软件系统攻击面研究综述
|
摘要
攻击面度量可以用来测量软件系统的安全风险,是当前软件安全度量中的一个研究热点.以软件系统攻击面为研究对象,综合现有研究对其进行一般化定义,并在一般化定义的基础上总结了软件系统攻击面研究的几个主要工作.首先从现有攻击面模型研究中归纳出枚举模型、关联模型和图模型三种模型,对它们进行了详细的介绍和比较,然后阐述了识别和测量攻击面的相关研究,对减小、操纵和移动攻击面三种增强系统安全性的应用进行了介绍,并列举了评估攻击面度量的一些观点和方法,最后对未来研究工作进行了展望.
Attack surface metric can be used to measure the security risk of software system,is a hot research topic in current software security metrics. In this paper,the software system attack surface is studied,and its general definition is given. Based on the general definition,we summarize the main work of the research on the software system attack surface. Firstly,from the existing attack surface models,three kinds of model are summed up,introduced and compared in detail,including enumeration model,relational model and graph model. Then,we describe related research of the identification and measurement of the attack surface,introduce the reducing,manipulating and moving attack surface three ways to enhance the system security,and enumerate some viewpoints and methods of evaluation of attack surface metric. Finally,the future research work is prospected.
Attack surface metric can be used to measure the security risk of software system,is a hot research topic in current software security metrics. In this paper,the software system attack surface is studied,and its general definition is given. Based on the general definition,we summarize the main work of the research on the software system attack surface. Firstly,from the existing attack surface models,three kinds of model are summed up,introduced and compared in detail,including enumeration model,relational model and graph model. Then,we describe related research of the identification and measurement of the attack surface,introduce the reducing,manipulating and moving attack surface three ways to enhance the system security,and enumerate some viewpoints and methods of evaluation of attack surface metric. Finally,the future research work is prospected.
引文
[1]Goertzel K M,Winograd T,Mc Kinley H L,et al.Software security assurance:a state-of-art report(SOAR)[R].Information Assurance Technology Analysis Center(IATAC),2007.
[2]Howard M.Fending off future attacks by reducing attack surface[EB/OL].https://msdn.microsoft.com/en-us/library/ms972812.aspx.2003 February.
[3]Abgrall E,Gombault S,Traon Y L,et al.An empirical investigation of the w eb brow ser attack surface under cross-site scripting:an urgent need for systematic security regression testing[C].2014 IEEE International Conference on Softw are Testing,Verication and Validation Workshops(ICSTW 2014),2014:34-41.
[4]Nayak K,Marino D,Efstathopoulos P,et al.Some vulnerabilities are different than others:studying vulnerabilities and attack surfaces in the w ild[C].17th International Workshop on Recent Advances in Intrusion Detection(RAID 2014),2014:426-446.
[5]Wang R,Azab A M,Enck W,et al.SPOKE:scalable knowledge collection and attack surface analysis of access control policy for security enhanced android[C].In Proceedings of the 2017 ACM on Asia Conference on Computer and Communication Security,2017:612-624.
[6]Mohallel A A,Bass J M,Dehghantaha A.Experimenting with docker:linux container and base OS attack surfaces[C].2016 International Conference on Information Society,2016:17-21.
[7]Heumann T,Keller J,Türpe S.Quantifying the attack surface of a w eb application[C].Proceedings of Sicherheit 2010,2010:305-316.
[8]Goswami S,Krishnan N R,Mukesh,et al.Reducing attack surface of a Web application by open Web application security project compliance[J].Defence Science Journal(DSJ),2012,62(5):324-330.
[9]Stuckman J,Purtilo J.Comparing and applying attack surface metrics[C].Proceedings of the 4th International Workshop on Security M easurements and M etrics(M etri Sec 2012),2012:3-6.
[10]Friedman J.Attack your attack surface:how to reduce your exposure to cyberattacks w ith an attack surface visualization solution[R].Skybox Security,Inc,2016.
[11]Howard M,Pincus J,Wing J M.Measuring relative attack surfaces[C].Lee D T,Shieh S P,Tygar J D,ed.Computer Security in the21st Century[M].Boston:Springer US,2005:109-137.
[12]Manadhata P K,Wing J M.An attack surface metric[J].IEEE Transactions on Softw are Engineering(TSE),2011,37(3):371-386.
[13]Tozer B,Mazzuchi T,Sarkani S.Optimizing attack surface and configuration diversity using multi-objective reinforcement learning[C].2015 IEEE 14th International Conference on Machine Learning and Applications,2015:144-149.
