represented as an entity to interact with the system. The social network application contains two processes (the portal and the service) and one data store that contains all the personal information of the users.
The data flow diagram (DFD) of a simple Social Network application
2. Elicit threats
Once the system is described, each DFD element should be systematically analyzed for privacy threats.
First a mapping table will be created to guide this process of systematic privacy threat elicitation.
2A. Map DFD elements to threat categories
The second step of the methodology uses the LINDDUN mapping template as shown in the table below as a guide to determine the threats that correspond to the DFD created in the previous step.
The analyst should create a "personalized" table, based on LINDDUN's mapping template, which contains a row for each of the individual elements of the created DFD. This table can then be used as checklist throughout the elicitation phase, as each "x" in the table highlights a potential threat to the system that requires further analysis.
LINDDUN mapping template
2B. Elicit and document threats
Each of the X's in the mapping table of step 2 are examined to determine whether they pose a threat to the system. To this aim, LINDDUN provides a set of privacy threat tree patterns. These trees represent the most common attack paths for a specific LINDDUN threat category and DFD element type. An example tree is shown below.
You can find all the LINDDUN threat trees in the LINDDUN threat tree catalog.
The analyst should examine each of the branches of the tree with the specified DFD element in mind. Each of the leaf nodes (or branches) that are applicable are considered a threat.
2C. Document threats
Each identified threat should be documented. (LINDDUN suggest misuse cases as appropriate description template).
Note that leaf nodes and branches that are not applicable should also be explicitly documented as assumptions. When one of the assumptions is altered in the process, it is important to easily track the required changes in the privacy analysis results.
LINDDUN threat tree - linkability of data flow
3. Manage threats
In the final phase, identified threats are tackled.
3A. Prioritize threats
Furthermore, all the potential privacy threats that are suggested by the privacy threat trees are evaluated and prioritized via risk assessment. Note that LINDDUN does not provide explicit risk analysis support. We merely refer the analyst to established risk assessment techniques.
3B. Select suitable mitigation strategy
Each identified threat should be tackled. LINDDUN provides a taxonomy of mitigation strategies to scope the solution space. A mapping is provided between LINDDUN threat trees and the mitigation strategies taxonomy to easy the selection of a suitable strategy.
Check the mitigation strategies and solutions page to get more details.
LINDDUN mitigation stategies taxonomy
3C. Select privacy enhancing solution
Finally, the classification of privacy enhancing technologies according to the mitigation strategies to which they adhere enables a more focused selection of suitable privacy enhancing solutions. If required, the mitigation strategies can also be translated into privacy requirements, instead of being directly implemented as solutions.
We refer to the webpage on mitigation strategies and solutions for more information on this step.
Example execution of LINDDUN
Walk-through example of LINDDUN privacy threat assessment