Attack Surface Analytics [ISSRE-DSW 15]
Transcript of Attack Surface Analytics [ISSRE-DSW 15]
Christopher Theisen
Attack Surface Analytics
Background
Attack Surface?
Example of an early approximation of the attack surface, Manadhata [1]: covers only API entry points.
…easy to say, hard to define (practically).
OWASP defines the Attack Surface as the paths in and out of a system, the data that travels those paths, and the code that protects both.
[1] Manadhata, P., Wing, J., Flynn, M., & McQueen, M. (2006, October). Measuring the attack surfaces of two FTP daemons. In Proceedings of the 2nd ACM Workshop on Quality of Protection (pp. 3-10). ACM.
The goal of this research is to aid software engineers in prioritizing security efforts by approximating the attack surface of a system via crash dump stack trace analysis.
Crashes represent activity that puts the system under stress.
Stack Traces tell us what happened.
foo!foobarDeviceQueueRequest+0x68
foo!fooDeviceSetup+0x72
foo!fooAllDone+0xA8
bar!barDeviceQueueRequest+0xB6
bar!barDeviceSetup+0x08
bar!barAllDone+0xFF
center!processAction+0x1034
center!dontDoAnything+0x1030
Catalog all code that appears on stack traces
[2] C. Theisen, K. Herzig, P. Morrison, B. Murphy, and L. Williams, "Approximating Attack Surfaces with Stack Traces," in Companion Proceedings of the 37th International Conference on Software Engineering, 2015.
Windows 8 [2] User Crashes: binaries appearing on stack traces are 48.4% of all binaries and contain 94.6% of the vulnerabilities.
Stack traces highlighted where security vulnerabilities were.
Mozilla Firefox User Crashes: files appearing on stack traces are 8.4% of all files and contain 72.1% of the vulnerabilities.
Stack traces highlighted where security vulnerabilities were.
More stack traces, fewer files, higher flaw density!
Coverage drops as the stack trace cutoff (minimum number of crashes per file) is raised.
Priority – Who is crashing the most?
Crash cutoff   Files   Flaws   %Files   %Vuln
>= 1            4998     282     8.4%   72.1%
>= 30           1853     210     3.1%   53.7%
>= 140           969     162     1.6%   41.4%
All            59437     391        -       -
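As an added illustration (not code from the talk or from the paper), the script below catalogs the code that appears on crash stack traces in the module!function+0xOFFSET frame format shown earlier, applies a crash-count cutoff, and computes the %Files / %Vuln coverage of the table above. The crash dumps, the code inventory and the list of vulnerable functions are constructed sample data.

```python
import re
from collections import Counter

# Frame format used on the slides: module!function+0xOFFSET
FRAME_RE = re.compile(r"^(?P<module>[^!\s]+)!(?P<func>[^+\s]+)\+0x[0-9A-Fa-f]+$")

# Constructed sample: three crash dumps, one stack trace each (frames top-down).
CRASH_DUMPS = [
    "foo!foobarDeviceQueueRequest+0x68\nfoo!fooDeviceSetup+0x72\ncenter!processAction+0x1034",
    "bar!barDeviceQueueRequest+0xB6\nbar!barDeviceSetup+0x08\ncenter!processAction+0x1034",
    "foo!foobarDeviceQueueRequest+0x68\ncenter!processAction+0x1034\ncenter!dontDoAnything+0x1030",
]

# Constructed code inventory (everything shipped) and constructed list of functions
# known to have had a security fix; together they play the role of "Files" and "Flaws".
ALL_CODE = {
    ("foo", "foobarDeviceQueueRequest"), ("foo", "fooDeviceSetup"), ("foo", "fooAllDone"),
    ("bar", "barDeviceQueueRequest"), ("bar", "barDeviceSetup"), ("bar", "barAllDone"),
    ("center", "processAction"), ("center", "dontDoAnything"),
}
VULNERABLE = {("foo", "foobarDeviceQueueRequest"), ("center", "processAction"), ("bar", "barAllDone")}

def parse_trace(text):
    """Return the (module, function) frames of one stack trace, skipping non-frame lines."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((m.group("module"), m.group("func")))
    return frames

def crash_counts(dumps):
    """Number of distinct crashes each function appeared in (one count per crash, not per frame)."""
    counts = Counter()
    for dump in dumps:
        counts.update(set(parse_trace(dump)))
    return counts

def attack_surface(counts, cutoff):
    """Functions seen in at least `cutoff` crashes: the approximated attack surface."""
    return {fn for fn, n in counts.items() if n >= cutoff}

def coverage(surface, all_code, vulnerable):
    """(%code flagged, %vulnerable code flagged), mirroring the %Files / %Vuln columns."""
    pct_code = 100.0 * len(surface) / len(all_code)
    pct_vuln = 100.0 * len(surface & vulnerable) / len(vulnerable)
    return round(pct_code, 1), round(pct_vuln, 1)

if __name__ == "__main__":
    counts = crash_counts(CRASH_DUMPS)
    for cutoff in (1, 2, 3):  # raising the cutoff shrinks the surface and drops coverage
        print(cutoff, coverage(attack_surface(counts, cutoff), ALL_CODE, VULNERABLE))
```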
Initial attack surface approximation
...old nodes removed, new nodes added
Few to Many Many to Many Many to Few
What are the security impacts of these shapes?
Contact
@theisencr