A formal model has been devised to impart some mathematical rigor to the concept of the attack surface of a software system. Complementing the model is a definition of a quantitative measure of the attack surface as an indicator of the relative insecurity of the system (the larger the attack surface, the more insecure the system). The model and the quantitative measure are intended to serve as systematic means of assessing progress in the development of secure software; they are expected to be especially valuable for evaluating the relative degree of security of two successive versions of nominally the same computer program.

A Software System (s) for which an attack surface is defined exchanges data with the user (U), with a data store (D), and with other systems (s1, s2) in its environment (Es).
Prior research on attack surfaces has involved informal models of attack surfaces and ad hoc quantitative measures, relying on expert knowledge of minute details of specific computer programs. The present model and quantitative measure were formulated to be applicable to diverse software systems and not to require expert knowledge of minute details of individual programs.

Some definitions of terms are prerequisite to a meaningful summary of the present model and quantitative measure. The attack surface of a software system is defined as the set of ways in which an adversary can attack the system and potentially cause damage. It is known from past experience that in order to succeed in an attack, an attacker must connect to a system by use of the channels of the system, invoke the methods of the system, and either send data to or receive data from the system. Hence, the attack surface of the system is defined in terms of the system methods, channels, and data items (collectively denoted the resources) of the system.

Not all resources contribute equally to the attack surface; the contribution of a given resource depends on the likelihood that the resource will be used in attacks. Therefore, the measure of the attack surface of a system is defined as a triple consisting of the total contributions of the resources of the system along three dimensions: methods, channels, and data. As a point of clarification, it must be stated the measure of the attack surface does not represent either the quality of the code or the number of vulnerabilities in the code. Instead, a larger attack surface indicates that an attacker is more likely to exploit whatever vulnerabilities are present, to attack with less effort, and/or to cause more damage. Inasmuch as any computer code is likely to contain vulnerabilities, a reduction in its attack surface indicates a reduction of the risk associated with the exploitation of its vulnerabilities. This concludes the prerequisite definitions of terms.

The main elements of the present model and quantitative measure are the following:

  • A software system and its environment (see figure) are modelled by means of a theoretical framework based on input/output automata. The framework includes submodels of direct and indirect entry (essentially, input) and exit (essentially, output) points of the system, defined with respect to certain features of processing of data by the system and of exchange of data of this system with the user, with a data store, and with other systems in the environment. Necessarily omitting details for the sake of brevity, the attack surface of the system is defined, within this framework, as consisting partly of the sets of entry and exit points, the set of channels, and the set of untrusted data items (simplistically, data items that can be visible to an attacker and that the system reads from a data store via a direct entry point or writes to a data store via a direct exit point).
  • It has been formally established that with respect to the same attacker, a larger attack surface of a system leads to a larger number of potential attacks on the system.
  • The contribution of a given resource to the measure of an attack surface is quantified as a ratio between a measure of damage potential and a measure of the effort that an attacker must make to cause the damage.
  • It has been shown that resources as used in the quantitative measure of the attack surface are analogous events as used in risk modeling.

This work was done by Pratyusa K. Manadhata, Dilsun K. Kaynar, and Jeannette M. Wing of Carnegie Mellon University.

CMU-0002


This Brief includes a Technical Support Package (TSP).
A Formal Model of the Attack Surface of a Software System

(reference CMU-0002) is currently available for download from the TSP library.

Don't have an account? Sign up here.



Defense Tech Briefs Magazine

This article first appeared in the February, 2009 issue of Defense Tech Briefs Magazine.

Read more articles from this issue here.

Read more articles from the archives here.