Skip to main content

Measuring Relative Attack Surfaces

  • Chapter

Abstract

We propose a metric for determining whether one version of a system is more secure than another with respcct to a fixed set of dimensions. Rather than count bugs at the code level or count vulnerability reports at the system level, we count a system's attack opportunities. We use this count as an indication of the system's “attackability,” likelihood that it will be successfully attacked. We describe a system's attack surface along three abstract dimensions: targets and enablers, channels and protocols, and access rights. Intuitively, the more exposed the system's surface, the more attack opportunities, and hence the more likely it will be a target of attack. Thus, one way to improve system security is to reduce its attack surface.

To validate our ideas, we recast Microsoft Security Bulletin MS02-005 using our terminology, and we show how Howard's Relative Attack Surface Quotient for Windows is an instance of our general metric.

Keywords

  • Security metrics
  • attacks
  • vulnerabilities
  • attack surface
  • threat modeling

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/0-387-24006-3_8
  • Chapter length: 29 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   129.00
Price excludes VAT (USA)
  • ISBN: 978-0-387-24006-0
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   169.00
Price excludes VAT (USA)
Hardcover Book
USD   169.00
Price excludes VAT (USA)

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Andy Chou, Junfeng Yang, Benjamin Chelf, Seth Hallen, and Dawson Engler (2001). An empirical study of operating systems errors. In ACM Symposium on Operating Systems Principles, pages 73–88, October.

    Google Scholar 

  2. J. Gray (1990). A census of tandem system availability between 1985 and 1990. IEEE Transactions on Software Engineering, 39(4), October.

    Google Scholar 

  3. I. Lee and R. Iyer (1993). Faults, symptoms, and software fault tolerance in the tandem GUARDIAN operating system. In Proceedings of the International Symposium on Fault-Tolerant Computing.

    Google Scholar 

  4. M. Sullivan and R. Chillarge (1991). Software defects and their impact on system 118 availability. In Proceedings of the International Symposium on Fault-Tolerant Computing, June.

    Google Scholar 

  5. Security Focus. http://www.securityfocus.com/vulns/stats.shtml.

    Google Scholar 

  6. CERT. CERT/CC Advisories. http://www.cert.org/advisories/.

    Google Scholar 

  7. MITRE. Common Vulnerabilities and Exposures. http://www.cve.mitre.org/.

    Google Scholar 

  8. Microsoft TechNet (2001). Microsoft Internet Information Server 4.0 Security Checklist, July. http://www.microsoft.com/technet/security/tools/chklist/iischk.asp.

    Google Scholar 

  9. Microsoft TechNet (2000). Secure Internet Informations Services 5 Checklist, June. http://www.microsoft.com/technet/security/tools/chklist/iis5chk.asp.

    Google Scholar 

  10. Microsoft TechNet (2001). Microsoft Security Bulletin MS01033, June. http://www.microsoft.com/technet/security/bulletin/MS-01-033.asp.

    Google Scholar 

  11. Butler Lampson (1974). Protection. Operating Systems Review, 8(1): pages 18–24, January.

    CrossRef  Google Scholar 

  12. Information Week (2001). Windows 2000 Security Represents a Quantum Leap, April. http://www.informationweek.com/834/winsec.htm.

    Google Scholar 

  13. Michael Howard (2003). Fending OR Future Attacks by Reducing the Attack Surface, February. http://msdn.microsoft.com/library/default.asp? url=/library/en-us/dncode/html/secure02132003.asp.

    Google Scholar 

  14. Butler Lampson, Martin Abadi, Michael Burrows, and Edward Wobber (1992). Authentication in distributed systems: Theory and practice. ACM TOCS, 10(4):265–310, Novembe.

    CrossRef  Google Scholar 

  15. Microsoft Security Response Center. Security Bulletins. http://www.microsoft.com/technet/treeview/?url=/technet/security/current.asp?frame=true

    Google Scholar 

  16. Fred B. Schneider (1991). Trust in Cyberspace. National Academy Press, CSTB study edited by Schneider.

    Google Scholar 

  17. Shawn Butler (2003). Security Attribute and Evaluation Method. PhD thesis, Carnegie Mellon University, Pittsburgh, PA.

    Google Scholar 

  18. Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack (2002). Timing the application of security patches for optimal uptime. In 2002 LISA XVI, pages 101–110, November.

    Google Scholar 

  19. Hilary Browne, John McHugh, William Arbaugh, and William Fithen (2001). A trend analysis of exploitations. In IEEE Symposium on Security and Privacy, May. CS-TR-4200, UMIACS-TR-2000-76.

    Google Scholar 

  20. Jon Pincus and Jeannette M. Wing (2003). A Template for Microsoft Security Bulletins in Terms of an Attack Surface Model. Technical report, Microsoft Research, in progress.

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2005 Springer Science+Business Media, Inc.

About this chapter

Cite this chapter

Howard, M., Pincus, J., Wing, J.M. (2005). Measuring Relative Attack Surfaces. In: Lee, D.T., Shieh, S.P., Tygar, J.D. (eds) Computer Security in the 21st Century. Springer, Boston, MA. https://doi.org/10.1007/0-387-24006-3_8

Download citation

  • DOI: https://doi.org/10.1007/0-387-24006-3_8

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-24005-3

  • Online ISBN: 978-0-387-24006-0

  • eBook Packages: Computer ScienceComputer Science (R0)