Attack Surface and Defense-in-Depth Metrics - October 2016
Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.
PI(s): Andy Meneely, Laurie Williams, Munindar P. Singh
Researchers: Nuthan Munaiah, Jason King, Chris Theisen, Ozgur Kafali
HARD PROBLEM(S) ADDRESSED
- Security Metrics and Models - The project develops and analyzes metrics that quantify the "shape" of a system's attack surface
- Scalability & Composability - The project uses call graph data beyond the attack surface to determine the risk of a given entry point
- Resilient Architectures - The project can be used to analyze large systems in terms of their inputs and outputs, providing information on the architecture of the system
PUBLICATIONS
- Munaiah, Nuthan, and Andrew Meneely. 2016. Beyond the Attack Surface: Assessing Security Risk with Random Walks on Call Graphs. Proceedings of the 2nd International Workshop on Software Protection.
ACCOMPLISHMENT HIGHLIGHTS
- Our publication at the CCS 2016 workshop has demonstrated the potential of predicting vulnerabilities at the method level by using random walks on call graphs. Our prediction models are significant improvements over the baseline model of using only source lines of code, indicating that our metrics improve significantly on the current state of vulnerability prediction. In comparing our work to related literature, we outperform all literature to which our work is comparable. Our approach is lightweight, yet tunable to any software development project. Our prediction model outperformed comparable models from prior literature with notable improvements: 58% reduction in false negative rate, 81% reduction in false positive rate, and 548% increase in F2-measure for predicting vulnerabilities at the file level.
- We developed a systematic and reusable framework called Semaver to understand how well security policies account for actual breaches. We differentiated between two types of breaches: technical vulnerabilities that adversaries exploit and human errors (intentional or unintentional) that lead to misuse. Our investigation of the 1,577 healthcare breaches reported by the HHS showed that 44% of the breaches are misuses. Moreover, we identified that the HIPAA policy does not account for misuses as well as vulnerabilities.
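As an added illustration of the random-walk idea behind the attack-surface work above (example code written here, not the project's or the paper's own implementation), the block below scores each function in a constructed call graph by how often a walker that starts at an attack-surface entry point visits it. The call graph, the function names, and the restart probability are all assumptions.

```python
"""Random-walk reachability score over a call graph, seeded at entry points.

Hypothetical illustration: a walker starts at a function that receives external
input, follows a uniformly random outgoing call at each step, and with probability
RESTART (or on reaching a function that calls nothing) jumps back to a random
entry point. The long-run visitation frequency is the score: higher means the
function is more exposed to paths that begin at the attack surface.
"""
from collections import defaultdict

# Constructed toy call graph: caller -> callees (hypothetical function names).
CALL_GRAPH = {
    "main": ["parse_request", "log_event"],
    "parse_request": ["read_header", "decode_body"],
    "read_header": ["strcpy_wrapper"],
    "decode_body": ["strcpy_wrapper", "log_event"],
    "strcpy_wrapper": [],
    "log_event": ["write_file"],
    "write_file": [],
}
ENTRY_POINTS = ["parse_request"]  # functions that receive external input
RESTART = 0.15                    # assumed restart probability per step


def walk_risk(graph, entry_points, restart=RESTART, iterations=200):
    """Return {function: visitation frequency} via power iteration of the walk."""
    nodes = set(graph) | {c for callees in graph.values() for c in callees}
    seed = 1.0 / len(entry_points)
    score = {v: (seed if v in entry_points else 0.0) for v in nodes}
    for _ in range(iterations):
        nxt = defaultdict(float)
        for v in nodes:
            callees = graph.get(v, [])
            if not callees:  # leaf: the walker restarts at an entry point
                for e in entry_points:
                    nxt[e] += score[v] * seed
                continue
            for c in callees:  # follow a random call
                nxt[c] += (1.0 - restart) * score[v] / len(callees)
            for e in entry_points:  # or restart at the attack surface
                nxt[e] += restart * score[v] * seed
        score = {v: nxt[v] for v in nodes}
    return score


def rank(graph, entry_points):
    """Functions ordered from most to least reachable from the entry points."""
    s = walk_risk(graph, entry_points)
    return sorted(s, key=lambda v: -s[v])
```

Note that main scores zero: nothing on the attack surface calls it, so it never lies on a walk that starts at an entry point.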