Measuring a System's Attack Surface
CARNEGIE-MELLON UNIV PITTSBURGH PA SCHOOL OF COMPUTER SCIENCE
We propose a metric to determine whether one version of a system is relatively more secure than another with respect to the system's attack surface. Intuitively, the more exposed the attack surface, the more likely the system could be successfully attacked, and hence the more insecure it is. We define an attack surface in terms of the system's actions that are externally visible to its users and the system's resources that each action accesses or modifies. To apply our metric in practice, rather than consider all possible system resources, we narrow our focus to a relevant subset of resource types, which we call attack classes; these reflect the types of system resources that are more likely to be targets of attack. We assign payoffs to attack classes to represent likelihoods of attack: resources in an attack class with a high payoff value are more likely to be targets or enablers of an attack than resources in an attack class with a low payoff value. We outline a method to identify attack classes and to measure a system's attack surface. We demonstrate and validate our method by measuring the relative attack surface of four different versions of the Linux operating system.
- Computer Programming and Software
- Computer Systems Management and Standards