Attack Surface Measurement

Measurement of security, both qualitatively and quantitatively, has been a long standing challenge to the research community and is of practical import to software industry today. Software industry has responded to demands for improvement in software security by increasing effort for creating ``more secure” products and services. How can industry determine whether this effort is paying off and how can consumers determine whether industry’s effort has made a difference? Our work looks at an important question faced by both industry and consumers today: How can we quantify a software system’s security?

We propose to use the measure of a software system’s attack surface as an indicator of the system’s security. Intuitively, a system’s attack surface is the set of ways in which an adversary can enter the system and potentially cause damage. Hence the larger the attack surface, the more insecure the system.



Selected Talks