Measuring Relative Attack Surfaces

  • Michael Howard
  • Jon Pincus
  • Jeannette M. Wing


We propose a metric for determining whether one version of a system is more secure than another with respcct to a fixed set of dimensions. Rather than count bugs at the code level or count vulnerability reports at the system level, we count a system's attack opportunities. We use this count as an indication of the system's “attackability,” likelihood that it will be successfully attacked. We describe a system's attack surface along three abstract dimensions: targets and enablers, channels and protocols, and access rights. Intuitively, the more exposed the system's surface, the more attack opportunities, and hence the more likely it will be a target of attack. Thus, one way to improve system security is to reduce its attack surface.

To validate our ideas, we recast Microsoft Security Bulletin MS02-005 using our terminology, and we show how Howard's Relative Attack Surface Quotient for Windows is an instance of our general metric.


Security metrics attacks vulnerabilities attack surface threat modeling 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [Chou et. al, 2001]
    Andy Chou, Junfeng Yang, Benjamin Chelf, Seth Hallen, and Dawson Engler (2001). An empirical study of operating systems errors. In ACM Symposium on Operating Systems Principles, pages 73–88, October.Google Scholar
  2. [Gray, 1990]
    J. Gray (1990). A census of tandem system availability between 1985 and 1990. IEEE Transactions on Software Engineering, 39(4), October.Google Scholar
  3. [Lee and Iyer, 1993]
    I. Lee and R. Iyer (1993). Faults, symptoms, and software fault tolerance in the tandem GUARDIAN operating system. In Proceedings of the International Symposium on Fault-Tolerant Computing.Google Scholar
  4. [Sullivan and Chillarge, 1991]
    M. Sullivan and R. Chillarge (1991). Software defects and their impact on system 118 availability. In Proceedings of the International Symposium on Fault-Tolerant Computing, June.Google Scholar
  5. [SecurityFocus]
    Security Focus. Scholar
  6. [CERT]
    CERT. CERT/CC Advisories. Scholar
  7. [CVE]
    MITRE. Common Vulnerabilities and Exposures. Scholar
  8. [MS-IISv4]
    Microsoft TechNet (2001). Microsoft Internet Information Server 4.0 Security Checklist, July. Scholar
  9. [MS-IISv5]
    Microsoft TechNet (2000). Secure Internet Informations Services 5 Checklist, June. Scholar
  10. [MSB, 2001]
    Microsoft TechNet (2001). Microsoft Security Bulletin MS01033, June. Scholar
  11. [Jampson, 1974]
    Butler Lampson (1974). Protection. Operating Systems Review, 8(1): pages 18–24, January.CrossRefGoogle Scholar
  12. [IW, 2001]
    Information Week (2001). Windows 2000 Security Represents a Quantum Leap, April. Scholar
  13. [Howard, 2003]
    Michael Howard (2003). Fending OR Future Attacks by Reducing the Attack Surface, February. url=/library/en-us/dncode/html/secure02132003.asp.Google Scholar
  14. [Lampson et al., 1992]
    Butler Lampson, Martin Abadi, Michael Burrows, and Edward Wobber (1992). Authentication in distributed systems: Theory and practice. ACM TOCS, 10(4):265–310, Novembe.CrossRefGoogle Scholar
  15. [MSRC]
    Microsoft Security Response Center. Security Bulletins. Scholar
  16. [Schneider, 1991]
    Fred B. Schneider (1991). Trust in Cyberspace. National Academy Press, CSTB study edited by Schneider.Google Scholar
  17. [Butler, 2003]
    Shawn Butler (2003). Security Attribute and Evaluation Method. PhD thesis, Carnegie Mellon University, Pittsburgh, PA.Google Scholar
  18. [Beattie et al., 2002]
    Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack (2002). Timing the application of security patches for optimal uptime. In 2002 LISA XVI, pages 101–110, November.Google Scholar
  19. [Browne et al., 2001]
    Hilary Browne, John McHugh, William Arbaugh, and William Fithen (2001). A trend analysis of exploitations. In IEEE Symposium on Security and Privacy, May. CS-TR-4200, UMIACS-TR-2000-76.Google Scholar
  20. [Pincus and Wing, 2003]
    Jon Pincus and Jeannette M. Wing (2003). A Template for Microsoft Security Bulletins in Terms of an Attack Surface Model. Technical report, Microsoft Research, in progress.Google Scholar

Copyright information

© Springer Science+Business Media, Inc. 2005

Authors and Affiliations

  • Michael Howard
    • 1
  • Jon Pincus
    • 2
  • Jeannette M. Wing
    • 3
  1. 1.Security Business UnitMicrosoft CorporationRedmond
  2. 2.Microsoft ResearchMicrosoft CorporationRedmond
  3. 3.School of Computer ScienceCarnegie Mellon UniversityPittsburgh

Personalised recommendations