Pratyusa K. Manadhata An Attack Surface Metric Degree Type: Ph.D. in Computer Science Advisor(s): Jeannette M.Wing Graduated: December 2008 Abstract: Measurement of security has been a long standing challenge to the research community. Practical security measurements and metrics are critical to the improvement of software security. Hence the need for security metrics has recently become more pressing. In this thesis, we introduce the measure of a software system's attack surface as an indicator of the system's security. The larger the attack surface, the more insecure the system. We formalize the notion of a system's attack surface using an I/O automata model of the system and introduce an attack surface metric to measure the attack surface in a systematic manner. Our attack surface measurement method is agnostic to a software system's implementation language and is applicable to systems of all sizes. In this thesis, we measure the attack surfaces of software implemented in C and Java. We also demonstrate that the method scales to enterprise-scale software by measuring the attack surfaces of complex SAP business applications. Validation of security metrics is challenging and is a relatively unexplored territory. In this thesis, we conduct three exploratory empirical studies to validate our measurement method and measurements results: an expert user survey, a statistical analysis of Microsoft Security Bulletins, and an analysis of security vulnerability patches of popular open source software. Both software developers and software consumers can use the attack surface metric. We demonstrate the use of the metric in software consumers' decision making process by comparing the attack surface measurements of two IMAP servers and two FTP daemons. Our collaboration with SAP demonstrates the use of the metric in the software development process. Thesis Committee: Jeannette M. Wing (Chair) Virgil D. Gligor Roy A. Maxion Michael K. Reiter (University of North Carolina at Chapel Hill) Peter Lee, Head, Computer Science Department Randy Bryant, Dean, School of Computer Science Keywords: Security metrics, attack surface, attack surface measurement, attack surface metric, entry point, exit point, damage potential-effort ratio, metrics, validation, software security, software quality, risk mitigration CMU-CS-08-152.pdf (1.07 MB) ( 165 pages) Copyright Notice