[14]Atighetchi M,Soule N,Watro R,et al.The concept of attack surface reasoning[C].Proceedings of the Third International Conference on Intelligent Systems and Applications(Intelli 2014),2014:39-42.
[15]Munaiah N,Meneely A.Beyond the attack surface:assessing security risk w ith random w alks on call graphs[C].Proceedings of the2016 ACM Workshop on Softw are PROtection(SPRO'16),2016:3-14.
[16]Elshaafi H,Mc Gibney J,Botvich D.Attack surface based security metric framew ork for service selection and composition[J].International Journal of Autonomous and Adaptive Communications Systems(IJAACS),2014,10(1):1-24.
[17]Krautsevich L,Martinelli F,Yautsiukhin A.Evaluation of risk for complex systems using attack surface[C].In Proceedings of 2014IEEE International Symposium on Softw are Reliability Engineering Workshops(ISSREW 2014),2014:275-280.
[18]Osterweil E,Mc Pherson D,Zhang L.The shape and size of threats:defining a netw orked system's attack surface[R].Verisign Labs Technical Report#1120004 Version 6,2014.
[19]Zhang S,Zhang X W,Ou X M,et al.Assessing attack surface with component-based package dependency[C].Proceedings of the 9th International Conference on Netw ork and System Security(NSS2015),2015:405-417.
[20]Theisen C,Herzig K,Morrison P,et al.Approximating attack surfaces w ith stack traces[C].Proceedings of the 37th International Conference on Softw are Engineering(ICSE 2015),2015:199-208.
[21]Kurmus A,Tartler R,Dorneanu D,et al.Attack surface metrics and automated compile-time OS kernel tailoring[C].20th Netw ork and Distributed System Security Symposium(NDSS'13),2013:1-63.
[22]Kurmus A,Dechand S,Kapitza R.Quantifiable run-time kernel attack surface reduction[C].11th International Conference on Detection of Intrusions and M alw are,and Vulnerability Assessment(DIMVA'14),2014:212-234.
[23]Chen Q A,Osterweil E,Thomas M,et al.Mit M attack by name collision:cause analysis and vulnerability assessment in the new g TLD era[C].2016 IEEE Symposium on Security and Privacy(S&P2016),2016:675-690.
[24]Michaud F,Canada T.Identifying key attack surface resources with dynamic analysis[R].I.T.Security R&D Specialist for the Cyber Capability Development Centre(CCDC),2015.
[25]Gennari J,Garlan D.Measuring attack surface in software architecture[R].Carnegie M ellon University,2012.
[26]Jaeger T,Ge X,Muthukumaran D,et al.Designing for attack surfaces:keep your friends close,but your enemies closer[C].5th International Conference on Security,Privacy,and Applied Cryptography Engineering(SPACE 2015),2015:55-74.
[27]Vijayakumar H,Jakka G,Rueda S.Integrity walls:finding attack surfaces from mandatory access control policies[C].Proceedings of the 7th ACM Symposium on Information,Computer and Communications Security(ASIACCS'12),2012:75-76.
[28]Ouchani S,Lenzini G.Generating attacks in Sys ML activity diagrams by detecting attack surfaces[J].Jouranl of Ambient Intelligence and Humanized Computing,2015,6(3):361-373.
[29]Younis A A,Malaiya Y K,Ray I.Using attack surface entry points and reachability analysis to assess the risk of softw are vulnerability exploitability[C].15th International Symposium on High-Assurance Systems Engineering(HASE'14),2014:1-8.
[30]Shoemaker D.A practical method for minimization of attack surfaces in information w arfare[R].ISPI:Policy Brief,2013:1-9.
[31]Steinegger R,Sch a..fer J,Vogler M,et al.Attack surface reduction for Web services based on authorization patterns[C].Proceedings of the 8th International Conference on Emerging Security Information,Systems and Technologies(SECURWARE 2014),2014:194-201.
[32]Carter P A.Reducing the attack surface[M].Securing SQL Server:DBAs Defending the Database,Apress,2016:143-160.
[33]Park J,Noh J,Kim M,et al.Invi-server:reducing the attack surfaces by making protected server invisible on netw orks[J].Computers&Security,2017,67:89-106.
[34]Cybenko G,Jajodia S,Wellman M P,et al.Adversarial and uncertain reasoning for adaptive cyber defense:building the scientific foundation[C].Proceedings of the 10th International Conference on Information Systems Security(ICISS 2014),2014:1-8.
