Visible to the public Attack Surface and Defense-in-Depth Metrics - April 2015Conflict Detection Enabled

Submitted by drwright on Sun, 03/22/2015 - 1:10pm

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s):  Andy Meneely, Laurie Williams
Researchers: Kevin Campusano Gonzalez, Nuthan Munaiah, Jason King

HARD PROBLEM(S) ADDRESSED

  • Security Metrics and Models - The project is to develop and analyze metrics that quantify the "shape" of a system's attack surface
  • Scalability & Composability - The project delves uses call graph data beyond the attack surface to determine the risk of a given entry point
  • Resilient Architectures - The project can be used to analyze large systems in terms of their inputs and outputs, providing information on the architecture of the system

 

PUBLICATIONS
Report papers written as a results of this research. If accepted by or submitted to a journal, which journal. If presented at a conference, which conference.

No publications this quarter.

ACCOMPLISHMENT HIGHLIGHTS

  • We conducted an empirical analysis on how attack surface metrics associate with vulnerabiltiies. Our results were weak, but show promise with some counter-intuitive results. We submitted our results to the International Symposium on Mining Software Repositories, received positive feedback but were ultimate declined for publication. We are currently working on a revision.
  • We have expanded our test bed to a second project: libcurl. A second case study expands the generalizability of the metrics and drives us to improve the quality of our measurement tool.
  • We have formulated defense-in-depth simulation using random-walk network centrality measures. This is a powerful simulation with many opportunities for adjustment.
  • We are near completion for attack surface metric definitions for Android applications. We are currently conducting a large-scale study of the Google Play store by reverse-engineering thousands of Android applications.
  • We have shown that the components of the attack surface can be approximated by the paths through the code executed in a crash dump.

 

Groups: