An Attack Surface Metric

Measurement of software security is a long-standing challenge to the research community. At the same time, practical security metrics and measurements are essential for secure software development. Hence, the need for metrics is more pressing now due to a growing demand for secure software. In this paper, we propose using a software system's attack surface measurement as an indicator of the system's security. We formalize the notion of a system's attack surface and introduce an attack surface metric to measure the attack surface in a systematic manner. Our measurement method is agnostic to a software system's implementation language and is applicable to systems of all sizes; we demonstrate our method by measuring the attack surfaces of small desktop applications and large enterprise systems implemented in C and Java. We conducted three exploratory empirical studies to validate our method. Software developers can mitigate their software's security risk by measuring and reducing their software's attack surfaces. Our attack surface reduction approach complements the software industry's traditional code quality improvement approach for security risk mitigation and is useful in multiple phases of the software development lifecycle. Our collaboration with SAP demonstrates the use of our metric in the software development process.
