A Formal Model for a System’s Attack Surface

  • Pratyusa K. ManadhataEmail author
  • Jeannette M. Wing
Part of the Advances in Information Security book series (ADIS, volume 54)


Practical software security metrics and measurements are essential for secure software development. In this chapter, we introduce the measure of a software system’s attack surface as an indicator of the system’s security. The larger the attack surface, the more insecure the system. We formalize the notion of a system’s attack surface using an I/O automata model of the system and introduce an attack surface metric to measure the attack surface in a systematic manner. Our metric is agnostic to a software system’s implementation language and is applicable to systems of all sizes. Software developers can use the metric in multiple phases of the software development process to improve software security. Similarly, software consumers can use the metric in their decision making process to compare alternative software.


Entry Point Data Item Potential Attack Exit Point Input Action 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    J. Alves-Foss and S. Barbosa. Assessing computer security vulnerability. ACM SIGOPS Operating Systems Review, 29(3), 1995.Google Scholar
  2. 2.
    E. Asbeck and Y. Y. Haimes. The partitioned multiobjective risk method. Large Scale Systems, 6(1):13–38, 1984.MathSciNetzbMATHGoogle Scholar
  3. 3.
    M. Dacier and Y. Deswarte. Privilege graph: An extension to the typed access matrix model. In Proc. of European Symposium on Research in Computer Security, 1994.Google Scholar
  4. 4.
    N. E. Fenton and M. Neil. A critique of software defect prediction models. IEEE Transactions on Software Engineering, 25(5), 1999.Google Scholar
  5. 5.
    Norman E. Fenton and Shari Lawrence Pfleeger. Software Metrics: A Rigorous and Practical Approach. PWS Publishing Co., Boston, MA, USA, 1998.Google Scholar
  6. 6.
    Virgil D. Gligor. Personal communication, 2008.Google Scholar
  7. 7.
    Seymour E. Goodman and Herbert S. Lin, editors. Toward a Safer and More Secure Cyberspace. The National Academics Press, 2007.Google Scholar
  8. 8.
    R. Gopalakrishna, E. Spafford, and J. Vitek. Vulnerability likelihood: A probabilistic approach to software assurance. Technical Report 2005–06, CERIAS, Purdue Univeristy, 2005.Google Scholar
  9. 9.
    Y. Y. Haimes. Risk Modeling, Assessment, and Management. Wiley, 2004.Google Scholar
  10. 10.
    Curtis P. Haugtvedt, Paul M. Herr, and Frank R. Kardes, editors. Handbook of Consumer Psychology. Psychology Press, 2008.Google Scholar
  11. 11.
    M. Howard, J. Pincus, and J.M. Wing. Measuring relative attack surfaces. In Proc. of Workshop on Advanced Developments in Software and Systems Security, 2003.Google Scholar
  12. 12.
    Michael Howard. Fending off future attacks by reducing attack surface. http: // dncode/html/secure02132003.asp, 2003.Google Scholar
  13. 13.
    Michael Howard. Personal communication, 2005.Google Scholar
  14. 14.
    Barbara Kitchenham, Shari Lawrence Pfleeger, and Norman Fenton. Towards a framework for software measurement validation. IEEE Transactions on Software Engineering, 21(12):929– 944, 1995.Google Scholar
  15. 15.
    David John Leversage and Eric James Byres. Estimating a system’s mean time-tocompromise. IEEE Security and Privacy, 6(1), 2008.Google Scholar
  16. 16.
    Jason Levitt. Windows 2000 security represents a quantum leap. http://www., April 2001.
  17. 17.
    B. Littlewood, S. Brocklehurst, N. Fenton, P. Mellor, S. Page, D. Wright, J. Dobson J. Mc- Dermid, and D. Gollman. Towards operational measures of computer security. Journal of Computer Security, 2(2/3):211–230, 1993.Google Scholar
  18. 18.
    N. Lynch and M. Tuttle. An introduction to input/output automata. CWI-Quarterly, 2(3), September 1989.Google Scholar
  19. 19.
    Bharat B. Madan, Katerina Goseva-Popstojanova, Kalyanaraman Vaidyanathan, and Kishor S. Trivedi. Modeling and quantification of security attributes of software systems. In DSN, pages 505–514, 2002.Google Scholar
  20. 20.
    Pratyusa K. Manadhata. An Attack Surface Metric. PhD thesis, Carnegie Mellon University, December 2008.Google Scholar
  21. 21.
    Pratyusa K. Manadhata and Jeannette M. Wing. An attack surface metric. IEEE Transactions on Software Engineering, 99(PrePrints), 2010.Google Scholar
  22. 22.
    Gary McGraw. From the ground up: The DIMACS software security workshop. IEEE Security and Privacy, 1(2):59–66, 2003.MathSciNetCrossRefGoogle Scholar
  23. 23.
    Miles A. McQueen, Wayne F. Boyer, Mark A. Flynn, and George A. Beitel. Time-tocompromise model for cyber risk reduction estimation. In ACM CCS Workshop on Quality of Protection, September 2005.Google Scholar
  24. 24.
    David M. Nicol. Modeling and simulation in security evaluation. IEEE Security and Privacy, 3(5):71–74, 2005.Google Scholar
  25. 25.
    R. Ortalo, Y. Deswarte, and M. Kaˆaniche. Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Transactions on Software Engineering, 25(5), 1999.Google Scholar
  26. 26.
    Stuart Edward Schechter. Computer Security Strength & Risk: A Quantitative Approach. PhD thesis, Harvard University, 2004.Google Scholar
  27. 27.
    Bruce Schneier. Attack trees: Modeling security threats. Dr. Dobb’s Journal, 1999.Google Scholar
  28. 28.
    Sean W. Smith and Eugene H. Spafford. Grand challenges in information security: Process and output. IEEE Security and Privacy, 2:69–71, 2004.Google Scholar
  29. 29.
    Rayford B. Vaughn, Ronda R. Henning, and Ambareen Siraj. Information assurance measures and metrics - state of practice and proposed taxonomy. In Proc. of Hawaii International Conference on System Sciences, 2003.Google Scholar
  30. 30.
    J. Voas, A. Ghosh, G. McGraw, F. Charron, and K. Miller. Defining an adaptive software security metric from a dynamic software failure tolerance measure. In Proc. of Annual Conference on Computer Assurance, 1996.Google Scholar

Copyright information

© Springer Science+Business Media, LLC 2011

Authors and Affiliations

  1. 1.HP LabsPrincetonUSA
  2. 2.Computer Science DepartmentCarnegie Mellon UniversityPittsburghUSA

Personalised recommendations