Measuring Relative Attack Surfaces

Michael Howard, Jon Pincus & Jeannette Wing

Presented by Bert Bruce



  • Propose metric for measuring relative level of security of 2 systems

  • Base measurement is “attack opportunities”

  • Measured along 3 dimensions to generate an attack surface

  • Larger surface => more attack opportunities => more likely a target



  • Metric is relative, not absolute

    • Can compare 2 systems

  • Restrictions

    • Same environment

    • same capabilities

    • i.e. 2 releases of same system



  • Measure if a new release of a system has improved its security



  • Building on previous work of one of the authors

    • He defined 17 attack vectors

    • Defined Relative Attack Surface Quotient (RASQ)

  • Current paper adds 3 attack vectors

  • Compute RASQ for 5 versions of Windows

  • Claim relative security levels agree with anecdotal evidence


RASQ Calculations



  • Proposed unit of measurement for security

  • Higher level than bug count

  • Lower level than count of system vulnerabilities reported in bulletins and advisories



  • Define 3 dimensions to measure

    • Targets and Enablers

    • Channels and Protocols

    • Access Rights

  • From these create system’s Attack Surface


System Model

  • System to be measured and environment modeled as Finite State Machines

  • 3 Key terms

    • Vulnerability – weakness in design, implementation or operation

    • Attack – exploit the vulnerability

    • Threat – the adversary doing the attack


State Models

  • Think of System as FSM with states, initial states and transitions

  • Threat modeled the same way

  • Create new FSM out of union of System and Threat


State Models

  • The attacker has Goal States of the System he wants to obtain

  • We want to define the system FSM so Goal States can’t be reached



  • Look at 2 System FSMs

    • Intended machine (I) & Actual machine (A)

  • Behaviors = set of execution sequences of an FSM

  • Vulnerabilities = Behavior(A) – Behavior(I)

    • Note: Set difference



  • (States of A – States of I) not empty => unintended states

  • (Initial states of A - Initial states of I) not empty => we can start actual system where we shouldn’t



  • (Action set of A – Action set of I) not empty => A can have unexpected behavior

  • (Transition set of A – Transition set of I) not empty => A can have unintended transitions



  • A sequence of action executions which include vulnerabilities and which leads to attacker’s Goal State
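The set differences above, worked through on a toy pair of machines (an added example, not taken from the slides or the paper). The login-service states, actions and the `admin` goal state are constructed for illustration, and behaviors are enumerated only up to a bounded length.

```python
# Constructed toy machines (assumption, not from the paper): a login service.
# An FSM is (states, initial_states, actions, transitions), where
# transitions is a set of (state, action, next_state) triples.
INTENDED = (
    {"anon", "user"},
    {"anon"},
    {"login_ok", "logout"},
    {("anon", "login_ok", "user"), ("user", "logout", "anon")},
)
ACTUAL = (
    {"anon", "user", "admin"},
    {"anon"},
    {"login_ok", "logout", "long_input"},
    {("anon", "login_ok", "user"), ("user", "logout", "anon"),
     ("anon", "long_input", "admin")},  # unintended transition
)

def component_diff(actual, intended):
    """Set difference A - I for each FSM component."""
    names = ("states", "initial", "actions", "transitions")
    return {n: a - i for n, a, i in zip(names, actual, intended)}

def behaviors(fsm, max_len):
    """Action sequences of length <= max_len executable from an initial state."""
    _, initial, _, transitions = fsm
    found, frontier = set(), {(s, ()) for s in initial}
    for _ in range(max_len):
        frontier = {(dst, seq + (act,))
                    for (cur, seq) in frontier
                    for (src, act, dst) in transitions if src == cur}
        found |= {seq for _, seq in frontier}
    return found

def vulnerabilities(actual, intended, max_len=3):
    """Behavior(A) - Behavior(I), bounded to max_len actions."""
    return behaviors(actual, max_len) - behaviors(intended, max_len)

def reaches(fsm, seq, goal):
    """True if executing seq from some initial state can end in goal."""
    current = set(fsm[1])
    for act in seq:
        current = {d for (s, a, d) in fsm[3] if s in current and a == act}
    return goal in current

if __name__ == "__main__":
    print(component_diff(ACTUAL, INTENDED))
    for seq in sorted(vulnerabilities(ACTUAL, INTENDED)):
        print(seq, "reaches admin:", reaches(ACTUAL, seq, "admin"))
```

Each sequence in the behavior difference that ends in the goal state is an attack in the sense of the last bullet; removing the extra transition from the actual machine empties the difference.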

Dimension #1 Targets and Enablers

  • Target – part of system to be controlled

  • Enabler – part of system providing means for attack

    • Evaluator – runs attacking code

    • Carrier – embeds attacking code


Dimension #2 Channels and Protocols

  • How attacker gets into the system

  • Channel

    • Message passing

    • Shared memory

  • Protocol – rules for message passing

Dimension #3 Access Rights

  • Accounts

    • How many individual, admin, guest

  • Trust Relationships

    • Among users and processes

  • Privilege Level

  • Reducing the dimension = Principle of Least Privilege



  • Use actual MS Security Bulletin

  • Provide template for describing Vulnerabilities and Attacks

    • Vulnerabilities: describe intended and actual pre and post conditions

    • Attacks: describe goal, resources, preconditions, attack sequence, postconditions



  • Use of the preceding model:

    • Some use of FSM transitions in Vulnerability description

    • Resources described in terms of the three dimensions


Attack Surface

  • Some complex function of the 5 components of the dimensions

  • Authors punt on specific function

  • Instead they suggest reducing it by:

    • Reducing values of dimensions

    • Reducing vulnerabilities (Intended - Actual)

    • Reduce types of attacks (better technology)


Attack Surface Metric

  • List 20 attack vectors

  • Examples:

    • Open port

    • Services running as SYSTEM

    • ActiveX enabled


Attack Surface Metric Calculation

  • Each vector given a weight

  • “Surfaces” are calculated for 4 vector types

    • Channels

    • Process Targets

    • Data Targets

    • Process Enablers


Attack Surface Metric Calculation

  • Each surface is sum of weights of each type of vector

  • Total surface is sum of these 4

  • I assume this is the RASQ (they don’t make an explicit connection)

  • Values of weights are not explained
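A sketch of the calculation as these slides describe it: per-type surfaces as weighted sums, and a total that is the sum of the four (an added example, not code from the paper). The weights, the instance counts, the `guest_account_enabled` vector and the assignment of vectors to surface types are all constructed, and the example assumes each instance of a vector contributes its weight once.

```python
from collections import defaultdict

# vector -> (surface type, weight). The slides name the four surface types and
# three example vectors; the type assignments and all weights here are
# constructed for illustration (integers, to keep the sums exact).
VECTORS = {
    "open_port":             ("channels",         10),
    "service_as_system":     ("process_targets",   9),
    "guest_account_enabled": ("data_targets",      9),
    "activex_enabled":       ("process_enablers",  6),
}

# Constructed instance counts for two configurations of the same system.
BASELINE = {"open_port": 12, "service_as_system": 20,
            "guest_account_enabled": 1, "activex_enabled": 1}
HARDENED = {"open_port": 4, "service_as_system": 6,
            "guest_account_enabled": 0, "activex_enabled": 1}

def surfaces(counts):
    """Sum of weight * instance count for each of the four surface types."""
    out = defaultdict(int)
    for vector, n in counts.items():
        if vector not in VECTORS:
            raise KeyError(f"no weight defined for vector {vector!r}")
        surface, weight = VECTORS[vector]
        out[surface] += weight * n
    return dict(out)

def total_surface(counts):
    """Total surface: the sum of the four per-type surfaces."""
    return sum(surfaces(counts).values())

def vector_deltas(old, new):
    """Weighted change per vector, largest reduction first."""
    deltas = {v: VECTORS[v][1] * (new.get(v, 0) - old.get(v, 0))
              for v in VECTORS}
    return sorted(deltas.items(), key=lambda kv: kv[1])

if __name__ == "__main__":
    print("baseline:", surfaces(BASELINE), total_surface(BASELINE))
    print("hardened:", surfaces(HARDENED), total_surface(HARDENED))
    for vector, delta in vector_deltas(BASELINE, HARDENED):
        print(f"{vector:24s} {delta:+d}")
```

The totals only rank the two configurations against each other; the per-vector deltas show which changes account for the difference.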





  • Win NT with IIS is much less secure than without it

  • Win Server 2003 doesn’t lose much security with IIS on

  • Relative security of 3 seems to match the order shown


Analysis of RASQ

  • Can’t apply if systems are different

    • RASQ isn’t absolute metric

    • Doesn’t measure over time as features or configurations change

    • Certainly doesn’t apply to different operating systems

  • Should focus more on individual attack vectors than a single number


Presenter’s Comments

  • A relatively simple idea dressed up in elegant mathematical clothing

  • Formalizes stuff we already know

    • Formalization can obfuscate the obvious

  • Confusing point: start with 3 dimensions based on 5 factors and end up with 4 surface categories


Presenter’s Comments

  • “Surface” => area => product of dimensions

    • Not done here

  • More like each term adds a “pixel”, a small patch, to a surface to form total area

  • Or each term pokes hole in surface dimension to increase porosity
