A Grounded Theory Based Approach to Characterize Software Attack Surfaces

12/02/2021
by Sara Moshtari, et al.

The notion of Attack Surface refers to the critical points on the boundary of a software system which are accessible from outside or contain valuable content for attackers. The ability to identify the attack surface components of a software system plays a significant role in the effectiveness of vulnerability analysis approaches. Most prior works focus on vulnerability techniques that use an approximation of attack surfaces, and there have not been many attempts to create a comprehensive list of attack surface components. Although a limited number of studies have focused on attack surface analysis, they defined attack surface components based on project-specific hypotheses to evaluate the security risk of specific types of software applications. In this study, we leverage a qualitative analysis approach to empirically identify an extensive list of attack surface components. To this end, we conduct a Grounded Theory (GT) analysis on 1444 previously published vulnerability reports and weaknesses with a team of three software developers and security experts. We extract vulnerability information from two publicly available repositories: 1) Common Vulnerabilities and Exposures, and 2) Common Weakness Enumeration. We ask three key questions: where the attacks come from, what they target, and how they emerge. To help answer these questions, we define three core categories for attack surface components: Entry points, Targets, and Mechanisms. We extract attack surface concepts related to each category from the collected vulnerability information using the GT analysis and provide a comprehensive categorization that represents attack surface components of software systems from various perspectives. The comparison of the proposed attack surface model with the literature shows in the best case previous works cover only 50 surface components at network level and only 6.7 level.
