Measuring a System's Attack Surface

Abstract

We propose a metric to determine whether one version of a system is relatively more secure than another with respect to the system's attack surface. Intuitively, the more exposed the attack surface, the more likely the system could be successfully attacked, and hence the more insecure it is. We define an attack surface in terms of the system's actions that are externally visible to its users and the system's resources that each action accesses or modifies. To apply our metric in practice, rather than consider all possible system resources, we narrow our focus on a "relevant" subset of resource types, which we call attack classes; these reflect the types of system resources that are more likely to be targets of attack. We assign payoffs to attack classes to represent likelihoods of attack; resources in an attack class with a high payoff value are more likely to be targets or enablers of an attack than resources in an attack class with a low payoff value. We outline a method to identify attack classes and to measure a system's attack surface. We demonstrate and validate our method by measuring the relative attack surface of four different versions of the Linux operating system.

Keywords: Security metrics, attack, attack class, attack surface, threat modeling
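As an added illustration of the metric the abstract describes (this is example code, not the paper's or its authors' own), the Python below models a system version as its externally visible actions and the resources each action touches, buckets the exposed resources into attack classes, and compares two versions first class by class (a partial order, so two versions can be incomparable) and then by a payoff-weighted scalar. The attack classes, resource names and payoff values are constructed placeholders for the example, not the paper's Linux measurements.

```python
# Added illustration of a relative attack-surface measurement. Attack classes,
# resources and payoff values are constructed for this example; they are not
# the paper's data for the Linux versions it measured.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Resource:
    name: str
    attack_class: str  # which attack class this resource belongs to


@dataclass
class SystemVersion:
    name: str
    # externally visible action -> resources that action accesses or modifies
    actions: Dict[str, FrozenSet[Resource]] = field(default_factory=dict)

    def exposed_resources(self) -> Set[Resource]:
        """Union over all actions: a resource reached by several actions counts once."""
        exposed: Set[Resource] = set()
        for resources in self.actions.values():
            exposed |= resources
        return exposed


def attack_surface_vector(system: SystemVersion, payoffs: Dict[str, int]) -> Dict[str, int]:
    """Count exposed resources per attack class; resources outside the chosen classes are ignored."""
    counts = {cls: 0 for cls in payoffs}
    for res in system.exposed_resources():
        if res.attack_class in counts:
            counts[res.attack_class] += 1
    return counts


def compare_vectors(a: Dict[str, int], b: Dict[str, int]) -> str:
    """Class-by-class comparison (a partial order): 'less', 'greater', 'equal' or 'incomparable'."""
    a_le_b = all(a[cls] <= b[cls] for cls in a)
    b_le_a = all(b[cls] <= a[cls] for cls in a)
    if a_le_b and b_le_a:
        return "equal"
    if a_le_b:
        return "less"
    if b_le_a:
        return "greater"
    return "incomparable"


def weighted_measure(vector: Dict[str, int], payoffs: Dict[str, int]) -> int:
    """Collapse the vector to one number using payoffs as weights; this totally orders versions."""
    return sum(payoffs[cls] * n for cls, n in vector.items())


def relative_attack_surface(a: SystemVersion, b: SystemVersion,
                            payoffs: Dict[str, int]) -> Tuple[str, int, int]:
    """Return (class-wise comparison of a to b, weighted measure of a, weighted measure of b)."""
    va, vb = attack_surface_vector(a, payoffs), attack_surface_vector(b, payoffs)
    return compare_vectors(va, vb), weighted_measure(va, payoffs), weighted_measure(vb, payoffs)


# Constructed payoffs: a higher value marks a class whose resources are more
# likely targets or enablers of attack.
PAYOFFS = {"open_socket": 3, "setuid_program": 4, "world_writable_file": 2}

# Constructed version A: one listening socket, two setuid programs, two writable dirs.
VERSION_A = SystemVersion("A", {
    "accept_http": frozenset({Resource("tcp/80", "open_socket")}),
    "run_setuid": frozenset({Resource("/usr/bin/passwd", "setuid_program"),
                             Resource("/usr/bin/ping", "setuid_program")}),
    "write_tmp": frozenset({Resource("/tmp", "world_writable_file"),
                            Resource("/var/tmp", "world_writable_file")}),
})

# Constructed version B: adds a second socket but drops a setuid program and a
# writable dir; two actions share /tmp, which is counted only once.
VERSION_B = SystemVersion("B", {
    "accept_http": frozenset({Resource("tcp/80", "open_socket")}),
    "accept_ssh": frozenset({Resource("tcp/22", "open_socket")}),
    "run_setuid": frozenset({Resource("/usr/bin/passwd", "setuid_program")}),
    "write_tmp": frozenset({Resource("/tmp", "world_writable_file")}),
    "cron_run": frozenset({Resource("/tmp", "world_writable_file")}),
})

if __name__ == "__main__":
    order, ma, mb = relative_attack_surface(VERSION_A, VERSION_B, PAYOFFS)
    print(f"A vs B class-wise: {order}; weighted A={ma}, B={mb}")
```

A and B come out incomparable class by class (B exposes more sockets but fewer setuid programs and writable files), which is exactly the situation the payoff assignment is there to resolve: under the constructed payoffs B has the smaller weighted measure, so it is judged relatively more secure. Changing the payoffs changes that verdict, which is why the choice of attack classes and payoffs is the substantive step in the method.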