CMU-ISRI-06-124
Institute for Software Research
School of Computer Science, Carnegie Mellon University



CMU-ISRI-06-124

Checking Threat Modeling Data Flow Diagrams
for Implementation Conformance and Security

Marwan Abi-Antoun*, Daniel Wang**, Peter Torr***

September 2006

CMU-ISRI-06-124.ps
CMU-ISRI-06-124.pdf

Keywords: Threat modeling, data flow diagrams, reflexion models, architecture-level security analysis, spoofing, tampering, information disclosure, denial of service


Threat modeling analyzes how an adversary might attack a system by supplying it with malicious data or interacting with it. The analysis uses a Data Flow Diagram (DFD) to describe how data moves through a system. Today, DFDs are represented informally, reviewed manually with security domain experts and may not reflect all the entry points in the implementation.

We designed an approach to check the conformance of an implementation with its security architecture. We extended Reflexion Models to compare as-built DFD recovered from the implementation and the as-designed DFD, by increasing its automation and thus its adoptability. We also designed an analysis to assist DFD designers validate their initial DFDs and detect common security design flaws in them.

An evaluation of the approach on subsystems from production code showed that it can find omitted or outdated information in existing DFDs.

21 pages

*This work was conducted while an intern at the Center for Software Excellence at Microsoft Research.
**Microsoft Research, Center for Software Research
***Microsoft Research


Return to: SCS Technical Report Collection
School of Computer Science homepage

This page maintained by reports@cs.cmu.edu