Measuring Relative Attack Surfaces Michael Howard, Jon Pincus & Jeannette Wing Presented by Bert Bruce.

1 Measuring Relative Attack Surfaces Michael Howard, Jon Pincus & Jeannette Wing Presented by Bert Bruce

2 Abstract Propose metric for measuring relative level of security of 2 systems Base measurement is “attack opportunities” Measured along 3 dimensions to generate an attack surface Larger surface=>more attack opportunities => more likely a target

3 Limitations Metric is relative, not absolute –Can compare 2 systems Restrictions –Same environment –same capabilities –i.e. 2 releases of same system

4 Goal Measure if a new release of a system has improved its security

5 Motivation Building on previous work of one of the authors –He defined 17 attack vectors –Defined Relative Attack Surface Quotient (RASQ) Current paper adds 3 attack vectors Compute RASQ for 5 versions of Windows Claim relative security levels agree with anecdotal evidence

6 RASQ Calculations

7 Attackability Proposed unit of measurement for security Higher level than bug count Lower level than count of system vulnerabilities reported in bulletins and advisories

8 Attackability Define 3 dimensions to measure –Targets and Enablers –Channels and Protocols –Access Rights From these create system’s Attack Surface

9 System Model System to be measured and environment modeled as Finite State Machines 3 Key terms –Vulnerability – weakness in design, implementation or operation –Attack – exploit the vulnerability –Threat – the adversary doing the attack

10 State Models Think of System as FSM with states, initial states and transitions Threat modeled the same way Create new FSM out of union of System and Threat

11 State Models The attacker has Goal States of the System he wants to obtain We want to define the system FSM so Goal States can’t be reached

12 Vulnerabilities Look at 2 System FSMs –Intended machine (I) & Actual machine (A) Behaviors = set of execution sequences of an FSM Vulnerabilities = Behavior(A) – Behavior(I) –Note: Set difference

13 Vulnerabilities (States of A – States of I) not empty => unintended states (Initial states of A - Initial states of I) not empty => we can start actual system where we shouldn’t

14 Vulnerabilities (Action set of A – Action set of I) not empty => A can have unexpected behavior (Transition set of A – Transition set of I) not empty => A can have unintended transitions

15 Attack A sequence of action executions which include vulnerabilities and which leads to attacker’s Goal State
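
The set differences from slides 12 to 14 and the attack definition from slide 15, worked through on a small machine. This is an added example, not code from the paper or the presentation; the login-service FSM, its state and action names, and the helper functions are all constructed for illustration.

```python
from collections import deque

# Constructed toy system: a login service. I is the intended machine, A the
# actual one. Each FSM is (states, initial states, actions, transitions),
# with transitions as (state, action, next_state) triples.
I = (
    {"idle", "auth", "user"},
    {"idle"},
    {"connect", "good_pw", "logout"},
    {("idle", "connect", "auth"), ("auth", "good_pw", "user"),
     ("user", "logout", "idle")},
)
A = (
    I[0] | {"admin"},
    I[1],
    I[2] | {"long_pw"},
    I[3] | {("auth", "long_pw", "admin")},   # unintended transition
)

def differences(actual, intended):
    """Component-wise set differences A - I from slides 13 and 14."""
    names = ("states", "initial", "actions", "transitions")
    return {n: a - i for n, a, i in zip(names, actual, intended)}

def find_attack(actual, intended, goals):
    """Shortest action sequence in A that reaches a goal state and uses at
    least one transition absent from I (slide 15). None if there is none."""
    extra = actual[3] - intended[3]
    start = [(s, False) for s in actual[1]]
    seen, queue = set(start), deque((node, []) for node in start)
    while queue:
        (state, used), path = queue.popleft()
        if used and state in goals:
            return path
        for t in actual[3]:
            src, action, dst = t
            if src != state:
                continue
            node = (dst, used or t in extra)
            if node not in seen:
                seen.add(node)
                queue.append((node, path + [action]))
    return None

if __name__ == "__main__":
    print(differences(A, I))
    print(find_attack(A, I, {"admin"}))
```

Running `find_attack` with the intended machine in both positions returns `None`, which is the design goal from slide 11: with no unintended transitions, no attack path to a goal state exists.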

16 Dimension #1 Targets and Enablers Target – part of system to be controlled Enabler – part of system providing means for attack –Evaluator – runs attacking code –Carrier – embeds attacking code

17 Dimension #2 Channels and Protocols How attacker gets into the system Channel –Message passing –Shared memory Protocol – rules for message passing

18 Dimension #3 Access Rights Accounts –How many individual, admin, guest Trust Relationships –Among users and processes Privilege Level Reducing the dimension = Principle of Least Privilege

19 Example Use actual MS Security Bulletin Provide template for describing Vulnerabilities and Attacks –Vulnerabilities: describe intended and actual pre and post conditions –Attacks: describe goal, resources, preconditions, attack sequence, postconditions

20 Example Use of the preceding model: –Some use of FSM transitions in Vulnerability description –Resources described in terms of the three dimensions

21 Attack Surface Some complex function of the 5 components of the dimensions Authors punt on specific function Instead they suggest reducing it by: –Reducing values of dimensions –Reducing vulnerabilities (Intended - Actual) –Reduce types of attacks (better technology)

22 Attack Surface Metric List 20 attack vectors Examples: –Open port –Services running as SYSTEM –ActiveX enabled

23 Attack Surface Metric Calculation Each vector given a weight “Surfaces” are calculated for 4 vector types –Channels –Process Targets –Data Targets –Process Enablers

24 Attack Surface Metric Calculation Each surface is sum of weights of each type of vector Total surface is sum of these 4 I assume this is the RASQ (they don’t make an explicit connection) Values of weights are not explained
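
The calculation from slides 23 and 24 as an added example, not code from the paper or the presentation. The weights, the assignment of vectors to surface types, the `weak_file_acl` vector and both release inventories are constructed, since the slides give none of them.

```python
# Surface types named on slide 23.
SURFACES = ("channels", "process_targets", "data_targets", "process_enablers")

# vector -> (surface type, weight). Constructed values: the slides list the
# first, second and fourth vectors as examples but give no weights or types.
VECTORS = {
    "open_port":         ("channels",         1.0),
    "service_as_system": ("process_targets",  0.75),
    "weak_file_acl":     ("data_targets",     0.5),   # hypothetical vector
    "activex_enabled":   ("process_enablers", 0.25),
}

# Constructed instance counts for two releases of the same system.
OLD = {"open_port": 12, "service_as_system": 8, "weak_file_acl": 4,
       "activex_enabled": 1}
NEW = {"open_port": 5, "service_as_system": 2, "weak_file_acl": 4,
       "activex_enabled": 0}

def surfaces(counts):
    """Each surface is the sum of the weights of its vectors' instances."""
    totals = dict.fromkeys(SURFACES, 0.0)
    for vector, n in counts.items():
        surface, weight = VECTORS[vector]
        totals[surface] += weight * n
    return totals

def rasq(counts):
    """Total surface: the sum of the four per-type surfaces."""
    return sum(surfaces(counts).values())

def vector_deltas(old, new):
    """Change in each vector's contribution, largest reduction first."""
    deltas = {v: w * (new.get(v, 0) - old.get(v, 0))
              for v, (_, w) in VECTORS.items()}
    return sorted(deltas.items(), key=lambda kv: kv[1])

if __name__ == "__main__":
    for name, counts in (("old", OLD), ("new", NEW)):
        print(name, surfaces(counts), "RASQ =", rasq(counts))
    for vector, delta in vector_deltas(OLD, NEW):
        print(f"{vector:18} {delta:+.2f}")
```

The per-vector deltas show which changes account for the drop in the total, which a single RASQ number hides.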

25 Results

26 Win NT with IIS is much less secure than without it Win Server 2003 doesn’t lose much security with IIS on Relative security of 3 seems to match the order shown

27 Analysis of RASQ Can’t apply if systems are different –RASQ isn’t absolute metric –Doesn’t measure over time as features or configurations change –Certainly doesn’t apply to different operating systems Should focus more on individual attack vectors than a single number

28 Presenter’s Comments A relatively simple idea dressed up in elegant mathematical clothing Formalizes stuff we already know –Formalization can obfuscate the obvious Confusing point: start with 3 dimensions based on 5 factors and end up with 4 surface categories

29 Presenter’s Comments “Surface” => area => product of dimensions –Not done here More like each term adds a “pixel”, a small patch, to a surface to form total area Or each term pokes hole in surface dimension to increase porosity

