Risk-based attack surface approximation: poster
Pages 121 - 123
Abstract
Proactive security review and test efforts are a necessary component of the software development lifecycle. Since resource limitations often preclude reviewing, testing and fortifying the entire code base, prioritizing what code to review/test can improve a team's ability to find and remove more vulnerabilities that are reachable by an attacker. One way that professionals perform this prioritization is the identification of the attack surface of software systems. However, identifying the attack surface of a software system is non-trivial. The goal of this poster is to present the concept of a risk-based attack surface approximation based on crash dump stack traces for the prioritization of security code rework efforts. For this poster, we will present results from previous efforts in the attack surface approximation space, including studies on its effectiveness in approximating security relevant code for Windows and Firefox. We will also discuss future research directions for attack surface approximation, including discovery of additional metrics from stack traces and determining how many stack traces are required for a good approximation.
References
[1]
Bird, J. and Manico, J. OWASP Attack Surface Analysis Cheat Sheet. Open Web Application Security Project, 2015. https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet.
[2]
Dang, Y., Wu, R., Zhang, H., Zhang, D., and Nobel, P. ReBucket: A method for clustering duplicate crash reports based on call stack similarity. Proceedings - International Conference on Software Engineering, (2012), 1084--1093.
[3]
Geer, D. E. Attack surface inflation. IEEE Security and Privacy 9, 4 (2011), 85--86.
[4]
Guo, P. J., Zimmermann, T., Nagappan, N., and Murphy, B. Characterizing and predicting which bugs get fixed. Proceedings of the 32nd ACM/IEEE International Conference on Software Engineering - ICSE '10, (2010), 495.
[5]
Howard, M., Pincus, J., and Wing, J. M. Measuring Relative Attack Surfaces. Computer Security in the 21st Century, CMU-TR-03-169 (2005), 109--137.
[6]
Huang, S. K., Huang, M. H., Huang, P. Y., Lu, H. L., and Lai, C. W. Software crash analysis for automatic exploit generation on binary programs. IEEE Transactions on Reliability 63, 1 (2014), 270--289.
[7]
Kim, D., Wang, X., Kim, S., Zeller, A., Cheung, S. C., and Park, S. Which crashes should i fix first?: Predicting top crashes at an early stage to prioritize debugging efforts. IEEE Transactions on Software Engineering 37, 3 (2011), 430--447.
[8]
Manadhata, P. K. and Wing, J. M. An attack surface metric. IEEE Transactions on Software Engineering 37, 3 (2011), 371--386.
[9]
Podgurski, A., Leon, D., Francis, P., et al. Automated support for classifying software failure reports. 25th International Conference on Software Engineering, 2003. Proceedings., (2003), 465--475.
[10]
Theisen, C., Herzig, K., Morrison, P., Murphy, B., and Williams, L. Approximating Attack Surfaces with Stack Traces. IEEE/ACM 37th IEEE International Conference on Software Engineering, (2015).
[11]
Thome, J., Shar, L. K., and Briand, L. Security slicing for auditing XML, XPath, and SQL injection vulnerabilities. 2015 IEEE 26th International Symposium on Software Reliability Engineering (ISSRE), (2015), 553--564.
[12]
Wang, S., Khomh, F., and Zou, Y. Improving bug localization using correlations in crash reports. IEEE International Working Conference on Mining Software Repositories, (2013), 247--256.
[13]
Zimmermann, T., Premraj, R., Bettenburg, N., Just, S., Schröter, A., and Weiss, C. What makes a good bug report? IEEE Transactions on Software Engineering 36, (2010), 618--643.
Index Terms
- Risk-based attack surface approximation: poster
Recommendations
Reusing stack traces: automated attack surface approximation
ICSE '16: Proceedings of the 38th International Conference on Software Engineering CompanionSecurity requirements around software systems have become more stringent as society becomes more interconnected via the Internet. New ways of prioritizing security efforts are needed so security professionals can use their time effectively to find ...
Automated attack surface approximation
ESEC/FSE 2015: Proceedings of the 2015 10th Joint Meeting on Foundations of Software EngineeringWhile software systems are being developed and released to consumers more rapidly than ever, security remains an important issue for developers. Shorter development cycles means less time for these critical security testing and review efforts. The ...
Comparing and applying attack surface metrics
MetriSec '12: Proceedings of the 4th international workshop on Security measurements and metricsA software system's attack surface metric measures the freedom of a potential attacker to influence the system's execution, potentially exploiting a security vulnerability. Existing attack surface metrics aim to measure the security impact associated ...
Comments
Information & Contributors
Information
Published In
April 2016
138 pages
Copyright © 2016 Owner/Author.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 19 April 2016
Check for updates
Author Tags
Qualifiers
- Poster
Conference
HotSoS '16
Acceptance Rates
Overall Acceptance Rate 34 of 60 submissions, 57%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 129Total Downloads
- Downloads (Last 12 months)1
- Downloads (Last 6 weeks)0
Reflects downloads up to 06 Jan 2025
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in