A Formal Model of the Attack Surface of a Software System
This model serves as a means of assessing progress in the development of secure software.
A formal model has been devised to impart some mathematical rigor to the concept of the attack surface of a software system. Complementing the model is a definition of a quantitative measure of the attack surface as an indicator of the relative insecurity of the system (the larger the attack surface, the more insecure the system). The model and the quantitative measure are intended to serve as systematic means of assessing progress in the development of secure software; they are expected to be especially valuable for evaluating the relative degree of security of two successive versions of nominally the same computer program.
Prior research on attack surfaces has involved informal models of attack surfaces and ad hoc quantitative measures, relying on expert knowledge of minute details of specific computer programs. The present model and quantitative measure were formulated to be applicable to diverse software systems and not to require expert knowledge of minute details of individual programs.
Some definitions of terms are prerequisite to a meaningful summary of the present model and quantitative measure. The attack surface of a software system is defined as the set of ways in which an adversary can attack the system and potentially cause damage. It is known from past experience that in order to succeed in an attack, an attacker must connect to a system by use of the channels of the system, invoke the methods of the system, and either send data to or receive data from the system. Hence, the attack surface of the system is defined in terms of the system methods, channels, and data items (collectively denoted the resources) of the system.
Not all resources contribute equally to the attack surface; the contribution of a given resource depends on the likelihood that the resource will be used in attacks. Therefore, the measure of the attack surface of a system is defined as a triple consisting of the total contributions of the resources of the system along three dimensions: methods, channels, and data. As a point of clarification, it must be stated the measure of the attack surface does not represent either the quality of the code or the number of vulnerabilities in the code. Instead, a larger attack surface indicates that an attacker is more likely to exploit whatever vulnerabilities are present, to attack with less effort, and/or to cause more damage. Inasmuch as any computer code is likely to contain vulnerabilities, a reduction in its attack surface indicates a reduction of the risk associated with the exploitation of its vulnerabilities. This concludes the prerequisite definitions of terms.
The main elements of the present model and quantitative measure are the following:
- A software system and its environment (see figure) are modelled by means of a theoretical framework based on input/output automata. The framework includes submodels of direct and indirect entry (essentially, input) and exit (essentially, output) points of the system, defined with respect to certain features of processing of data by the system and of exchange of data of this system with the user, with a data store, and with other systems in the environment. Necessarily omitting details for the sake of brevity, the attack surface of the system is defined, within this framework, as consisting partly of the sets of entry and exit points, the set of channels, and the set of untrusted data items (simplistically, data items that can be visible to an attacker and that the system reads from a data store via a direct entry point or writes to a data store via a direct exit point).
- It has been formally established that with respect to the same attacker, a larger attack surface of a system leads to a larger number of potential attacks on the system.
- The contribution of a given resource to the measure of an attack surface is quantified as a ratio between a measure of damage potential and a measure of the effort that an attacker must make to cause the damage.
- It has been shown that resources as used in the quantitative measure of the attack surface are analogous events as used in risk modeling.
This work was done by Pratyusa K. Manadhata, Dilsun K. Kaynar, and Jeannette M. Wing of Carnegie Mellon University.
CMU-0002
This Brief includes a Technical Support Package (TSP).
A Formal Model of the Attack Surface of a Software System
(reference CMU-0002) is currently available for download from the TSP library.
Don't have an account? Sign up here.
More From SAE Media Group
Aerospace & Defense Tech Briefs
Developing and Validating Statistical Cyber Defenses
Medical Design Briefs
Securing the Future of Healthcare through the Right Cybersecurity Architecture
Software Tech Briefs
Cloud Computing for Science Data Processing in Support of Emergency Response
Tech Briefs
Streaming Software Speeds Apps
Aerospace & Defense Tech Briefs
Thwarting Code-Injection Attacks Using SDT-Based ISR
Tech Briefs
Ontology-Driven Information Integration
Tech Briefs
Who Knows How Much AI Knows? This Tech Does
Aerospace & Defense Tech Briefs
Covariance and Uncertainty Realism in Space Surveillance and Tracking
Aerospace & Defense Tech Briefs
The Next Generation of Mission-Critical Communications Infrastructure is Here
Tech Briefs
A Method of Partly Automated Testing of Software
Top Stories
INSIDERAerospace
Air Force Completes First Magnetic Navigation Flight on C-17 - Mobility...
Technology ReportEnergy
Mazda’s Revived Rotary Engine Starts Production - Mobility Engineering...
INSIDERDefense
Army Launches M1E3 Tank Development, Cancels M1 Abrams Upgrade Program -...
INSIDERAerospace
Air Force Awards JetZero $235 Million to Develop Blended Wing Body Demonstrator...
INSIDERCommunications
Air Force to Buy Archer eVTOL Under New Contracts - Mobility Engineering...
INSIDERDefense
DoD's First Electric Aircraft Charging Station is a BETA Supercharger -...
Webcasts
Software
Leveraging Electronics Digital Twins on AWS to Accelerate...
Defense
Choosing a Silicone for Operation in Harsh Thermal Environments
Sensors/Data Acquisition
A Guide to Unlocking Precision and Efficiency with 3D Scanning...
Electronics & Computers
Introduction to the Integration of Electronics Switching and...
Energy
Miniaturized Solutions for Battery Development
