Help With DFD Creation - Making Sense of the Diagram Validation

  • Question

  • We are trying to create a DFD of our software using the Threat Modeling Tool Version: 3.1.4.0. The issue we have is that the Diagram Validation window is always yelling at us and we don't understand what we are doing wrong. For example, we have a factory encrypted firmware update file that is created by a separate dev team and sent to the user for installing into the application. Thus it seems to us that the firmware update File should be a data store that crosses a trust boundary into the update process in our application. But if we do that, we get the following errors:

    Firmware Upgrade Files

    All data should come from outside the system.

    Firmware Upgrade Files

    Nothing writes into this data store.

    Having the User be the input into the Firmware Update files (as in storing them on the computer file system after receiving them via email), gives the error that only processes can input into data stores. Similarly, having our Firmware Dev Team as an entity causes errors. I guess we could model their file dev process for them, but this seems a bit excessive.

    We'd just ignore this if it was the only issue, but there are a significant number of input files that are giving us concern and warnings and we want to be sure we are doing this correctly before we ignore about 50 warnings. Some are Public Keys built into the application for checking that the update file is valid so we created a "Key Store" Data Store object where these keys live in the application memory. Again these get the same errors, along with another one that puzzles us - "All data should come from outside the system."

    On that note, is there any more information on creating DFDs for TM? The excellent resources on the TM process (such as Michael Howard teaches threat modeling ) seem to start with a fully formed DFD. We are still struggling on the DFD stage.

    Thanks

    Eric


    • Moved by Hengzhe Li Tuesday, June 21, 2011 12:00 PM Forum Consolidate (From:Microsoft Security Development Lifecycle (SDL) - Threat Modeling)
    Tuesday, November 30, 2010 5:43 PM

Answers

  • Eric - The validation logic is strict and may not always work in your context. We are working on identifying how to loosen up the validation logic and provide more concrete guidance on how to address the specific issue around the message - "All data should come from outside the system".

    Without looking at your data flow diagram and application context, I am guessing that your conclusion on using a process element to represent the file dev process may work but with the side effect that the tool will generate threats for that process as well. If you are concerned about dealing with the extra threats that are generated as a result of the process element addition, you could leverage the feature in the tool that allows you to turn off threats against specific elements and document your reasons.

    To some extent, drawing the correct diagram requires a bit of a learning curve and we hope to ease that curve by a combination of improved validation logic, better guidance and features that provide the flexibility users need.

    Hope that helps.


    Ashish Popli
    • Proposed as answer by Ashish Popli Wednesday, May 18, 2011 4:41 PM
    • Marked as answer by Ashish Popli Tuesday, June 7, 2011 10:38 PM
    Monday, May 16, 2011 7:01 PM
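To make the validation messages in the question concrete, here is an added example (not code from the thread or from the Threat Modeling Tool): a small DFD checker that encodes the three rules the quoted errors imply, run over Eric's two attempted layouts and over the process-element layout Ashish suggests. The rules and the element names ("Save Update File" in particular) are assumptions inferred from the error messages, not the tool's actual logic.

```python
# Added example, not from the thread or from the Threat Modeling Tool itself:
# a small DFD checker encoding the three validation rules implied by the
# error messages quoted above (inferred from those messages, not the tool's code).
from collections import defaultdict

ENTITY, PROCESS, STORE = "entity", "process", "store"

def validate(elements, flows):
    """elements: {name: kind}; flows: [(src, dst)]. Returns the list of rule violations."""
    writers = defaultdict(list)            # dst -> [src, ...]
    for src, dst in flows:
        writers[dst].append(src)
    errors = []
    for name, kind in elements.items():
        if kind != STORE:
            continue
        if not writers[name]:
            errors.append(f"{name}: Nothing writes into this data store.")
        for src in writers[name]:
            if elements[src] != PROCESS:
                errors.append(f"{name}: only processes can input into data stores ({src}).")
        if not from_outside(name, writers, elements, set()):
            errors.append(f"{name}: All data should come from outside the system.")
    return errors

def from_outside(node, writers, elements, seen):
    """Follow flows upstream; True if some ultimate source is an external entity."""
    if node in seen:
        return False
    seen.add(node)
    if elements[node] == ENTITY:
        return True
    return any(from_outside(s, writers, elements, seen) for s in writers[node])

# Constructed diagrams based on the question. (1) Eric's first attempt: the
# file store has no writer, it only feeds the update process across the boundary.
no_writer = {"Firmware Upgrade Files": STORE, "Update Process": PROCESS}
no_writer_flows = [("Firmware Upgrade Files", "Update Process")]
# (2) Eric's second attempt: the User entity writes directly into the store.
user_writes = {"User": ENTITY, "Firmware Upgrade Files": STORE, "Update Process": PROCESS}
user_writes_flows = [("User", "Firmware Upgrade Files"), ("Firmware Upgrade Files", "Update Process")]
# (3) Ashish's suggestion: a process (hypothetical "Save Update File") sits
# between the external source and the store, so all three rules pass.
fixed = dict(user_writes, **{"Save Update File": PROCESS})
fixed_flows = [("User", "Save Update File"), ("Save Update File", "Firmware Upgrade Files"),
               ("Firmware Upgrade Files", "Update Process")]

if __name__ == "__main__":
    for d, f in ((no_writer, no_writer_flows), (user_writes, user_writes_flows), (fixed, fixed_flows)):
        print(validate(d, f))
```

Layout (1) reproduces both messages Eric quotes, layout (2) the "only processes" message, and layout (3) is clean, at the cost of the extra process now receiving generated threats, which is the side effect Ashish describes.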

All replies

  • Hey Eric,

    Can you either post an image of the DFD or send me a .tms with just the elements in question that produces the errors you are seeing? I can take a quick look and better understand what you are talking about. If you want to email that part of the Threat Model privately, send it to my MVP email addr of dana(a)vulscan.com.

    Tuesday, January 18, 2011 7:16 PM