Skip to main content
SpringerLink
Log in

On the Applicability of Security and Privacy Threat Modeling for Blockchain Applications

  • Conference paper
  • First Online:
Computer Security (CyberICPS 2019, SECPRE 2019, SPOSE 2019, ADIoT 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11980))

Abstract

Elicitative threat modeling approaches such as Microsoft STRIDE and LINDDUN for respectively security and privacy use Data Flow Diagrams (DFDs) to model the system under analysis. Distinguishing between external entities, processes, data stores and data flows, these system models are particularly suited for modeling centralized, traditional multi-tiered system architectures.

This raises the question whether these approaches are also suited for inherently decentralized architectures such as distributed ledgers or blockchains, in which the processing, storage, and control flow is shared among many equal participants.

To answer this question, we perform an in-depth analysis of the compatibility between blockchain security and privacy threat types documented in literature and these threat modeling approaches. Our findings identify areas for future improvement of elicitative threat modeling approaches.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege;

    LINDDUN: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance.

References

  1. Almashaqbeh, G., Bishop, A., Cappos, J.: ABC: a cryptocurrency-focused threat modeling framework. arXiv preprint arXiv:1903.03422 (2019)

  2. Androulaki, E., Karame, G.O., Roeschlin, M., Scherer, T., Capkun, S.: Evaluating user privacy in bitcoin. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 34–51. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_4

    Chapter  Google Scholar 

  3. Biryukov, A., Khovratovich, D., Pustogarov, I.: Deanonymisation of clients in Bitcoin P2P network. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 15–29. ACM (2014)

    Google Scholar 

  4. Biryukov, A., Pustogarov, I.: Bitcoin over Tor isn’t a good idea. In: 2015 IEEE Symposium on Security and Privacy, pp. 122–134. IEEE (2015)

    Google Scholar 

  5. Carson, B., Romanelli, G., Walsh, P., Zhumaev, A.: Blockchain beyond the hype: what is the strategic business value. McKinsey & Company (2018)

    Google Scholar 

  6. Conti, M., Kumar, E.S., Lal, C., Ruj, S.: A survey on security and privacy issues of Bitcoin. IEEE Commun. Surv. Tutorials 20(4), 3416–3452 (2018)

    Article  Google Scholar 

  7. Courtois, N.T., Bahack, L.: On subversive miner strategies and block withholding attack in Bitcoin digital currency. arXiv preprint arXiv:1402.1718 (2014)

  8. Deng, M., Wuyts, K., Scandariato, R., Preneel, B., Joosen, W.: A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Requirements Eng. 16(1), 3–32 (2011)

    Article  Google Scholar 

  9. DuPont, J., Squicciarini, A.C.: Toward de-anonymizing Bitcoin by mapping users location. In: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy, pp. 139–141. ACM (2015)

    Google Scholar 

  10. Eskandari, S., Clark, J., Barrera, D., Stobert, E.: A first look at the usability of Bitcoin key management. arXiv preprint arXiv:1802.04351 (2018)

  11. Eyal, I., Sirer, E.G.: Majority is not enough: Bitcoin mining is vulnerable. Commun. ACM 61(7), 95–102 (2018)

    Article  Google Scholar 

  12. Finney, H.: Best practice for fast transaction acceptance-how high is the risk (2011)

    Google Scholar 

  13. Gervais, A., Capkun, S., Karame, G.O., Gruber, D.: On the privacy provisions of bloom filters in lightweight Bitcoin clients. In: Proceedings of the 30th Annual Computer Security Applications Conference, pp. 326–335. ACM (2014)

    Google Scholar 

  14. Heilman, E., Kendler, A., Zohar, A., Goldberg, S.: Eclipse attacks on Bitcoin’s peer-to-peer network. In: 24th USENIX Security Symposium (2015)

    Google Scholar 

  15. Karame, G.O., Androulaki, E., Capkun, S.: Double-spending fast payments in bitcoin. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 906–917. ACM (2012)

    Google Scholar 

  16. Koshy, P., Koshy, D., McDaniel, P.: An analysis of anonymity in Bitcoin using P2P network traffic. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 469–485. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45472-5_30

    Chapter  Google Scholar 

  17. Kwon, Y., Kim, D., Son, Y., Vasserman, E., Kim, Y.: Be selfish and avoid dilemmas: fork after withholding (FAW) attacks on Bitcoin. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM (2017)

    Google Scholar 

  18. Meiklejohn, S., et al.: A fistful of Bitcoins: characterizing payments among men with no names. In: Proceedings of the 2013 Conference on Internet Measurement Conference, pp. 127–140. ACM (2013)

    Google Scholar 

  19. Microsoft Corporation: Microsoft Threat Modeling Tool 2016 (2016). http://aka.ms/tmt2016

  20. Nakamoto, S., et al.: Bitcoin: a peer-to-peer electronic cash system (2008)

    Google Scholar 

  21. Nick, J.D.: Data-driven de-anonymization in Bitcoin. Master’s thesis, ETH-Zürich (2015)

    Google Scholar 

  22. Reid, F., Harrigan, M.: An analysis of anonymity in the Bitcoin system. In: Altshuler, Y., Elovici, Y., Cremers, A., Aharony, N., Pentland, A. (eds.) Security and Privacy in Social Networks, pp. 197–223. Springer, New York (2013). https://doi.org/10.1007/978-1-4614-4139-7_10

    Chapter  Google Scholar 

  23. Rosenfeld, M.: Analysis of bitcoin pooled mining reward systems. arXiv preprint arXiv:1112.4980 (2011)

  24. Shevchenko, N., Chick, T.A., O’Riordan, P., Scanlon, T.P., Woody, C.: Threat modeling: a summary of available methods (2018)

    Google Scholar 

  25. Shostack, A.: Threat Modeling: Designing for Security. Wiley Publishing, Indianapolis (2014)

    Google Scholar 

  26. Sion, L., Van Landuyt, D., Yskout, K., Joosen, W.: SPARTA: security & privacy architecture through risk-driven threat assessment. IEEE (2018)

    Google Scholar 

  27. Sion, L., Wuyts, K., Yskout, K., Van Landuyt, D., Joosen, W.: Interaction-based privacy threat elicitation. In: International Workshop on Privacy Engineering (2018)

    Google Scholar 

  28. Sion, L., Yskout, K., Van Landuyt, D., Joosen, W.: Solution-aware data flow diagrams for security threat modelling. In: SAC 2018: Proceedings of the 33rd Annual ACM Symposium on Applied Computing, pp. 1425–1432, April 2018. https://doi.org/10.1145/3167132.3167285

  29. Tuma, K., Calikli, G., Scandariato, R.: Threat analysis of software systems: a systematic literature review. J. Syst. Softw. 144, 275–294 (2018)

    Article  Google Scholar 

Download references

Acknowledgments

This research is partially funded by the Research Fund KU Leuven and the imec-ICON BOSS research project.

Author information

Authors and Affiliations

  1. imec-DistriNet, KU Leuven, 3001, Leuven, Belgium

    Dimitri Van Landuyt, Laurens Sion, Emiel Vandeloo & Wouter Joosen

Authors
  1. Dimitri Van Landuyt
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Laurens Sion
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Emiel Vandeloo
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Wouter Joosen
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Dimitri Van Landuyt .

Editor information

Editors and Affiliations

  1. Open University of Cyprus, Latsia, Cyprus

    Sokratis Katsikas

  2. IMT Atlantique, Brest, France

    Frédéric Cuppens

  3. IMT Atlantique, Brest, France

    Nora Cuppens

  4. University of Piraeus, Piraeus, Greece

    Costas Lambrinoudakis

  5. University of the Aegean, Mytilene, Greece

    Christos Kalloniatis

  6. University of Toronto, Toronto, ON, Canada

    John Mylopoulos

  7. Georgia Institute of Technology, Atlanta, GA, USA

    Annie Antón

  8. University of Piraeus, Piraeus, Greece

    Stefanos Gritzalis

  9. Technical University of Berlin, Berlin, Germany

    Frank Pallas

  10. Alexander von Humboldt Institute for Internet and Society, Berlin, Germany

    Jörg Pohle

  11. Ruhr University Bochum, Bochum, Germany

    Angela Sasse

  12. Technical University of Denmark, Kongens Lyngby, Denmark

    Weizhi Meng

  13. University of Plymouth, Plymouth, UK

    Steven Furnell

  14. Télécom SudParis, Evry, France

    Joaquin Garcia-Alfaro

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Van Landuyt, D., Sion, L., Vandeloo, E., Joosen, W. (2020). On the Applicability of Security and Privacy Threat Modeling for Blockchain Applications. In: Katsikas, S., et al. Computer Security. CyberICPS SECPRE SPOSE ADIoT 2019 2019 2019 2019. Lecture Notes in Computer Science(), vol 11980. Springer, Cham. https://doi.org/10.1007/978-3-030-42048-2_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-42048-2_13

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-42047-5

  • Online ISBN: 978-3-030-42048-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation