
A Formal Model for a System’s Attack Surface

Chapter in: Moving Target Defense

Part of the book series: Advances in Information Security (ADIS, volume 54)

Abstract

Practical software security metrics and measurements are essential for secure software development. In this chapter, we introduce the measure of a software system’s attack surface as an indicator of the system’s security. The larger the attack surface, the more insecure the system. We formalize the notion of a system’s attack surface using an I/O automata model of the system and introduce an attack surface metric to measure the attack surface in a systematic manner. Our metric is agnostic to a software system’s implementation language and is applicable to systems of all sizes. Software developers can use the metric in multiple phases of the software development process to improve software security. Similarly, software consumers can use the metric in their decision-making process to compare alternative software.



Author information

Corresponding author: Pratyusa K. Manadhata.


Copyright information

© 2011 Springer Science+Business Media, LLC

About this chapter

Cite this chapter

Manadhata, P.K., Wing, J.M. (2011). A Formal Model for a System’s Attack Surface. In: Jajodia, S., Ghosh, A., Swarup, V., Wang, C., Wang, X. (eds) Moving Target Defense. Advances in Information Security, vol 54. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-0977-9_1

  • DOI: https://doi.org/10.1007/978-1-4614-0977-9_1

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-0976-2

  • Online ISBN: 978-1-4614-0977-9

  • eBook Packages: Computer Science (R0)
