A Formal Model for A System's Attack Surface

Pratyusa K. Manadhata, Dilsun K. Kaynar, Jeannette M. Wing

July 2007

Keywords: Attack surface, attack surface metric, damage potential-effort ratio

Practical software security metrics and measurements are essential to the development of secure software [18]. In this paper, we propose to use a software system's attack surface measurement as an indicator of the system's security: the larger the attack surface, the more insecure the system. We formalize the notion of a system's attack surface using an I/O automata model of the system [15] and define a quantitative measure of the attack surface in terms of three kinds of resources used in attacks on the system: methods, channels, and data. We demonstrate the feasibility of our approach by measuring the attack surfaces of two open source FTP daemons and two IMAP servers. Software developers can use our attack surface measurement method in the software development process, and software consumers can use the method in their decision-making process.
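As an added illustration of the measurement the abstract describes (example code, not the paper's own), this assumes the measure is a (methods, channels, data) triple of summed damage potential-effort ratios; the ordinal scales and the two FTP daemon configurations are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Numeric values for ordinal ratings; these scales are constructed for the
# example, not taken from the paper.
DAMAGE = {"low": 1, "medium": 3, "high": 5}   # what an attacker gains from the resource
EFFORT = {"low": 1, "medium": 3, "high": 5}   # access rights needed to reach it

@dataclass(frozen=True)
class Resource:
    kind: str              # "method", "channel" or "data"
    name: str
    damage_potential: str  # key into DAMAGE
    effort: str            # key into EFFORT

    def ratio(self) -> float:
        # Damage potential-effort ratio: a high-value resource reachable with
        # little effort contributes the most to the attack surface.
        return DAMAGE[self.damage_potential] / EFFORT[self.effort]

def attack_surface(resources: List[Resource]) -> Tuple[float, float, float]:
    """Measurement as a (methods, channels, data) triple of summed ratios."""
    totals = {"method": 0.0, "channel": 0.0, "data": 0.0}
    for r in resources:
        totals[r.kind] += r.ratio()
    return totals["method"], totals["channel"], totals["data"]

def larger_than(a: Tuple[float, ...], b: Tuple[float, ...]) -> bool:
    """a is a larger attack surface than b only when no component is smaller;
    triples that disagree across kinds are left incomparable rather than
    collapsed into one number with arbitrary weights."""
    return a != b and all(x >= y for x, y in zip(a, b))

# Constructed FTP daemon configurations: same code, different exposure.
ANONYMOUS_FTP = [
    Resource("method", "USER/PASS", "low", "low"),
    Resource("method", "RETR", "medium", "low"),      # anyone can download
    Resource("method", "STOR", "high", "low"),        # anyone can upload
    Resource("channel", "tcp/21", "medium", "low"),
    Resource("data", "/pub", "medium", "low"),
]
AUTHENTICATED_FTP = [
    Resource("method", "USER/PASS", "low", "low"),    # login is still reachable by all
    Resource("method", "RETR", "medium", "medium"),   # needs an account
    Resource("method", "STOR", "high", "medium"),
    Resource("channel", "tcp/21", "medium", "low"),
    Resource("data", "/home/user", "medium", "medium"),
]
```

Calling `attack_surface` on both lists and comparing the triples with `larger_than` shows the anonymous configuration dominating in every component, which is the sense in which the abstract calls a larger attack surface more insecure.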

21 pages

