xDECAF: An Extensible Data Flow Diagram Analysis Framework for Information Security
Summary
xDECAF is an extensible framework designed for architecture-based data flow analysis, specifically targeting information security. It integrates an extended Data Flow Diagram (DFD) metamodel featuring labeled flows and nodes, a domain-specific constraint language with various flow operations, and a browser-based editor powered by an analysis engine. The framework includes a tool library and a curated catalog of 26 example models, ranging from 7 to 923 nodes and 4 to 72 individual labels, complete with documented constraints and expected violations. This catalog serves as a reusable dataset for the community. xDECAF has been adopted across multiple research lines, demonstrating its utility in addressing security properties, integrating architectural modeling languages, supporting analysis composition, uncertainty modeling, automated mitigation of violations, and legal compliance scenarios. The tool, dataset, and a hosted online editor are all publicly available.
Key takeaway
For AI Security Engineers or Software Architects evaluating system designs for information security, xDECAF offers a robust, extensible framework. You can use its extended DFDs and constraint language to systematically assess security and compliance requirements at design time. This enables early identification of data flow violations and supports informed trade-off decisions, especially for complex systems or Zero Trust Architectures. Consider integrating xDECAF to enhance your threat modeling workflows and automate mitigation strategies.
Key insights
xDECAF provides an extensible DFD analysis framework for information security, enabling custom label propagation and constraint evaluation.
Principles
- DFDs can be extended with labels, pins, and assignments.
- User-defined semantics allow broad analysis beyond security.
- Decoupling label types from analysis logic enhances flexibility.
Method
xDECAF's core involves modeling DFDs with labels, pins, and assignments, propagating labels through flows, and then evaluating user-defined constraints using a domain-specific language to identify violations.
In practice
- Analyze Zero Trust Architecture compliance.
- Identify encryption-related vulnerabilities.
- Automate mitigation of DFD confidentiality violations.
Topics
- Data Flow Diagram Analysis
- Information Security
- Software Architecture Modeling
- Constraint Language
- Threat Modeling
- Automated Security Analysis
Code references
Best for: AI Architect, AI Scientist, Research Scientist, AI Security Engineer, Software Engineer
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by cs.SE updates on arXiv.org.