[35]Tong Qing,Zhang Zheng,Wu Jiang-xing.The active defense technology based on the softw are/hardw are diversity[J].Journal of Cyber Security,2017,2(1):1-12.
[36]Jajodia S,Ghosh A K,Swarup V,et al.Moving target defense:creating asymmetric uncertainty for cyber threats[M].Berlin:Springer Advances in Information Security,2011.
[37]Meisel M,Pappas V,Zhang L.A taxonomy of biologically inspired research in computer netw orking[J].Computer Netw orks,2010,54(6):901-916.
[38]Wu Jiang-xing.Research on cyber mimic defense[J].Journal of Cyber Security,2016,1(4):1-10.
[39]Albanese M,Battistay E,Jajodia S,et al.Manipulating the attacker's view of a system's attack surface[C].2014 IEEE Conference on Communications and Network Security(CNS 2014),2014:472-480.
[40]Albanese M,Battistay E,Jajodia S.Deceiving attackers by creating a virtual attack surface[M].Jajodia S,Subrahmanian V S,Sw arup V,et al.Cyber Deception,Sw itzerland:Springer International Publishing,2016:167-199.
[41]Dijk M V,Juels A,Oprea A,et al.Flip It:the game of“stealthy takeover”[J].Journal of Cryptology,2013,26(4):655-713.
[42]Laszka A,Horvath G,Felegyhazi M,et al.Flip Them:modeling targeted attacks w ith flip It for multiple resources[C].5th Conference on Decision and Game Theory for Security(Game Sec'10),2013:175-194.
[43]Prakash A,Wellman M P.Empirical game-theoretic analysis for moving target defense[C].Proceedings of the Second ACM Workshop on M oving Target Defense(M TD 2015),2015:57-65.
[44]Okhravi H,Rabe M A,Mayberry T J,et al.Survey of cyber moving targets[R].Lincoln Laboratory,M assachusetts Institute of Technology,2013.
[45]Manadhata P K.Game theoretic approaches to attack surface shifting[M].Jajodia S,Ghosh A K,Subrahmanian V S.M oving Target II:Application of Game Theory and Adversarial M odeling,Springer,2013:1-13.
[46]Schuster F,Holz T.Towards reducing the attack surface of software backdoors[C].Proceedings of the 2013 ACM SIGSAC Conference on Computer&Communications Security(CCS 2013),2013:851-862.
[47]Younis A A,Malaiya Y K.Relationship between attack surface and vulnerability density:a case study on apache HTTP server[C].Proceedings of the 2012 International Conference on Internet Computing(ICOM P'12),2012:197-203.
[35]仝青,张铮,邬江兴.基于软硬件多样性的主动防御技术[J].信息安全学报,2017,2(1):1-12.
[38]邬江兴.网络空间拟态防御研究[J].信息安全学报,2016,1(4):1-10.
1https://www. owasp. org/index. php/Attack_Surface_Analysis_Cheat_Sheet
2http://www. gnu. org/software/cflow
3http://whatis. techtarget. com/definition/network-attack-surface
4 http://whatis. techtarget. com/definition/physical-attack-surface
5 http://whatis. techtarget. com/definition/social-engineering-attack-surface
[2]Howard M.Fending off future attacks by reducing attack surface[EB/OL].https://msdn.microsoft.com/en-us/library/ms972812.aspx.2003 February.
[3]Abgrall E,Gombault S,Traon Y L,et al.An empirical investigation of the w eb brow ser attack surface under cross-site scripting:an urgent need for systematic security regression testing[C].2014 IEEE International Conference on Softw are Testing,Verication and Validation Workshops(ICSTW 2014),2014:34-41.
[4]Nayak K,Marino D,Efstathopoulos P,et al.Some vulnerabilities are different than others:studying vulnerabilities and attack surfaces in the w ild[C].17th International Workshop on Recent Advances in Intrusion Detection(RAID 2014),2014:426-446.
[5]Wang R,Azab A M,Enck W,et al.SPOKE:scalable knowledge collection and attack surface analysis of access control policy for security enhanced android[C].In Proceedings of the 2017 ACM on Asia Conference on Computer and Communication Security,2017:612-624.
[6]Mohallel A A,Bass J M,Dehghantaha A.Experimenting with docker:linux container and base OS attack surfaces[C].2016 International Conference on Information Society,2016:17-21.
