Attack Surface and Defense-in-Depth Metrics - July 2015

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s):  Andy Meneely, Laurie Williams
Researchers: Kevin Campusano Gonzalez, Nuthan Munaiah, Jason King

HARD PROBLEM(S) ADDRESSED

• Security Metrics and Models - The project is to develop and analyze metrics that quantify the "shape" of a system's attack surface
• Scalability & Composability - The project delves uses call graph data beyond the attack surface to determine the risk of a given entry point
• Resilient Architectures - The project can be used to analyze large systems in terms of their inputs and outputs, providing information on the architecture of the system

PUBLICATIONS

ACCOMPLISHMENT HIGHLIGHTS

• Nuthan Munaiah completed his Research Potential Assessment with this research as his project. He defended his work to over 20 faculty members of the Golisano College of Computing and Information Science, including researchers from the Departments of Software Engineering, Computer Science, and Computing Security. Nuthan passed with flying colors and received very valuable feedback.
• Kevin Campusano defended his capstone project using Attack Surface metrics in Android. He compared Google Play review data with attack surface metrics defined specifically for Android. He also annotated the entire Android API so attack surface metrics can now be collected from Android apps.