COMP6236 Threat modelling for Privacy and Security
Posted ulbrr19
COMP6236 2023
Assignment 3: Threat modelling for Privacy and Security
This assignment is divided into three tasks that progressively increase in length and mark
allocation. The three tasks are independent of each other and there are no overall length or
word-count limits, as this is coursework. However, a good rule of thumb would be to target
one paragraph for task one and two for task two. Task three is longer.
Notes
The following notes are intended to highlight some common "gotchas".
1. For each task, please stick to the requirements provided.
2. The edges of a graph can provide information about the nodes they connect to, especially if the
graph includes more than one type of edge.
3. For task two, remember that LINDDUN is prescriptive in its mapping and mitigation.
4. For task three we are expecting two DFDs of the same system, one at level 0 and one at level 1. It
must be clear how these relate to each other and that they are of the same system.
5. For task three, please review the examples provided in the STRIDE slide deck, as well as the
discussion around the meaning of DFD elements.
6. For task three, keep to system elements explicitly named in the scenario and remember that data
flows are also elements of the system and can be included in the seven you choose.
Marks Breakdown
Task 1 Five marks, consisting of:
2 Marks: For explaining non-repudiation.
3 Marks: For contrasting security and privacy concerns.
Task 2 Ten marks, consisting of:
3 Marks: For contrasting L df2 to L df3.
2 Marks: For explaining inter-tree and inter-model links.
5 Marks: For challenge description and mitigation(s).
Task 3 Twenty-five marks, consisting of:
10 Marks: For DFDs and DFD elements.
15 Marks: For threat identification and discussion/mitigation of seven threats.
That is three marks for a glaring security error and 2 marks for the other six.
Submission Instructions
Please use the template provided and submit using Turnitin on the module blackboard page at this link.
(You should be able to see the “Assignments” tab on the left panel)
Deadline
The coursework deadline is on 19-05-2023 at 16:00. Note that late submissions will be penalised using
the standard University rules (10% per working day) and that no work will be accepted that is more
than five days late.
Purpose of this coursework
The coursework maps to the following aims and objectives of COMP6236:
Knowledge and Understanding
A1. Common issues affecting the security of software systems
Subject-specific Intellectual and Research Skills
B1. Describe specific methods for exploiting software systems
Subject-specific Practical Skills
D1. Identify security weaknesses in software systems and applications
Academic Integrity
This coursework is an individual piece of work and the usual rules regarding individual coursework and
academic integrity apply. In particular, please note the University Academic Integrity Regulations. All
the reports will be checked for plagiarism by scanning them in Turnitin.
Marking Criteria
Your submission will be marked out of 40. The following criteria will be used.
Task              | Criteria                                                                          | Marking Scheme
Task 1            | Ability to differentiate between privacy and security-focused threat analysis.    | Up to 5 marks are awarded for describing non-repudiation and the contradictory positions held by LINDDUN and STRIDE.
Task 2            | Ability to navigate the LINDDUN threat tree.                                      | Up to 10 marks are awarded for describing key features and applying a second set of features.
Task 3            | Ability to conduct STRIDE-based threat modelling.                                 | Up to 25 marks are awarded for building and assessing a threat model at two levels of granularity.
Marks calculation | This coursework counts for 40% of the module mark.
File format       | The submitted file is in PDF format and the report is compliant with the provided template. If the format is not PDF, a 5-mark penalty will be applied. If the report is corrupted or cannot be opened, 0 marks will be awarded for the coursework.
Task 1 - Non-repudiation
Both STRIDE and LINDDUN directly address the concept of non-repudiation.
1. Explain briefly what non-repudiation is and why it is important.
2. Then explain how both STRIDE and LINDDUN view non-repudiation and why it’s different.
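The contrast the two questions ask for can be seen in code. The following is an added example in Go using only the standard library; it is not part of the assignment and the message and key are constructed. A MAC under a key shared by both parties is verifiable by the receiver but also producible by the receiver, so the sender can later deny having sent the message (repudiation, the deniability a privacy analysis can value). An Ed25519 signature verifies only under the sender's public key and cannot be produced by the receiver, so it gives non-repudiation, the property a security analysis wants in order to counter repudiation threats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// sampleMessage is a constructed stand-in for a record one party sends another.
const sampleMessage = "activity-record: user=1234 steps=8421 date=2023-05-01"

// macTag computes HMAC-SHA256 over msg under a key both parties hold.
func macTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// MacVerify checks a tag. It proves the message came from someone holding the key,
// which includes the receiver, so it cannot settle a later dispute about who sent it.
func MacVerify(key, msg, tag []byte) bool {
	return hmac.Equal(macTag(key, msg), tag)
}

// ReceiverCanForgeMac shows the repudiation property of a shared-key MAC: the
// receiver, using only the shared key, produces a tag identical to the sender's.
func ReceiverCanForgeMac(sharedKey []byte) bool {
	msg := []byte(sampleMessage)
	senderTag := macTag(sharedKey, msg)
	receiverTag := macTag(sharedKey, msg) // the receiver holds the same key
	return MacVerify(sharedKey, msg, receiverTag) && hmac.Equal(senderTag, receiverTag)
}

// SignatureBindsOrigin shows non-repudiation with Ed25519: a signature verifies only
// under the sender's public key, and a signature the receiver makes under its own key
// does not verify as the sender's. Returns (sender's signature verifies,
// receiver's forgery verifies, error).
func SignatureBindsOrigin() (bool, bool, error) {
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	_, receiverPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	msg := []byte(sampleMessage)
	sig := ed25519.Sign(senderPriv, msg)
	forgery := ed25519.Sign(receiverPriv, msg)
	return ed25519.Verify(senderPub, msg, sig), ed25519.Verify(senderPub, msg, forgery), nil
}

func main() {
	key := []byte("constructed-shared-key-do-not-reuse")
	fmt.Println("MAC: receiver can produce the sender's tag:", ReceiverCanForgeMac(key))
	ok, forged, err := SignatureBindsOrigin()
	if err != nil {
		panic(err)
	}
	fmt.Println("Signature: sender's verifies:", ok, " receiver's forgery verifies:", forged)
}
```

The same mechanism is therefore a threat under one lens and a mitigation under the other: the signature that lets the receiver prove who sent a record is exactly what removes the sender's ability to deny it.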
Task 2 - Linkability in LINDDUN
The threat tree included below is for the Linkability of data flows (L df).
1. Describe the similarities and differences between L df2 and L df3.
2. Most of the nodes on this threat tree are squares, but there is also a blue hexagon and a red circle.
Describe the functions of both the blue hexagon and the red circle.
Consider the following hypothetical. A new mobile payment system is currently in the design phase and
based on the excessive collection of personal data by the system and the transmission of that data to
data processors, you have determined that there is a significant threat under L df1 specifically.
1. Given that this is in the design phase, work from L df1 to the Mitigation strategies Taxonomy to
map strategies to threats and suggest four remedial actions.
2. Based on the previous, suggest a LINDDUN-linked Privacy Enhancing Technology (PET) that can
be deployed here.
Figure 1: Linkability of data flows on LINDDUN
Task 3 - STRIDE threat modelling
Scenario
A multinational conglomerate, Ecorp LLC, is currently designing a new fitness tracker and associated
smartphone app. Neither exists yet but the intended functionality is fairly typical for consumer smart
electronics. The fitness tracker is a watch-style device which records the wearer's activity including
walking, running, and cycling, but nothing else. This information is then passed via Bluetooth connection
to an associated smartphone hosting the device control app. The fitness tracker can only connect via
Bluetooth to the smartphone and has no other connections. The smartphone on the other hand can be
any modern smartphone and will therefore support mobile data, wifi, and Bluetooth.
The device control app is downloaded from an app store, installed on the user’s smartphone as normal,
and therefore shares the smartphone’s storage with other apps. The app store’s IP address is of the form
https://**.**.**.**. The device control app has read-and-write access to the smartphone’s data store
and by default asks for access to the user’s photos, location data, and crash reporting from the phone.
When the user installs the device control app they are prompted to create an account where they provide
personal details and also get credentials to log into both the app and the Ecorp website. The website’s
IP address is of the form https://**.**.**.**. During this process, the users are told that crash reports
are collected but no specifics are given. In practice, the Ecorp device control app includes the crashlytics
crash reporting and tracking app from Google. All crash reports are sent to a server in the United States
and its IP address is of the form https://**.**.**.**. Lastly, daily updates from the control app to the
Ecorp database are sent to a server with an IP address in the form http://**.**.**.**. These updates
use the POST method and contain two strings, the first is encrypted and cannot be read while the
second is in clear text and is as follows: "DEV-ID: 00:24:E4:FF:FF:FF"
Instructions
Please use the principles of STRIDE to prepare Data Flow Diagrams (DFDs) and threat analysis for the
scenario presented above. Use the MS Threat Modelling Tool or any other appropriate tool, to develop
your DFDs. Also, if you are using a tool that does not support double lines for a complex process that
is acceptable as long as your numbering from lvl 0 to lvl 1 is consistent.
1. Create two DFDs, one each for level 0 and level 1 of the scenario.
2. Provide a description of each node on the two DFDs and why you included it.
3. Map the appropriate threats to seven vulnerable DFD elements and propose mitigation(s) for
each. These are the seven elements with the most urgent issues according to you.
4. Do not use the automated analysis features of the MS Threat Modelling Tool or any other such
tool. Only use tooling to prepare the DFD, but not to perform analysis since some of the assumptions
underlying such tooling would not be appropriate for the work presented here.
5. This is a STRIDE-only exercise, please do not reference LINDDUN here.
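The mapping that step 3 asks you to apply by hand is the standard STRIDE-per-element table (external entity: S, R; process: all six; data store: T, R, I, D; data flow: T, I, D). The following is an added example in Go that encodes one possible level-0 DFD of the scenario and applies that table; it is not part of the assignment and not a deliverable for it. The element names are those the scenario gives; the choice of element kind for each, the trust-zone labels and the ranking rule are this example's own assumptions. It ranks data flows that cross a trust boundary ahead of the rest, and the daily update POST, which the scenario describes as http with a cleartext DEV-ID, first of all.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Kind is the DFD element type; STRIDE-per-element assigns categories by kind.
type Kind int

const (
	ExternalEntity Kind = iota
	Process
	DataStore
	DataFlow
)

// Element is one DFD node or edge. Zone is a trust-boundary label assumed by this
// example; for a DataFlow, From/To name the endpoints and Zone is left empty.
type Element struct {
	Name, Zone, From, To string
	Kind                 Kind
	Cleartext            bool // DataFlow only: no transport confidentiality (plain http in the scenario)
}

// strideByKind is the standard STRIDE-per-element table: S=Spoofing, T=Tampering,
// R=Repudiation, I=Information disclosure, D=Denial of service, E=Elevation of privilege.
var strideByKind = map[Kind]string{ExternalEntity: "SR", Process: "STRIDE", DataStore: "TRID", DataFlow: "TID"}

// Finding pairs an element with one STRIDE category. Urgency 0 marks a data flow
// crossing a trust boundary in cleartext, 1 any other boundary crossing, 2 the rest.
type Finding struct {
	Element  string
	Category rune
	Urgency  int
}

// Enumerate applies the table to every element, ranks boundary-crossing flows
// ahead of the rest, and returns the findings most urgent first.
func Enumerate(elems []Element) []Finding {
	zone := map[string]string{}
	for _, e := range elems {
		if e.Kind != DataFlow {
			zone[e.Name] = e.Zone
		}
	}
	var out []Finding
	for _, e := range elems {
		urgency := 2
		if e.Kind == DataFlow && zone[e.From] != zone[e.To] {
			urgency = 1
			if e.Cleartext {
				urgency = 0
			}
		}
		for _, c := range strideByKind[e.Kind] {
			out = append(out, Finding{e.Name, c, urgency})
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Urgency < out[j].Urgency })
	return out
}

// CategoriesFor returns the category letters assigned to one named element.
func CategoriesFor(findings []Finding, name string) string {
	var b strings.Builder
	for _, f := range findings {
		if f.Element == name {
			b.WriteRune(f.Category)
		}
	}
	return b.String()
}

// ScenarioLevel0 is one possible level-0 DFD of the assignment scenario (an assumption of
// this example): the element kinds and zone labels are choices, the names are the scenario's.
func ScenarioLevel0() []Element {
	app := "Device control app"
	return []Element{
		{Name: "Wearer", Kind: ExternalEntity, Zone: "user"},
		{Name: "Fitness tracker", Kind: ExternalEntity, Zone: "user"},
		{Name: app, Kind: Process, Zone: "phone"},
		{Name: "Smartphone data store", Kind: DataStore, Zone: "phone"},
		{Name: "App store", Kind: ExternalEntity, Zone: "internet"},
		{Name: "Ecorp website", Kind: ExternalEntity, Zone: "internet"},
		{Name: "Crashlytics server (US)", Kind: ExternalEntity, Zone: "internet"},
		{Name: "Ecorp database server", Kind: ExternalEntity, Zone: "internet"},
		{Name: "Activity data over Bluetooth", Kind: DataFlow, From: "Fitness tracker", To: app},
		{Name: "App download (https)", Kind: DataFlow, From: "App store", To: app},
		{Name: "Account creation (https)", Kind: DataFlow, From: app, To: "Ecorp website"},
		{Name: "Crash reports (https)", Kind: DataFlow, From: app, To: "Crashlytics server (US)"},
		{Name: "Daily update POST (http, DEV-ID in clear)", Kind: DataFlow, From: app, To: "Ecorp database server", Cleartext: true},
		{Name: "Local read/write", Kind: DataFlow, From: app, To: "Smartphone data store"},
	}
}

func main() {
	for _, f := range Enumerate(ScenarioLevel0()) {
		fmt.Printf("urgency=%d  %-44s %c\n", f.Urgency, f.Element, f.Category)
	}
}
```

The output is only the list of candidate (element, category) pairs; which seven to pick and how to mitigate each is still the judgement the task asks for. Running it on the level-1 decomposition is a matter of adding the finer-grained elements with the same zone labels, which keeps the two levels consistent.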
Tencent data-security expert on the open-source federated learning project FATE: a bridge to an ideal privacy-preserving future
Data silos, data privacy and data security are the "three great mountains" that artificial intelligence and cloud computing cannot get around in large-scale industrial application.
"Federated learning", as a new generation of AI algorithm, can build models jointly without data leaving its local site, improving the effectiveness of AI models while guaranteeing data privacy and security and breaking through the limits of data silos and small data; this has undoubtedly become one of the routes across the "three mountains". As the world's first industrial-grade open-source federated learning project, FATE has accordingly drawn attention from all sides, and developers have expressed eagerness to join in building the community. (FATE open-source community: https://github.com/FederatedAI/FATE)
After the contributor incentive scheme was launched, the FATE open-source community welcomed its first first-level contributor: Liu Yang from Tencent Cloud. How does federated learning empower data security across industries? How do privacy-protection practitioners rate FATE? Dr Liu Yang gave his views in an interview.
Data computation 70% faster, speeding up enterprise adoption
Liu Yang, who holds a PhD from the Australian National University, is a senior researcher at Tencent Cloud responsible for the privacy-protection algorithms of Tencent's Shendun Sandbox. Because of his field, he says, he has been following "federated learning" closely since the start of the year.
FATE therefore came into view and received close attention from Liu Yang and the Tencent Cloud team. After studying FATE in depth, Liu Yang concluded that the "privacy and security plus distributed learning" concept behind Shendun Sandbox coincided with the three problems FATE sets out to solve, "data security", "data privacy" and "data compliance", and the team gradually began using FATE to meet Shendun Sandbox's functional requirements.
After extended use, Liu Yang says, he came to strongly endorse FATE's logistic regression and XGBoost algorithm pipelines, and so began contributing to the FATE open-source community, proposing an optimisation: replacing the Paillier cryptosystem with a symmetric affine cipher, improving training time by more than 70% and thereby lightening the load of homomorphic computation. Partner enterprises adopting the optimised FATE version will be able to cut the time cost of data computation substantially and strengthen their technical competitiveness in the AI era.
An industry under strain: data security is urgent
In AI application scenarios, the traditional cooperation model of centrally merging and processing data from multiple parties carries serious privacy-leakage problems; this sticking point has even become a key obstacle to enterprises applying AI at scale.
In Liu Yang's view, the key to breaking the deadlock still lies in solving the data-security problem, that is, the trade-off between data privacy and utility. Specifically, for data to be shared safely out of a silo, it must undergo some "masking" operation: cryptographic tools turn useful data into gibberish, so privacy is preserved, but who holds the key greatly affects the data's utility; obfuscating the original data with noise also works, for example differential privacy, where more noise means more privacy but less utility for whoever receives the data. How to find a compromise between privacy and utility is one of the key questions for the secure circulation of data.
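The noise-versus-utility trade-off described above can be made concrete with the Laplace mechanism of differential privacy. The following is an added example in Go (not from the article, from FATE or from Tencent's sandbox): it releases a counting query over a constructed data set of 100 records with epsilon-differential privacy and estimates the average error for several values of epsilon. The data set, the epsilon values and the number of trials are this example's own choices.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// laplace draws one sample from Laplace(0, b) by inverting its CDF.
func laplace(rng *rand.Rand, b float64) float64 {
	u := rng.Float64() - 0.5 // uniform on [-0.5, 0.5)
	for u == -0.5 {          // avoid log(0) at the single excluded point
		u = rng.Float64() - 0.5
	}
	sign := 1.0
	if u < 0 {
		sign = -1.0
	}
	return -b * sign * math.Log(1-2*math.Abs(u))
}

// trueCount is the exact answer to the query "how many records are true".
func trueCount(records []bool) float64 {
	n := 0.0
	for _, r := range records {
		if r {
			n++
		}
	}
	return n
}

// NoisyCount releases the count with epsilon-differential privacy. A count has
// sensitivity 1 (one record changes it by at most 1), so the Laplace scale is 1/epsilon.
func NoisyCount(records []bool, epsilon float64, rng *rand.Rand) float64 {
	return trueCount(records) + laplace(rng, 1/epsilon)
}

// MeanAbsError estimates the utility loss for a given epsilon: the average distance
// between the released and the exact count over many independent releases.
func MeanAbsError(records []bool, epsilon float64, trials int, rng *rand.Rand) float64 {
	exact := trueCount(records)
	total := 0.0
	for i := 0; i < trials; i++ {
		total += math.Abs(NoisyCount(records, epsilon, rng) - exact)
	}
	return total / float64(trials)
}

// SampleRecords is a constructed data set: which of 100 users cycled this week.
func SampleRecords() []bool {
	recs := make([]bool, 100)
	for i := range recs {
		recs[i] = i%3 == 0
	}
	return recs
}

func main() {
	rng := rand.New(rand.NewSource(1)) // fixed seed so the demonstration is reproducible
	for _, eps := range []float64{0.1, 1, 10} {
		fmt.Printf("epsilon=%4.1f  mean |error| ~ %.2f  (1/epsilon = %.2f)\n",
			eps, MeanAbsError(SampleRecords(), eps, 20000, rng), 1/eps)
	}
}
```

The scale 1/epsilon follows from the query's sensitivity of 1, and the mean absolute error of Laplace(b) noise is b, so halving epsilon (more privacy) doubles the expected error (less utility); that is the compromise the paragraph above refers to, expressed as a single tunable parameter.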
The ideal future state is that any data user can run efficient data-mining operations over freely flowing and aggregated distributed data without feeling the slightest drag from privacy protection. In MPC (Multi-party Computation), the industry is still at solutions such as garbled circuits and trusted computing; although the computation tasks they support are general, they require extra hardware support and carry a high learning cost, which hinders large-scale application and works against the formation of secure data alliances.
Federated learning, by contrast, works within a general federated framework and applies customised privacy-protection modifications to each machine-learning algorithm or class of algorithm, making them no different to use than classic centralised machine-learning models. It thus ensures ease of use while holding costs steady. For enterprises, Liu Yang says, the solutions federated learning offers are more attractive; for the industry, more convenient operation will attract more developers and so drive the construction of secure data alliances.
The FATE ecosystem and Tencent Cloud: a promising future for data security
Since early May this year, FATE and Tencent Cloud's Shendun Sandbox have been engaged in business dealings and technical exchange, and the core computation module of Shendun Sandbox is now provided by FATE. The two sides worked closely while building the platform. Liu Yang said in the interview that when the team uses the FATE framework and algorithms, it contributes useful suggestions back to the FATE open-source project and takes part in building the community.
This form of cooperation, characterised by "mutual help and mutual benefit, building together in the open", has both helped polish the Shendun Sandbox product and improved the FATE project, while also setting a good example for other technical projects and teams: embracing new technology with an open attitude benefits not only oneself but also drives the whole industry forward.
As Liu Yang envisages it, the two could cooperate more deeply in future on raising technical influence and landing business, for example by jointly publishing major papers, filing patents and taking on internal and external real-world business together, so that both "academia" and "industry" flourish.
As more and more contributors join in building FATE's theoretical standards and industry applications, FATE is bound to see broader prospects. Liu Yang says the partnership between Shendun Sandbox and FATE will accelerate the taking root and growth of data security, and that a future in which a secure data alliance is built on top of data silos is within reach.