Pratyusa K. Manadhata

Thesis Title: An Attack Surface Metric
Degree Type: Ph.D. in Computer Science
Advisor(s): Jeannette M. Wing
Graduated: December 2008

Abstract:

Measurement of security has been a long-standing challenge to the research community. Practical security measurements and metrics are critical to improving software security, so the need for security metrics has recently become more pressing.

In this thesis, we introduce the measure of a software system's attack surface as an indicator of the system's security. The larger the attack surface, the more insecure the system. We formalize the notion of a system's attack surface using an I/O automata model of the system and introduce an attack surface metric to measure the attack surface in a systematic manner.

Our attack surface measurement method is agnostic to a software system's implementation language and is applicable to systems of all sizes. In this thesis, we measure the attack surfaces of software implemented in C and Java. We also demonstrate that the method scales to enterprise-scale software by measuring the attack surfaces of complex SAP business applications.

Validation of security metrics is challenging and is a relatively unexplored territory. In this thesis, we conduct three exploratory empirical studies to validate our measurement method and measurement results: an expert user survey, a statistical analysis of Microsoft Security Bulletins, and an analysis of security vulnerability patches of popular open source software.

Both software developers and software consumers can use the attack surface metric. We demonstrate the use of the metric in software consumers' decision making process by comparing the attack surface measurements of two IMAP servers and two FTP daemons. Our collaboration with SAP demonstrates the use of the metric in the software development process.
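The consumer-side comparison described above can be illustrated with a small computation. The block below is an added example, not code from the thesis or from the SAP collaboration: it applies the damage potential-effort ratio named in the keywords, where every entry/exit point (method), channel and data item contributes its damage potential divided by the attacker effort needed to reach it, and the per-dimension totals form the measurement. The numeric scales, the two hypothetical servers (`SERVER_A`, `SERVER_B`) and all of their resources are constructed assumptions for this illustration and are not the thesis's actual IMAP or FTP measurements.

```python
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, Iterable, Sequence

# Dimensions of the attack surface: methods (entry/exit points), channels, data.
KINDS = ("method", "channel", "data")


@dataclass(frozen=True)
class Resource:
    """One resource of a system, with assumed integer attribute values.

    damage: numeric damage potential (e.g. privilege the method runs with,
            protocol type of a channel, type of a data item).
    effort: numeric effort an attacker must spend to reach it (e.g. access
            rights required). Both scales are constructed for this example.
    """
    name: str
    kind: str
    damage: int
    effort: int

    def der(self) -> Fraction:
        """Damage potential-effort ratio of this resource (exact arithmetic)."""
        if self.kind not in KINDS:
            raise ValueError(f"{self.name}: unknown kind {self.kind!r}")
        if self.effort <= 0:
            raise ValueError(f"{self.name}: effort must be positive")
        return Fraction(self.damage, self.effort)


def attack_surface(resources: Iterable[Resource]) -> Dict[str, Fraction]:
    """Per-dimension totals of the damage potential-effort ratios."""
    totals: Dict[str, Fraction] = defaultdict(Fraction)
    for r in resources:
        totals[r.kind] += r.der()
    # Always report all three dimensions, even if a system has none of a kind.
    return {k: totals[k] for k in KINDS}


def dominates(a: Sequence[Resource], b: Sequence[Resource]) -> bool:
    """True if system a has an attack surface no larger than b in every dimension."""
    sa, sb = attack_surface(a), attack_surface(b)
    return all(sa[k] <= sb[k] for k in KINDS)


# Constructed sample: two hypothetical IMAP-like servers.
# Assumed damage scale: 1 = plain/unprivileged ... 4 = root; assumed effort
# scale: 1 = anonymous/unauthenticated, 2 = authenticated user.
SERVER_A = [
    Resource("LOGIN", "method", damage=4, effort=1),   # runs as root, pre-auth
    Resource("FETCH", "method", damage=2, effort=2),
    Resource("LIST", "method", damage=2, effort=2),
    Resource("tcp/143", "channel", damage=1, effort=1),
    Resource("tcp/993", "channel", damage=1, effort=1),
    Resource("mailbox files", "data", damage=3, effort=2),
]
SERVER_B = [
    Resource("LOGIN", "method", damage=2, effort=1),   # drops privileges early
    Resource("FETCH", "method", damage=2, effort=2),
    Resource("tcp/993", "channel", damage=1, effort=1),
    Resource("mailbox files", "data", damage=3, effort=2),
]


if __name__ == "__main__":
    for label, system in (("A", SERVER_A), ("B", SERVER_B)):
        print(label, {k: str(v) for k, v in attack_surface(system).items()})
    print("B no larger than A in every dimension:", dominates(SERVER_B, SERVER_A))
```

When one system's triple is no larger than the other's in every dimension, as `SERVER_B` versus `SERVER_A` here, the comparison is unambiguous; when the dimensions disagree, the consumer has to weigh methods, channels and data against one another, which is exactly where the per-dimension reporting matters.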

Thesis Committee:
Jeannette M. Wing (Chair)
Virgil D. Gligor
Roy A. Maxion
Michael K. Reiter (University of North Carolina at Chapel Hill)

Peter Lee, Head, Computer Science Department
Randy Bryant, Dean, School of Computer Science

Keywords:
Security metrics, attack surface, attack surface measurement, attack surface metric, entry point, exit point, damage potential-effort ratio, metrics, validation, software security, software quality, risk mitigation

CMU-CS-08-152.pdf (1.07 MB, 165 pages)