A Formal Model of the Attack Surface of a Software System
This model serves as a means of assessing progress in the development of secure software.
A formal model has been devised to impart some mathematical rigor to the concept of the attack surface of a software system. Complementing the model is a definition of a quantitative measure of the attack surface as an indicator of the relative insecurity of the system (the larger the attack surface, the more insecure the system). The model and the quantitative measure are intended to serve as systematic means of assessing progress in the development of secure software; they are expected to be especially valuable for evaluating the relative degree of security of two successive versions of nominally the same computer program.
Prior research on attack surfaces has involved informal models of attack surfaces and ad hoc quantitative measures, relying on expert knowledge of minute details of specific computer programs. The present model and quantitative measure were formulated to be applicable to diverse software systems and not to require expert knowledge of minute details of individual programs.
Some definitions of terms are prerequisite to a meaningful summary of the present model and quantitative measure. The attack surface of a software system is defined as the set of ways in which an adversary can attack the system and potentially cause damage. It is known from past experience that in order to succeed in an attack, an attacker must connect to a system by use of the channels of the system, invoke the methods of the system, and either send data to or receive data from the system. Hence, the attack surface of the system is defined in terms of the system methods, channels, and data items (collectively denoted the resources) of the system.
Not all resources contribute equally to the attack surface; the contribution of a given resource depends on the likelihood that the resource will be used in attacks. Therefore, the measure of the attack surface of a system is defined as a triple consisting of the total contributions of the resources of the system along three dimensions: methods, channels, and data. As a point of clarification, it must be stated the measure of the attack surface does not represent either the quality of the code or the number of vulnerabilities in the code. Instead, a larger attack surface indicates that an attacker is more likely to exploit whatever vulnerabilities are present, to attack with less effort, and/or to cause more damage. Inasmuch as any computer code is likely to contain vulnerabilities, a reduction in its attack surface indicates a reduction of the risk associated with the exploitation of its vulnerabilities. This concludes the prerequisite definitions of terms.
The main elements of the present model and quantitative measure are the following:
- A software system and its environment (see figure) are modelled by means of a theoretical framework based on input/output automata. The framework includes submodels of direct and indirect entry (essentially, input) and exit (essentially, output) points of the system, defined with respect to certain features of processing of data by the system and of exchange of data of this system with the user, with a data store, and with other systems in the environment. Necessarily omitting details for the sake of brevity, the attack surface of the system is defined, within this framework, as consisting partly of the sets of entry and exit points, the set of channels, and the set of untrusted data items (simplistically, data items that can be visible to an attacker and that the system reads from a data store via a direct entry point or writes to a data store via a direct exit point).
- It has been formally established that with respect to the same attacker, a larger attack surface of a system leads to a larger number of potential attacks on the system.
- The contribution of a given resource to the measure of an attack surface is quantified as a ratio between a measure of damage potential and a measure of the effort that an attacker must make to cause the damage.
- It has been shown that resources as used in the quantitative measure of the attack surface are analogous events as used in risk modeling.
This work was done by Pratyusa K. Manadhata, Dilsun K. Kaynar, and Jeannette M. Wing of Carnegie Mellon University.
CMU-0002
This Brief includes a Technical Support Package (TSP).
A Formal Model of the Attack Surface of a Software System
(reference CMU-0002) is currently available for download from the TSP library.
Don't have an account?
More From SAE Media Group
Aerospace & Defense Tech Briefs
Deterministic and Modular Architecture for Embedded Vehicle Systems
Tech Briefs
A ‘Smarter’ Way to Protect an Electric Grid
Aerospace & Defense Tech Briefs
Thwarting Code-Injection Attacks Using SDT-Based ISR
Aerospace & Defense Tech Briefs
Developing and Validating Statistical Cyber Defenses
Medical Design Briefs
Securing the Future of Healthcare through the Right Cybersecurity Architecture
Tech Briefs
Ontology-Driven Information Integration
Software Tech Briefs
Cloud Computing for Science Data Processing in Support of Emergency Response
Tech Briefs
Open Software Options for Automation
Tech Briefs
Streaming Software Speeds Apps
Photonics & Imaging Technology
Total Versatility: Flexible Test Station With a Cobot and Camera
Aerospace & Defense Tech Briefs
FACE Technical Standard Offers MOSA Lessons for Safety-Critical Software in Any Sector
Aerospace & Defense Tech Briefs
Adamant: A Soon-to-be Open Source, Mission-Critical Flight Software Framework Written in Ada
Tech Briefs
A Method of Partly Automated Testing of Software
Sensor Technology
The Industrial Nervous System: IIoT and PLCs
Aerospace & Defense Tech Briefs
Covariance and Uncertainty Realism in Space Surveillance and Tracking
Aerospace & Defense Tech Briefs
Overcoming Obstacles to DoD Software Technology Transition
Tech Briefs
Autonomous Environment-Monitoring Networks
Tech Briefs
Software for Managing Distributed Real-Time Data
Tech Briefs
Who Knows How Much AI Knows? This Tech Does
Overview
The document titled "A Formal Model for A System’s Attack Surface" presents a comprehensive approach to measuring the attack surface of software systems, which is crucial for assessing their security. Authored by Pratyusa K. Manadhata, Dilsun K. Kaynar, and Jeannette M. Wing, the paper emphasizes that a larger attack surface indicates a higher potential for security vulnerabilities.
The authors begin by defining a system's attack surface as the set of ways an adversary can exploit the system, which includes its methods, channels, and data items. They argue that not all resources contribute equally to the attack surface; the contribution depends on the resource's damage potential and the effort required for an attacker to exploit it. For instance, methods with higher privileges are more likely to be targeted in attacks, thus increasing their contribution to the attack surface.
The paper introduces a systematic measurement method that does not rely on expert knowledge, making it applicable across various systems. This method is grounded in an I/O automata model, which formalizes the interactions between the system and potential attackers. The authors propose both qualitative and quantitative measures of the attack surface, with the latter being a ratio scale that quantifies the damage potential-effort ratio of resources.
The document highlights two key theorems: Theorem 1 states that adding resources to a software system increases its attack surface, while Theorem 2 indicates that modifying resource attributes can also enlarge the attack surface. These findings underscore the importance of managing the attack surface during software development, as a larger attack surface correlates with a greater number of potential attacks.
The authors also provide practical implications for software developers, suggesting that they should aim to reduce the attack surface when creating new software versions. Conversely, if adding resources is necessary, developers should be aware of the resulting increase in vulnerability exposure.
In conclusion, the paper offers a formalized and systematic approach to measuring a software system's attack surface, providing valuable insights for both developers and consumers. By quantifying the attack surface, the authors aim to enhance the understanding of software security and facilitate better decision-making in software development and usage.
Top Stories
INSIDERDefense
F-35 Proves Nuke Drop Performance in Stockpile Flight Testing
INSIDERMaterials
Using Ultrabright X-Rays to Test Materials for Ultrafast Aircraft
INSIDERManufacturing & Prototyping
Stevens Researchers Test Morkovin's Hypothesis for Major Hypersonic Flight...
INSIDERManufacturing & Prototyping
New 3D-Printable Nanocomposite Prevents Overheating in Military Electronics
INSIDERRF & Microwave Electronics
L3Harris Starts Low Rate Production Of New F-16 Viper Shield
INSIDERRF & Microwave Electronics
Webcasts
Energy
SAE Automotive Engineering Podcast: Additive Manufacturing
Manufacturing & Prototyping
A New Approach to Manufacturing Machine Connectivity for the Air Force
Automotive
Optimizing Production Processes with the Virtual Twin
Power
EV and Battery Thermal Management Strategies
Energy
How Packet Digital Is Scaling Domestic Drone Battery Manufacturing
Materials
Advancements in Zinc Die Casting Technology & Alloys for Next-Generation...