2007
DOI: 10.21236/ada476977
An Approach to Measuring a System's Attack Surface

Cited by 41 publications (51 citation statements); references 18 publications.

Citation statements, ordered by relevance:
“…Another is Alhazmi and Ray's approach which defines the security of a program based on its vulnerability density [8]. To be effective, this technique [2]. However, none of these approaches directly consider data-flow security of a program based on its design, as we do.…”
Section: Related Work (mentioning; confidence: 97%)
“…These include metrics which assess security at the abstract system architecture level [2], at the design phase [3] [4] and at the low level of program code [5]. However, none of this work to date is capable of measuring the overall security of a given program with respect to information flow.…”
Section: Introduction (mentioning; confidence: 99%)
“…It is based on the set of possible resources which an attacker could use to attack the system [14], including methods, data and channels [14]. A method is described by Manadhata et al. as a system entity which could send data (exit point) or receive data (entry point) [6]. Data in their approach is any entity which is visible in the current system such as files, cookies and database records [6].…”
Section: Related Work (mentioning; confidence: 99%)
“…Manadhata and Wing's parameter sensitivity analysis suggests that the difference between the numeric values assigned to successive damage potential levels should be in the range of 3-14 [8]. Hence we chose the midpoint, 8.5, of the range as the difference.…”
Section: Numeric Value Assignment (mentioning; confidence: 99%)
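The two citation statements above describe the ingredients of the measurement: the attack surface is the set of resources an attacker can use (methods, channels, data), a method counts only if it is an entry point (receives data) or an exit point (sends data), and ordinal damage-potential levels are mapped to numbers spaced 8.5 apart. The following is an added, runnable illustration written for this page; it is not code from Manadhata and Wing or from any of the citing papers. It also divides each resource's damage potential by an effort level, which is the referenced paper's damage-potential-to-effort ratio as understood by the editor and is not quoted on this page. The "low/medium/high" scales, the base value 1.0 for the lowest level, and the sample system (a web application with a leftover debug RPC method) are constructed for the example.

```python
"""Toy attack surface measurement in the Manadhata-Wing style (editor's example).

Models a system as a list of resources, keeps the ones an attacker can reach,
maps ordinal damage-potential and effort levels to numbers with successive
levels 8.5 apart, and sums each resource's damage/effort ratio per dimension
(methods, channels, data). Everything below the helpers is constructed input.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

LEVEL_STEP = 8.5                    # midpoint of the 3-14 range quoted above
BASE_VALUE = 1.0                    # value of the lowest level (assumption)
SCALE = ("low", "medium", "high")   # ordinal labels used for both dimensions (assumption)


def level_value(level: str) -> float:
    """Map an ordinal level to a number: low=1.0, medium=9.5, high=18.0."""
    return BASE_VALUE + SCALE.index(level) * LEVEL_STEP


@dataclass(frozen=True)
class Resource:
    kind: str               # "method", "channel" or "data"
    name: str
    damage: str             # damage potential level (for a method: the privilege it runs with)
    effort: str             # effort level (for a method: the access rights needed to call it)
    receives: bool = False  # method receives data from the environment -> entry point
    sends: bool = False     # method sends data to the environment -> exit point

    def on_surface(self) -> bool:
        """Channels and data are always reachable resources; a method only
        contributes when it is an entry point or an exit point."""
        if self.kind != "method":
            return True
        return self.receives or self.sends

    def ratio(self) -> float:
        """Damage-potential-to-effort ratio of this resource."""
        return level_value(self.damage) / level_value(self.effort)


def measure(resources: Iterable[Resource]) -> Tuple[float, float, float]:
    """Return the (methods, channels, data) triple of summed ratios."""
    totals = {"method": 0.0, "channel": 0.0, "data": 0.0}
    for r in resources:
        if r.on_surface():
            totals[r.kind] += r.ratio()
    return totals["method"], totals["channel"], totals["data"]


def top_contributors(resources: Iterable[Resource], n: int = 3) -> List[str]:
    """Names of the n surface resources with the largest ratio (stable order on ties)."""
    surface = [r for r in resources if r.on_surface()]
    surface.sort(key=lambda r: r.ratio(), reverse=True)
    return [r.name for r in surface[:n]]


# Constructed sample system: a small web application.
SAMPLE = [
    Resource("method", "login", "medium", "low", receives=True, sends=True),
    Resource("method", "upload_file", "high", "low", receives=True),
    Resource("method", "get_status", "low", "low", sends=True),
    Resource("method", "internal_helper", "high", "high"),   # no I/O: not on the surface
    Resource("method", "debug_rpc", "high", "low", receives=True, sends=True),
    Resource("channel", "tcp/80", "medium", "low"),
    Resource("channel", "unix:/var/run/app.sock", "high", "high"),
    Resource("data", "session cookie", "medium", "low"),
    Resource("data", "/etc/app/config", "high", "high"),
    Resource("data", "users table", "high", "low"),
]

# The same system with the debug method removed, to show the measurement moving.
WITHOUT_DEBUG = [r for r in SAMPLE if r.name != "debug_rpc"]

if __name__ == "__main__":
    print("with debug_rpc:   ", measure(SAMPLE))         # (46.5, 10.5, 28.5)
    print("without debug_rpc:", measure(WITHOUT_DEBUG))  # (28.5, 10.5, 28.5)
    print("largest contributors:", top_contributors(SAMPLE))
```

The measurement is reported as a triple rather than a single number, so that a change is visible in the dimension it affects: removing the debug RPC method lowers only the method total, while the channel and data totals are unchanged. The helper `top_contributors` is the practical use of the metric, pointing at the resources whose privilege-to-access-rights ratio is worst.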
“…First, we plan to extend the tool to measure the attack surfaces of software implemented in other languages such as JavaScript. Second, Manadhata and Wing performed three empirical studies to validate the abstract measurement method and the measurement results of systems implemented in C [8]. A possible direction of future research is to explore validation ideas in the context of SAP business applications.…”
Section: Summary and Future Work (mentioning; confidence: 99%)