[7]Heumann T,Keller J,Türpe S.Quantifying the attack surface of a w eb application[C].Proceedings of Sicherheit 2010,2010:305-316.
[8]Goswami S,Krishnan N R,Mukesh,et al.Reducing attack surface of a Web application by open Web application security project compliance[J].Defence Science Journal(DSJ),2012,62(5):324-330.
[9]Stuckman J,Purtilo J.Comparing and applying attack surface metrics[C].Proceedings of the 4th International Workshop on Security M easurements and M etrics(M etri Sec 2012),2012:3-6.
[10]Friedman J.Attack your attack surface:how to reduce your exposure to cyberattacks w ith an attack surface visualization solution[R].Skybox Security,Inc,2016.
[11]Howard M,Pincus J,Wing J M.Measuring relative attack surfaces[C].Lee D T,Shieh S P,Tygar J D,ed.Computer Security in the21st Century[M].Boston:Springer US,2005:109-137.
[12]Manadhata P K,Wing J M.An attack surface metric[J].IEEE Transactions on Softw are Engineering(TSE),2011,37(3):371-386.
[13]Tozer B,Mazzuchi T,Sarkani S.Optimizing attack surface and configuration diversity using multi-objective reinforcement learning[C].2015 IEEE 14th International Conference on Machine Learning and Applications,2015:144-149.
[14]Atighetchi M,Soule N,Watro R,et al.The concept of attack surface reasoning[C].Proceedings of the Third International Conference on Intelligent Systems and Applications(Intelli 2014),2014:39-42.
[15]Munaiah N,Meneely A.Beyond the attack surface:assessing security risk w ith random w alks on call graphs[C].Proceedings of the2016 ACM Workshop on Softw are PROtection(SPRO'16),2016:3-14.
[16]Elshaafi H,Mc Gibney J,Botvich D.Attack surface based security metric framew ork for service selection and composition[J].International Journal of Autonomous and Adaptive Communications Systems(IJAACS),2014,10(1):1-24.
[17]Krautsevich L,Martinelli F,Yautsiukhin A.Evaluation of risk for complex systems using attack surface[C].In Proceedings of 2014IEEE International Symposium on Softw are Reliability Engineering Workshops(ISSREW 2014),2014:275-280.
[18]Osterweil E,Mc Pherson D,Zhang L.The shape and size of threats:defining a netw orked system's attack surface[R].Verisign Labs Technical Report#1120004 Version 6,2014.
[19]Zhang S,Zhang X W,Ou X M,et al.Assessing attack surface with component-based package dependency[C].Proceedings of the 9th International Conference on Netw ork and System Security(NSS2015),2015:405-417.
[20]Theisen C,Herzig K,Morrison P,et al.Approximating attack surfaces w ith stack traces[C].Proceedings of the 37th International Conference on Softw are Engineering(ICSE 2015),2015:199-208.
[21]Kurmus A,Tartler R,Dorneanu D,et al.Attack surface metrics and automated compile-time OS kernel tailoring[C].20th Netw ork and Distributed System Security Symposium(NDSS'13),2013:1-63.
[22]Kurmus A,Dechand S,Kapitza R.Quantifiable run-time kernel attack surface reduction[C].11th International Conference on Detection of Intrusions and M alw are,and Vulnerability Assessment(DIMVA'14),2014:212-234.
[23]Chen Q A,Osterweil E,Thomas M,et al.Mit M attack by name collision:cause analysis and vulnerability assessment in the new g TLD era[C].2016 IEEE Symposium on Security and Privacy(S&P2016),2016:675-690.
[24]Michaud F,Canada T.Identifying key attack surface resources with dynamic analysis[R].I.T.Security R&D Specialist for the Cyber Capability Development Centre(CCDC),2015.
[25]Gennari J,Garlan D.Measuring attack surface in software architecture[R].Carnegie M ellon University,2012.
[26]Jaeger T,Ge X,Muthukumaran D,et al.Designing for attack surfaces:keep your friends close,but your enemies closer[C].5th International Conference on Security,Privacy,and Applied Cryptography Engineering(SPACE 2015),2015:55-74.
[27]Vijayakumar H,Jakka G,Rueda S.Integrity walls:finding attack surfaces from mandatory access control policies[C].Proceedings of the 7th ACM Symposium on Information,Computer and Communications Security(ASIACCS'12),2012:75-76.
[28]Ouchani S,Lenzini G.Generating attacks in Sys ML activity diagrams by detecting attack surfaces[J].Jouranl of Ambient Intelligence and Humanized Computing,2015,6(3):361-373.
