Attack Surface and Defense-in-Depth Metrics - April 2017
Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.
PI(s): Andy Meneely, Laurie Williams
Researchers: Nuthan Munaiah, Chris Theisen
HARD PROBLEM(S) ADDRESSED
- Security Metrics and Models - The project develops and analyzes metrics that quantify the "shape" of a system's attack surface
- Scalability & Composability - The project uses call graph data beyond the attack surface to determine the risk of a given entry point
- Resilient Architectures - The project can be used to analyze large systems in terms of their inputs and outputs, providing information on the architecture of the system
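The two ideas in the list above (entry points as the attack surface, and call graph reachability from those entry points as a risk signal) can be illustrated with a small script. The following is an added example and not code from the project: it constructs a toy call graph, marks which functions accept external input and which are sensitive sinks, and computes per-entry-point reachability and a simple risk score. The graph, the entry points, the sink set and the scoring rule are all assumptions made for illustration.

```python
from collections import deque

# Constructed toy call graph (caller -> callees); not taken from any real system.
CALL_GRAPH = {
    "parse_request": ["read_header", "decode_body"],
    "decode_body": ["unzip", "write_temp"],
    "read_header": ["log_msg"],
    "unzip": ["write_temp"],
    "write_temp": ["fs_write"],
    "admin_cli": ["exec_cmd"],
    "exec_cmd": ["fs_write"],
    "log_msg": [],
    "fs_write": [],
    "internal_helper": ["log_msg"],
}

# Assumed attack surface: functions that receive input from outside the system.
ENTRY_POINTS = {"parse_request", "admin_cli"}

# Assumed sensitive sinks: functions whose misuse has a security impact.
SENSITIVE_SINKS = {"fs_write", "exec_cmd"}


def reachable(graph, start):
    """Breadth-first walk of the call graph; returns every function
    reachable from `start` (not counting `start` itself)."""
    seen = set()
    queue = deque([start])
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def entry_point_risk(graph, entry_points, sinks):
    """For each entry point report how much code it can reach and which
    sensitive sinks lie on some call path. The score is simply the number
    of reachable sinks (an assumed, deliberately simple rule)."""
    report = {}
    for ep in sorted(entry_points):
        r = reachable(graph, ep)
        hit = sorted(r & sinks)
        report[ep] = {"reachable": len(r), "sinks": hit, "score": len(hit)}
    return report


def attack_surface_coverage(graph, entry_points):
    """Fraction of all functions that are reachable from at least one
    entry point; code outside this set is not on any externally
    triggerable path in this model."""
    all_fns = set(graph) | {c for callees in graph.values() for c in callees}
    covered = set(entry_points)
    for ep in entry_points:
        covered |= reachable(graph, ep)
    return len(covered & all_fns) / len(all_fns)


if __name__ == "__main__":
    for ep, info in entry_point_risk(CALL_GRAPH, ENTRY_POINTS, SENSITIVE_SINKS).items():
        print(f"{ep}: reaches {info['reachable']} functions, "
              f"sinks {info['sinks']}, score {info['score']}")
    print(f"attack surface coverage: {attack_surface_coverage(CALL_GRAPH, ENTRY_POINTS):.2f}")
```

In this toy graph `admin_cli` reaches fewer functions than `parse_request` but scores higher because both sinks lie on its call paths, which is the kind of distinction a pure entry-point count would miss; a real analysis would take the graph from a static call-graph tool and weight sinks by their consequence.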
PUBLICATIONS
- Theisen, C., Murphy, B., Kerzig, K., Williams, L., Risk-Based Attack Surface Approximation: How Much Data is Enough?, International Conference on Software Engineering (ICSE) Software Engineering in Practice (SEIP) 2017, Buenos Aires, Argentina, to appear.
ACCOMPLISHMENT HIGHLIGHTS
- We have completed a systematic literature review of the concept of attack surface. Our review covered 643 papers to examine how the term "attack surface" is used in the academic literature. We found that 71% of papers use the term "attack surface" without defining it or citing a definition. We examined competing definitions and conceptualizations of the term "attack surface" and offer a unified definition of the term while discussing the utility of alternative definitions.