TRANSCRIPT
MetriCon 1.0
An Attack Surface Metric
Pratyusa K. Manadhata Jeannette M. Wing
Carnegie Mellon University
{pratyus, wing}@cs.cmu.edu
Motivation and Goals
Is system A more secure than system B?
Compare the attack surface measurements of A and B.
Prior work [HPW03, MW04] shows that attack surface measurement is a good indicator of security.
Goal: Define a metric to systematically measure a software system’s attack surface.
[Chart: Relative Attack Surface Quotient (RASQ) for Windows NT 4, Windows 2000 and Windows Server 2003; series: RASQ, RASQ with IIS enabled, RASQ with IIS Lockdown; y-axis 0 to 700]
Intuition Behind Attack Surfaces
[Figure: a system and its surface; attacks reach the system through entry/exit points]
The attack surface of a system is the ways in which an adversary can enter the system and potentially cause damage.
Resources that contribute to the attack surface:
1. Methods
2. Channels
3. Data
Attack Surface Measurement: Identify relevant resources (methods, channels, and data), and estimate the contribution of each such resource.
Attack Surface Measurement
Formal framework to identify a set, M, of entry points and exit points, a set, C, of channels, and a set, I, of untrusted data items.
Estimate a resource’s contribution to the attack surface as a damage potential-effort ratio, der.
Resource     Damage Potential   Effort
Method       Privilege          Access Rights
Channel      Protocol           Access Rights
Data Items   Type               Access Rights
The measure of the system's attack surface is the triple
$\langle \sum_{m \in M} der(m),\; \sum_{c \in C} der(c),\; \sum_{d \in I} der(d) \rangle$.
IMAPD Example
Annotated the source code and analyzed the call graph to identify entry and exit points.
Used run-time monitoring to identify channels and untrusted data items.
To compute der, assumed a total ordering among the values of the attributes and assigned numeric values according to the total order.
[Chart: attack surface measurements of Courier 4.0.1 and Cyrus 2.2.10, broken down by Method, Channel and Data; y-axis 0 to 600]
• Courier 4.0.1 (41KLOC), and Cyrus 2.2.10 (50KLOC)
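The following is an added worked example of the measurement defined above, not code from the talk or its authors. It assumes numeric total orderings for privilege, protocol, data type and access rights, a handful of constructed resources for a hypothetical IMAP daemon (the talk's real values for Courier and Cyrus are on its backup slides), and that two measures are compared componentwise; all three are assumptions of this example.

```python
"""Attack surface measurement as a damage potential-effort ratio (der).

Added example, not the authors' code. The orderings, numeric values and
the IMAP-daemon resources below are constructed for illustration; the
talk's real assignments for Courier and Cyrus are on its backup slides.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Iterable, Tuple

# Assumed total orderings over attribute values. A larger number means more
# damage potential (numerator) or more attacker effort (denominator).
PRIVILEGE = {"unauthenticated": 1, "authenticated": 2, "root": 3}    # method damage potential
PROTOCOL = {"tls": 1, "tcp": 2}                                        # channel damage potential
DATA_TYPE = {"config_file": 1, "mailbox": 2, "auth_db": 3}             # data item damage potential
ACCESS_RIGHTS = {"unauthenticated": 1, "authenticated": 2, "root": 3}  # effort, every resource kind

DAMAGE_ORDER = {"method": PRIVILEGE, "channel": PROTOCOL, "data": DATA_TYPE}


@dataclass(frozen=True)
class Resource:
    kind: str    # "method" (entry/exit point), "channel" or "data" (untrusted data item)
    name: str
    damage: str  # privilege, protocol or type value, depending on kind
    access: str  # access rights an attacker needs to reach the resource


def der(r: Resource) -> Fraction:
    """Damage potential-effort ratio of one resource, kept exact with Fraction."""
    return Fraction(DAMAGE_ORDER[r.kind][r.damage], ACCESS_RIGHTS[r.access])


Measure = Tuple[Fraction, Fraction, Fraction]


def measure(resources: Iterable[Resource]) -> Measure:
    """The triple < sum over M of der(m), sum over C of der(c), sum over I of der(d) >."""
    totals = {"method": Fraction(0), "channel": Fraction(0), "data": Fraction(0)}
    for r in resources:
        totals[r.kind] += der(r)
    return totals["method"], totals["channel"], totals["data"]


def compare(x: Measure, y: Measure) -> str:
    """Componentwise comparison of two measures (an assumption of this example):
    x is smaller only if no component of x exceeds the same component of y."""
    if x == y:
        return "equal"
    if all(a <= b for a, b in zip(x, y)):
        return "smaller"
    if all(a >= b for a, b in zip(x, y)):
        return "larger"
    return "incomparable"


# Constructed resources of a hypothetical IMAP daemon "A".
SYSTEM_A = [
    Resource("method", "cmd_login", "root", "unauthenticated"),          # der = 3/1
    Resource("method", "cmd_fetch", "authenticated", "authenticated"),   # der = 2/2
    Resource("method", "cmd_reload", "root", "root"),                    # der = 3/3
    Resource("channel", "tcp/143", "tcp", "unauthenticated"),            # der = 2/1
    Resource("channel", "tcp/993", "tls", "unauthenticated"),            # der = 1/1
    Resource("data", "imapd.conf", "config_file", "root"),               # der = 1/3
    Resource("data", "INBOX", "mailbox", "authenticated"),               # der = 2/2
    Resource("data", "auth_db", "auth_db", "root"),                      # der = 3/3
]

# "B": the same daemon after dropping the plaintext channel and running the
# login handler without root privilege.
SYSTEM_B = [
    Resource("method", "cmd_login", "authenticated", "unauthenticated"),  # der = 2/1
    Resource("method", "cmd_fetch", "authenticated", "authenticated"),
    Resource("method", "cmd_reload", "root", "root"),
    Resource("channel", "tcp/993", "tls", "unauthenticated"),
    Resource("data", "imapd.conf", "config_file", "root"),
    Resource("data", "INBOX", "mailbox", "authenticated"),
    Resource("data", "auth_db", "auth_db", "root"),
]

if __name__ == "__main__":
    a, b = measure(SYSTEM_A), measure(SYSTEM_B)
    print("A:", tuple(map(str, a)))   # ('5', '3', '7/3')
    print("B:", tuple(map(str, b)))   # ('4', '1', '7/3')
    print("B vs A:", compare(b, a))   # smaller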
Validation (work-in-progress)
1. Formal Validation: I/O Automata [LW89]
2. Empirical Validation
   1. Vulnerability report count*
   2. Machine Learning (MS Security Bulletins)
   3. Honeynet Data
[Chart: attack surface measurements of ProFTP 1.2.10 and Wu-FTP 2.6.2; y-axis 0 to 450]
Vulnerability report counts per database:
Database        ProFTP   Wu-FTP
CERT            0        1
CVE             2        4
SecurityFocus   3        7
*Joint work with Mark Flynn and Miles McQueen, INL.
Backup Slides
IMAPD Example
• Courier 4.0.1 (41KLOC), and Cyrus 2.2.10 (50KLOC)
Entry Points and Exit Points
Channels and Data Items
Numeric Values
FTPD Example
• ProFTPD 1.2.10 and Wu-FTPD 2.6.2
Entry Points and Exit Points
Channels and Data Items
Numeric Values