Attack Surface and Defense-in-Depth Metrics - October 2014

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s):  Andy Meneely, Laurie Williams
Researchers: Kevin Campusano Gonzalez, Nuthan Munaiah, Jason King

HARD PROBLEM(S) ADDRESSED

• Security Metrics and Models - The project is to develop and analyze metrics that quantify the "shape" of a system's attack surface
• Scalability & Composability - The project delves uses call graph data beyond the attack surface to determine the risk of a given entry point
• Resilient Architectures - The project can be used to analyze large systems in terms of their inputs and outputs, providing information on the architecture of the system

PUBLICATIONS
Report papers written as a results of this research. If accepted by or submitted to a journal, which journal. If presented at a conference, which conference.

ACCOMPLISHMENT HIGHLIGHTS

• We are in process of implementing and experimenting with new, actionable metrics for attack surfaces. Our focus is on metrics that are easy to interpret for developers, easy to track over time, and with the ability to drill down to a change in source code and all the way up to the status of an entire project. We have designed these metrics. They are in the process of implementation, and new empirical results on their effectiveness are expected in the coming months.
• We are investigating a technique to identify those areas believed to be most susceptible areas of the attack surface through the analysis of crash dumps. The goal of this research is to aid developers in narrowing the set of potentially vulnerable code artifacts by mining stack traces and building a set of these artifacts for targeted security activities.  They are in the process of implementation, and new empirical results on their effectiveness are expected in the coming months.