attack surface analytics [issre-dsw 15]

Upload: chris-theisen

Post on 16-Mar-2018

Page 1: Attack Surface Analytics [ISSRE-DSW 15]

Christopher Theisen

Attack Surface Analytics

Page 2: Attack Surface Analytics [ISSRE-DSW 15]
Page 3: Attack Surface Analytics [ISSRE-DSW 15]

Background

Attack Surface? …easy to say, hard to define (practically).

OWASP defines Attack Surface as the paths in and out of a system, the data that travels those paths, and the code that protects both.

Ex. early approximation of attack surface – Manadhata [1]: only covers API entry points.

[1] Manadhata, P., Wing, J., Flynn, M., & McQueen, M. (2006, October). Measuring the attack surfaces of two FTP daemons. In Proceedings of the 2nd ACM workshop on Quality of protection (pp. 3-10). ACM.

Page 4: Attack Surface Analytics [ISSRE-DSW 15]

The goal of this research is to aid software engineers in prioritizing security efforts by approximating the attack surface of a system via crash dump stack trace analysis.

Page 5: Attack Surface Analytics [ISSRE-DSW 15]

Crashes represent activity that puts the system under stress.

Stack traces tell us what happened.

foo!foobarDeviceQueueRequest+0x68
foo!fooDeviceSetup+0x72
foo!fooAllDone+0xA8
bar!barDeviceQueueRequest+0xB6
bar!barDeviceSetup+0x08
bar!barAllDone+0xFF
center!processAction+0x1034
center!dontDoAnything+0x1030

Page 6: Attack Surface Analytics [ISSRE-DSW 15]

Catalog all code that appears on stack traces


Page 9: Attack Surface Analytics [ISSRE-DSW 15]

Windows 8 [2] User Crashes

%binaries: 48.4%
%vulnerabilities: 94.6%

Stack traces highlighted where security vulnerabilities were.

[2] C. Theisen, K. Herzig, P. Morrison, B. Murphy, and L. Williams, “Approximating Attack Surfaces with Stack Traces,” in Companion Proceedings of the 37th International Conference on Software Engineering, 2015.

Page 10: Attack Surface Analytics [ISSRE-DSW 15]

Mozilla Firefox User Crashes

%files: 8.4%
%vulnerabilities: 72.1%

Stack traces highlighted where security vulnerabilities were.

Page 11: Attack Surface Analytics [ISSRE-DSW 15]

More stack traces, fewer files, higher flaw density!

Lose coverage as you increase stack trace cutoff

Priority – Who is crashing the most?

Stack trace cutoff    Files    Flaws    %Files    %Vuln
>= 1                   4998      282      8.4%    72.1%
>= 30                  1853      210      3.1%    53.7%
>= 140                  969      162      1.6%    41.4%
All                   59437      391         -        -
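
The cataloguing step and the cutoff table above, as an added example (not code from the slides or the cited papers): it parses frames in the binary!function+0xOFFSET form shown on the slides, counts how many crashes each binary appears in, and reports Files / Flaws / %Files / %Vuln per cutoff. The traces, the binary inventory, the per-binary flaw counts and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Frame format shown on the slides: binary!function+0xOFFSET
FRAME_RE = re.compile(
    r"^(?P<binary>[^!\s]+)!(?P<function>[^+\s]+)\+0x(?P<offset>[0-9A-Fa-f]+)$")

def parse_trace(text):
    """Return (binary, function) for every well-formed frame; skip other lines."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((m["binary"], m["function"]))
    return frames

def crash_counts(traces):
    """Per binary, the number of distinct crashes whose trace contains it."""
    counts = Counter()
    for trace in traces:
        # A set, so a binary with several frames in one crash counts once.
        counts.update({binary for binary, _ in parse_trace(trace)})
    return counts

def coverage(counts, all_binaries, flaws_by_binary, cutoff=1):
    """Return (files, flaws, %files, %vuln) for binaries on >= cutoff traces."""
    surface = {b for b in all_binaries if counts[b] >= cutoff}
    flaws = sum(flaws_by_binary.get(b, 0) for b in surface)
    total_flaws = sum(flaws_by_binary.values())
    return (len(surface), flaws,
            100 * len(surface) / len(all_binaries),
            100 * flaws / total_flaws)

# Constructed sample data: three crashes built from the slide's frames.
TRACES = [
    "foo!foobarDeviceQueueRequest+0x68\nfoo!fooDeviceSetup+0x72\n"
    "center!processAction+0x1034",
    "bar!barDeviceQueueRequest+0xB6\nbar!barAllDone+0xFF\n"
    "center!processAction+0x1034",
    "foo!fooAllDone+0xA8\ncenter!dontDoAnything+0x1030\n<unreadable frame>",
]
ALL_BINARIES = {"foo", "bar", "center", "util", "ui"}   # hypothetical inventory
FLAWS = {"foo": 3, "center": 1, "util": 1}              # hypothetical flaw counts

if __name__ == "__main__":
    counts = crash_counts(TRACES)
    for cutoff in (1, 2, 3):
        files, flaws, pf, pv = coverage(counts, ALL_BINARIES, FLAWS, cutoff)
        print(f">= {cutoff}: files={files} flaws={flaws} "
              f"%files={pf:.1f} %vuln={pv:.1f}")
```

In the constructed data the binary "util" has a known flaw but never appears on a trace, which is the coverage gap the table shows widening as the cutoff rises.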

Page 12: Attack Surface Analytics [ISSRE-DSW 15]

Initial attack surface approximation

...old nodes removed, new nodes added

Page 13: Attack Surface Analytics [ISSRE-DSW 15]

[Figure: three graph shapes – Few to Many, Many to Many, Many to Few]

What are the security impacts of these shapes?

Page 14: Attack Surface Analytics [ISSRE-DSW 15]
Page 15: Attack Surface Analytics [ISSRE-DSW 15]

Contact

@theisencr