Visible to the public Risk-Based Attack Surface Approximation: How Much Data is Enough?Conflict Detection Enabled

TitleRisk-Based Attack Surface Approximation: How Much Data is Enough?
Publication TypeConference Paper
Year of PublicationSubmitted
AuthorsChristopher Theisen, Brendan Murphy, Kim Herzig, Laurie Williams
Corporate AuthorsBrendan Murphy, Kim Herzig
Conference NameInternational Conference on Software Engineering (ICSE) Software Engineering in Practice (SEIP) 2017
Date Published2017
PublisherACM
Conference LocationBuenos Aires, Argentina
KeywordsAttack Surface and Defense-in-Depth Metrics, Metrics, NCSU
Abstract

Proactive security reviews and test efforts are a necessary component of the software development lifecycle. Resource limitations often preclude reviewing the entire code
base. Making informed decisions on what code to review can improve a team's ability to find and remove vulnerabilities. Risk-based attack surface approximation (RASA) is a technique that uses crash dump stack traces to predict what code may contain exploitable vulnerabilities. The goal of this research is to help software development teams prioritize security efforts by the efficient development of a risk-based attack surface approximation. We explore the use of RASA using Mozilla Firefox and Microsoft Windows stack traces from crash dumps. We create RASA at the file level for Firefox, in which the 15.8% of the files that were part of the approximation contained 73.6% of the vulnerabilities seen for the product. We also explore the effect of random sampling of crashes on the approximation, as it may be impractical for organizations to store and process every crash received. We find that 10-fold random sampling of crashes at a rate of 10% resulted in 3% less vulnerabilities identified than using the entire set of stack traces for Mozilla Firefox. Sampling crashes in Windows 8.1 at a rate of 40% resulted in insignificant differences in vulnerability and file coverage as compared to a rate of 100%.

Citation Keynode-34568
Refereed DesignationRefereed

Other available formats:

CameraReady_RandomSampling.pdf
AttachmentTaxonomyKindSize
CameraReady_RandomSampling.pdfPDF document489.67 KBDownloadPreview
AttachmentSize
bytes