[29]Younis A A,Malaiya Y K,Ray I.Using attack surface entry points and reachability analysis to assess the risk of softw are vulnerability exploitability[C].15th International Symposium on High-Assurance Systems Engineering(HASE'14),2014:1-8.
[30]Shoemaker D.A practical method for minimization of attack surfaces in information w arfare[R].ISPI:Policy Brief,2013:1-9.
[31]Steinegger R,Sch a..fer J,Vogler M,et al.Attack surface reduction for Web services based on authorization patterns[C].Proceedings of the 8th International Conference on Emerging Security Information,Systems and Technologies(SECURWARE 2014),2014:194-201.
[32]Carter P A.Reducing the attack surface[M].Securing SQL Server:DBAs Defending the Database,Apress,2016:143-160.
[33]Park J,Noh J,Kim M,et al.Invi-server:reducing the attack surfaces by making protected server invisible on netw orks[J].Computers&Security,2017,67:89-106.
[34]Cybenko G,Jajodia S,Wellman M P,et al.Adversarial and uncertain reasoning for adaptive cyber defense:building the scientific foundation[C].Proceedings of the 10th International Conference on Information Systems Security(ICISS 2014),2014:1-8.
[35]Tong Qing,Zhang Zheng,Wu Jiang-xing.The active defense technology based on the softw are/hardw are diversity[J].Journal of Cyber Security,2017,2(1):1-12.
[36]Jajodia S,Ghosh A K,Swarup V,et al.Moving target defense:creating asymmetric uncertainty for cyber threats[M].Berlin:Springer Advances in Information Security,2011.
[37]Meisel M,Pappas V,Zhang L.A taxonomy of biologically inspired research in computer netw orking[J].Computer Netw orks,2010,54(6):901-916.
[38]Wu Jiang-xing.Research on cyber mimic defense[J].Journal of Cyber Security,2016,1(4):1-10.
[39]Albanese M,Battistay E,Jajodia S,et al.Manipulating the attacker's view of a system's attack surface[C].2014 IEEE Conference on Communications and Network Security(CNS 2014),2014:472-480.
[40]Albanese M,Battistay E,Jajodia S.Deceiving attackers by creating a virtual attack surface[M].Jajodia S,Subrahmanian V S,Sw arup V,et al.Cyber Deception,Sw itzerland:Springer International Publishing,2016:167-199.
[41]Dijk M V,Juels A,Oprea A,et al.Flip It:the game of“stealthy takeover”[J].Journal of Cryptology,2013,26(4):655-713.
[42]Laszka A,Horvath G,Felegyhazi M,et al.Flip Them:modeling targeted attacks w ith flip It for multiple resources[C].5th Conference on Decision and Game Theory for Security(Game Sec'10),2013:175-194.
[43]Prakash A,Wellman M P.Empirical game-theoretic analysis for moving target defense[C].Proceedings of the Second ACM Workshop on M oving Target Defense(M TD 2015),2015:57-65.
[44]Okhravi H,Rabe M A,Mayberry T J,et al.Survey of cyber moving targets[R].Lincoln Laboratory,M assachusetts Institute of Technology,2013.
[45]Manadhata P K.Game theoretic approaches to attack surface shifting[M].Jajodia S,Ghosh A K,Subrahmanian V S.M oving Target II:Application of Game Theory and Adversarial M odeling,Springer,2013:1-13.
[46]Schuster F,Holz T.Towards reducing the attack surface of software backdoors[C].Proceedings of the 2013 ACM SIGSAC Conference on Computer&Communications Security(CCS 2013),2013:851-862.
[47]Younis A A,Malaiya Y K.Relationship between attack surface and vulnerability density:a case study on apache HTTP server[C].Proceedings of the 2012 International Conference on Internet Computing(ICOM P'12),2012:197-203.
[35]仝青,张铮,邬江兴.基于软硬件多样性的主动防御技术[J].信息安全学报,2017,2(1):1-12.
[38]邬江兴.网络空间拟态防御研究[J].信息安全学报,2016,1(4):1-10.
1https://www. owasp. org/index. php/Attack_Surface_Analysis_Cheat_Sheet
2http://www. gnu. org/software/cflow
3http://whatis. techtarget. com/definition/network-attack-surface
4 http://whatis. techtarget. com/definition/physical-attack-surface
5 http://whatis. techtarget. com/definition/social-engineering-attack-surface