"The Shape and Size of Threats: Defining a Networked System's Attack Surface"

Previous Technical Report Name: "The Shape and Size of Threats: Defining Attack Surface"
Technical Report number: 1120004
Date of Publication: 2014-10-21
Title of Publication: "The Shape and Size of Threats: Defining a Networked System's Attack Surface"
Abstract: "Security and privacy have become very relevant concerns in our online lives. However, as we have created complex and layered security services, it has become increasingly difficult to quantify their vulnerability to compromise. Security solutions must strive for both usability of the security system and understandability of their vulnerabilities. The concept of “attack surface” has emerged in recent years as a measure of such vulnerabilities; however, systematically quantifying the attack surfaces of networked systems with high degrees of interdependencies remains an open challenge (especially in an expressive way). In this work we propose a methodology to both quantify the attack surface and visually represent semantically different components (or resources) of such systems by identifying their systemic dependencies. To illustrate the efficacy of our methodology, we use two real Internet standards (the X.509 CA verification system and DANE) as case studies. We find that, with conscientious design, one can minimize attack surface vulnerabilities without sacrificing availability and usability. Our methodology suggests that, by leveraging the already existing DNS/DNSSEC system, DANE can quantifiably reduce attack surface by orders of magnitude for some popular websites today, when compared to X.509 CA verification. We believe this work represents the first step towards systemically modeling dependencies of actual Internet networked systems, and illustrates the usability benefits from leveraging existing services."
Proceedings or Venue of Publication: NPSEC '14 Proceedings of the 2014 9th IEEE Workshop on Secure Network
BibTeX:
@inproceedings{verisignlabs-conf-1120004,
  author = {Eric Osterweil and Danny McPherson and Lixia Zhang},
  title = {The Shape and Size of Threats: Defining a Networked System's Attack Surface},
  booktitle = {NPSEC '14 Proceedings of the 2014 9th IEEE Workshop on Secure Network},
  year = {2014},
}

File: New work ./docs/conf-1120004.pdf