Technical Report 1120004

Title: Quantifying Attack Surface Through Systemic Dependencies Analysis
Version(s): 1, 2, 3, 4, 5, 6
Obsoleted by published work
Authors: Eric Osterweil, Danny McPherson, Lixia Zhang
Date: 2013-06-04
Abstract: As we have created increasingly complex and layered services, we have made it increasingly difficult to quantify their vulnerability to compromise. The concept of “attack surface” has emerged in recent years as a measure of such vulnerabilities. However, given the high degree of interdependencies among networked systems, a way to systematically quantify their attack surfaces remains an open challenge. In this work we propose a methodology to quantify the attack surface of such systems by identifying their systemic dependencies, and we use two real Internet standards (the X.509 CA verification system and DANE) as case studies to illustrate the efficacy of our methodology. We find that, with conscientious design, one can minimize attack surface vulnerabilities without sacrificing availability, and our methodology suggests that DANE can quantifiably reduce attack surface by up to three orders of magnitude for some popular websites today, when compared to X.509 CA verification. We believe this work represents the first step towards systemically modeling dependencies of actual Internet networked systems in order to formally quantify the often elusive notion of a system’s attack surface.
BibTeX:
  author = {Eric Osterweil and Danny McPherson and Lixia Zhang},
  title = {Quantifying Attack Surface Through Systemic Dependencies Analysis},
  booktitle = {Verisign Labs Technical Reports},
  number = {1120004 version 3},
  year = {2013},