An Approach to Measuring a System's Attack Surface

Abstract : Practical software security measurements and metrics are critical to the improvement of software security. We propose a metric to determine whether one software system is more secure than another similar system with respect to their attack surface. We use a system's attack surface measurement as an indicator of the system's security; the larger the attack surface, the more insecure the system. We measure a system's attack surface in terms of three kinds of resources used in attacks on the system: methods, channels, and data. We demonstrate the use of our attack surface metric by measuring the attack surfaces of two open source IMAP servers and two FTP daemons. We validated the attack surface metric by conducting an expert user survey and by performing statistical analysis of Microsoft Security Bulletins. Our metric can be used as a tool by software developers in the software development process and by software consumers in their decision making process.

[1]  Keith W. Miller,et al.  Defining an adaptive software security metric from a dynamic software failure tolerance measure , 1996, Proceedings of 11th Annual Conference on Computer Assurance. COMPASS '96.

[2]  David M. Nicol Modeling and Simulation in Security Evaluation , 2005, IEEE Secur. Priv..

[3]  P. V. Marsden,et al.  Handbook of Survey Research , 1985 .

[4]  Michael Howard,et al.  Measuring Relative Attack Surfaces , 2005 .

[5]  Jeffrey M. Woodbridge Econometric Analysis of Cross Section and Panel Data , 2002 .

[6]  John McHugh Quality of protection: measuring the unmeasurable? , 2006, QoP '06.

[7]  Steven M. Bellovin On the Brittleness of Software and the Infeasibility of Security Metrics , 2006, IEEE Security & Privacy Magazine.

[8]  James D. Wright,et al.  Handbook of Survey Research. , 1985 .

[9]  Jeannette M. Wing,et al.  Measuring a System's Attack Surface , 2004 .

[10]  W. Shadish,et al.  Experimental and Quasi-Experimental Designs for Generalized Causal Inference , 2001 .

[11]  Miles McQueen,et al.  Measuring the attack surfaces of two FTP daemons , 2006, QoP '06.

[12]  Rayford B. Vaughn,et al.  Information assurance measures and metrics - state of practice and proposed taxonomy , 2003, 36th Annual Hawaii International Conference on System Sciences, 2003. Proceedings of the.

[13]  G. R. Wilson Input and output methods , 2002 .

[14]  Marc Dacier,et al.  Privilege Graph: an Extension to the Typed Access Matrix Model , 1994, ESORICS.

[15]  Vassilis Prevelakis,et al.  Characterizing the 'security vulnerability likelihood' of software functions , 2003, International Conference on Software Maintenance, 2003. ICSM 2003. Proceedings..

[16]  R. Likert “Technique for the Measurement of Attitudes, A” , 2022, The SAGE Encyclopedia of Research Design.

[17]  Rodolphe Ortalo,et al.  Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security , 1999, IEEE Trans. Software Eng..

[18]  David Wright,et al.  Towards Operational Measures of Computer Security , 1993, J. Comput. Secur..

[19]  Gary McGraw,et al.  From the Ground Up: The DIMACS Software Security Workshop , 2003, IEEE Secur. Priv..

[20]  Shari Lawrence Pfleeger,et al.  Software Metrics : A Rigorous and Practical Approach , 1998 .

[21]  Jim Alves-Foss,et al.  Assessing computer security vulnerability , 1995, OPSR.