Attack Surface and Defense-in-Depth Metrics - April 2016

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s):  Andy Meneely, Laurie Williams, Munindar P. Singh
Researchers: Kevin Campusano Gonzalez, Nuthan Munaiah, Jason King, Chris Theisen, Ozgur Kafali

HARD PROBLEM(S) ADDRESSED

  • Security Metrics and Models - The project is to develop and analyze metrics that quantify the "shape" of a system's attack surface
  • Scalability & Composability - The project uses call graph data beyond the attack surface to determine the risk of a given entry point
  • Resilient Architectures - The project can be used to analyze large systems in terms of their inputs and outputs, providing information on the architecture of the system

 

PUBLICATIONS

ACCOMPLISHMENT HIGHLIGHTS

  • We developed a framework called Nane for identifying misuse cases from normative enactments. Understanding the relevant misuse cases of a software system is crucial to prevent security breaches, which often originate from the social interactions among users. Current requirement engineering systems do not capture such social relations.
  • We reacted to reviewer feedback on the ICSE submission and expanded the study's scope. We conducted a sensitivity analysis on our results, showing how different parameter values can impact the results. We heavily revised the message of the manuscript and submitted it to MSR, and then to FSE 2016. Our prediction results outperform all known comparable literature for function-level prediction.