Visible to the public Attack Surface and Defense-in-Depth Metrics - October 2015Conflict Detection Enabled

Submitted by drwright on Mon, 09/21/2015 - 9:03am

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s):  Andy Meneely, Laurie Williams
Researchers: Kevin Campusano Gonzalez, Nuthan Munaiah, Jason King, Chris Theisen

HARD PROBLEM(S) ADDRESSED

  • Security Metrics and Models - The project is to develop and analyze metrics that quantify the "shape" of a system's attack surface
  • Scalability & Composability - The project delves uses call graph data beyond the attack surface to determine the risk of a given entry point
  • Resilient Architectures - The project can be used to analyze large systems in terms of their inputs and outputs, providing information on the architecture of the system

 

PUBLICATIONS

Theisen, C., Automated Attack Surface Approximation, ACM Student Research Competition at Foundations of Software Engineering Conference (FSE) 2015, First place winner.

 

ACCOMPLISHMENT HIGHLIGHTS

  • Our new approach that uses random walks has improved our prediction capabilities and gives insight into attacker behavior too. Our results showed that our attack surface metrics improved when a vulnerability is fixed, and degrade when vulnerabilities are introduced. The probablistic nature of our random walk metric gives us a lot more opportunities to elaborate and innovate the metric, which we are doing next. We also expanded our case studies to FFMpeg and Wireshark, and have started expanded to even more case studies.  This work has been submitted to the International Conference on Software Engineering (main research track) with strong results.
  • Improved parallelization of our data collection so that we can analyze many releases and many case studies simultaneously, making re-collecting data an automated process. This allows us to have a deeper analysis of case studies and iterate on our metrics better. This was a big acceleration factor that led to getting recent results.
  • We developed an automated technique to approximate attack surfaces through the analysis of stack traces.  A

 

Groups: