"The Shape and Size of Threats: Defining a Networked System's Attack Surface"

Previous Technical Report Name: "A Quantitative Comparison Between X.509 CA Verification and DANE Via Attack Surface Analysis"
Technical Report number: 1120004
Date of Publication: 2014-10-21
Title of Publication: "The Shape and Size of Threats: Defining a Networked System's Attack Surface"
Abstract: "Almost every Internet user relies on security protections to guard our online lives. In particular, when in need of secure communications over the Internet, a protocol called Transport Layer Security (TLS), is commonly used. TLS uses cryptographic certificates to bootstrap secure communications between web browsers and web servers, as well as to secure email, Internet news, and other Internet communications, and it is arguably the most widely used Internet-scale cryptographic protocol in use today. In this paper, we examine the way TLS performs its certificate verification, and compare it to the would-be successor, DNS-based Authentication of Named Entities (DANE). In this work, we do this by using a concept called an attack surface, and we propose a novel new methodology for actually quantifying what the attack surface is for each verification scheme, and then we measure the Alexa top 1,000 websites to empirically quantify the relative attack surfaces of actual web sites. In searching for a way to compare the protections of these two verification schemes, our candidate methodology illustrates that the attack surface can be shrunk by as much as three orders of magnitude by moving from today’s CA verification scheme to DANE."
Proceedings or Venue of Publication: NPSEC '14 Proceedings of the 2014 9th IEEE Workshop on Secure Network
BibTeX:
@inproceedings{verisignlabs-conf-1120004,
  author    = {Eric Osterweil and Danny McPherson and Lixia Zhang},
  title     = {The Shape and Size of Threats: Defining a Networked System's Attack Surface},
  booktitle = {NPSEC '14 Proceedings of the 2014 9th IEEE Workshop on Secure Network},
  year      = {2014},
}
File: New work ./docs/conf-1120004.pdf