Attack Surface and Defense-in-Depth Metrics - January 2017
Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.
PI(s): Andy Meneely, Laurie Williams
Researchers: Nuthan Munaiah, Chris Theisen
HARD PROBLEM(S) ADDRESSED
- Security Metrics and Models - The project is to develop and analyze metrics that quantify the "shape" of a system's attack surface
- Scalability & Composability - The project uses call graph data beyond the attack surface to determine the risk of a given entry point
- Resilient Architectures - The project can be used to analyze large systems in terms of their inputs and outputs, providing information on the architecture of the system
PUBLICATIONS
- None
ACCOMPLISHMENT HIGHLIGHTS
- We are continuing to evolve our metrics and expand our case study analysis based on feedback from presenting at the CCS 2016 Workshop on Software Protection. We have expanded our call graph attack surface metrics, focusing on improving their prediction of vulnerabilities in software as the code is written. We demonstrated that organizations can use their source code to conduct security risk analysis while the code is being written and maintained.
- We have continued to evolve our risk-based attack surface approximation (RASA), a technique that uses crash dump stack traces to predict what code may contain exploitable vulnerabilities. We demonstrated that organizations can build a prediction model with a sampling of their crash dump data without significantly impacting prediction performance.
- We have completed most of our data collection for an upcoming systematic literature review on attack surfaces. This study will examine the various usages of the phrase "attack surface" in the computing security research community, and will examine how the definitions vary within the community.