An Approach to Measuring a System's Attack Surface

Abstract

Practical software security measurements and metrics are critical to the improvement of software security. We propose a metric to determine whether one software system is more secure than another similar system with respect to their attack surface. We use a system's attack surface measurement as an indicator of the system's security; the larger the attack surface, the more insecure the system. We measure a system's attack surface in terms of three kinds of resources used in attacks on the system: methods, channels, and data. We demonstrate the use of our attack surface metric by measuring the attack surfaces of two open source IMAP servers and two FTP daemons. We validated the attack surface metric by conducting an expert user survey and by performing statistical analysis of Microsoft Security Bulletins. Our metric can be used as a tool by software developers in the software development process and by software consumers in their decision making process.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Aug 01, 2007
Accession Number
ADA476805

Entities

People

  • Jeannette Wing
  • Kymie M. Tan
  • Pratyusa K. Manadhata
  • Roy A. Maxion

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Materials and Manufacturing Processes

DTIC Thesaurus Topics

  • Application Protocols
  • Application Software
  • Communication Channels
  • Computer Programs
  • Computer Science
  • Consumers
  • Data Analysis
  • Data Science
  • Indicators
  • Information Science
  • Measurement
  • Operating Systems
  • Regression Analysis
  • Security
  • Software Development
  • Statistical Analysis
  • Surveys

Fields of Study

  • Computer science
  • Engineering

Readers

  • Database Systems and Applications
  • Software Engineering.
  • Strategic Security Studies