Christopher Theisen
ABSTRACT
Proactive security review and test efforts are a necessary component of the software development lifecycle. Since resource limitations often preclude reviewing, testing and fortifying the entire code base, prioritizing what code to review/test can improve a team's ability to find and remove more vulnerabilities that are reachable by an attacker. One way that professionals perform this prioritization is the identification of the attack surface of software systems. However, identifying the attack surface of a software system is non-trivial. The goal of this poster is to present the concept of a risk-based attack surface approximation based on crash dump stack traces for the prioritization of security code rework efforts. For this poster, we will present results from previous efforts in the attack surface approximation space, including studies on its effectiveness in approximating security relevant code for Windows and Firefox. We will also discuss future research directions for attack surface approximation, including discovery of additional metrics from stack traces and determining how many stack traces are required for a good approximation.
- Bird, J. and Manico, J. OWASP Attack Surface Analysis Cheat Sheet. Open Web Application Security Project, 2015. https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet.Google Scholar
- Dang, Y., Wu, R., Zhang, H., Zhang, D., and Nobel, P. ReBucket: A method for clustering duplicate crash reports based on call stack similarity. Proceedings - International Conference on Software Engineering, (2012), 1084--1093. Google ScholarDigital Library
- Geer, D. E. Attack surface inflation. IEEE Security and Privacy 9, 4 (2011), 85--86. Google ScholarDigital Library
- Guo, P. J., Zimmermann, T., Nagappan, N., and Murphy, B. Characterizing and predicting which bugs get fixed. Proceedings of the 32nd ACM/IEEE International Conference on Software Engineering - ICSE '10, (2010), 495. Google ScholarDigital Library
- Howard, M., Pincus, J., and Wing, J. M. Measuring Relative Attack Surfaces. Computer Security in the 21st Century, CMU-TR-03-169 (2005), 109--137.Google Scholar
- Huang, S. K., Huang, M. H., Huang, P. Y., Lu, H. L., and Lai, C. W. Software crash analysis for automatic exploit generation on binary programs. IEEE Transactions on Reliability 63, 1 (2014), 270--289.Google ScholarCross Ref
- Kim, D., Wang, X., Kim, S., Zeller, A., Cheung, S. C., and Park, S. Which crashes should i fix first?: Predicting top crashes at an early stage to prioritize debugging efforts. IEEE Transactions on Software Engineering 37, 3 (2011), 430--447. Google ScholarDigital Library
- Manadhata, P. K. and Wing, J. M. An attack surface metric. IEEE Transactions on Software Engineering 37, 3 (2011), 371--386. Google ScholarDigital Library
- Podgurski, A., Leon, D., Francis, P., et al. Automated support for classifying software failure reports. 25th International Conference on Software Engineering, 2003. Proceedings., (2003), 465--475. Google ScholarDigital Library
- Theisen, C., Herzig, K., Morrison, P., Murphy, B., and Williams, L. Approximating Attack Surfaces with Stack Traces. IEEE/ACM 37th IEEE International Conference on Software Engineering, (2015). Google ScholarDigital Library
- Thome, J., Shar, L. K., and Briand, L. Security slicing for auditing XML, XPath, and SQL injection vulnerabilities. 2015 IEEE 26th International Symposium on Software Reliability Engineering (ISSRE), (2015), 553--564. Google ScholarDigital Library
- Wang, S., Khomh, F., and Zou, Y. Improving bug localization using correlations in crash reports. IEEE International Working Conference on Mining Software Repositories, (2013), 247--256. Google ScholarDigital Library
- Zimmermann, T., Premraj, R., Bettenburg, N., Just, S., Schröter, A., and Weiss, C. What makes a good bug report? IEEE Transactions on Software Engineering 36, (2010), 618--643. Google ScholarDigital Library
Index Terms
- Risk-based attack surface approximation: poster
Recommendations
Automated attack surface approximation
ESEC/FSE 2015: Proceedings of the 2015 10th Joint Meeting on Foundations of Software EngineeringWhile software systems are being developed and released to consumers more rapidly than ever, security remains an important issue for developers. Shorter development cycles means less time for these critical security testing and review efforts. The ...
Comparing and applying attack surface metrics
MetriSec '12: Proceedings of the 4th international workshop on Security measurements and metricsA software system's attack surface metric measures the freedom of a potential attacker to influence the system's execution, potentially exploiting a security vulnerability. Existing attack surface metrics aim to measure the security impact associated ...
Risk-based attack surface approximation: how much data is enough?
ICSE-SEIP '17: Proceedings of the 39th International Conference on Software Engineering: Software Engineering in Practice TrackProactive security reviews and test efforts are a necessary component of the software development lifecycle. Resource limitations often preclude reviewing the entire code base. Making informed decisions on what code to review can improve a team's ...
Comments