Modeling and Reducing the Attack Surface in Software Systems

被引:2
作者
Yee, George O. M. [1 ]
机构
[1] Carleton Univ, Dept Syst & Comp Engn, Comp Res Lab, Aptusinnova Inc, Ottawa, ON, Canada
来源
2019 IEEE/ACM 11TH INTERNATIONAL WORKSHOP ON MODELLING IN SOFTWARE ENGINEERING (MISE 2019) | 2019年
关键词
software; system; sensitive; data; location; attack surface; reduction;
D O I
10.1109/MiSE.2019.00016
中图分类号
TP31 [计算机软件];
学科分类号
081202 ; 0835 ;
摘要
In today's world, software is ubiquitous and relied upon to perform many important and critical functions. Unfortunately, software is riddled with security vulnerabilities that invite exploitation. Attackers are particularly attracted to software systems that hold sensitive data with the goal of compromising the data. For such systems, this paper proposes a modeling method applied at design time to identify and reduce the attack surface, which arises due to the locations containing sensitive data within the software system and the accessibility of those locations to attackers. The method reduces the attack surface by changing the design so that the number of such locations is reduced. The method performs these changes on a graphical model of the software system. The changes are then considered for application to the design of the actual system to improve its security.
引用
收藏
页码:55 / 62
页数:8
相关论文
共 25 条
[1]   Attack Surface Expansion Using Decoys to Protect Virtualized Infrastructure [J].
Al-Salah, Tulha ;
Hong, Liang ;
Shetty, Sachin .
2017 IEEE 1ST INTERNATIONAL CONFERENCE ON EDGE COMPUTING (IEEE EDGE), 2017, :216-219
[2]   Vulnerability-based Security Pattern Categorization in Search of Missing Patterns [J].
Anand, Priya ;
Ryoo, Jungwoo ;
Kazman, Rick .
2014 NINTH INTERNATIONAL CONFERENCE ON AVAILABILITY, RELIABILITY AND SECURITY (ARES), 2015, :476-483
[3]   Automated reduction of attack surface using call graph enumeration [J].
Ando, Ruo .
PROCEEDINGS OF THE 2018 2ND INTERNATIONAL CONFERENCE ON MANAGEMENT ENGINEERING, SOFTWARE ENGINEERING AND SERVICE SCIENCES (ICMSS 2018), 2018, :118-121
[4]  
Bukhari SN, 2018, 2018 4 INT C ADV EL, P1, DOI DOI 10.1109/AEEICB.2018.8480945
[5]  
Dark Reading, 2017 SMASH WORLDS RE
[6]   Components of a multi-perspective modeling method for designing and managing IT security systems [J].
Goldstein, Anat ;
Frank, Ulrich .
INFORMATION SYSTEMS AND E-BUSINESS MANAGEMENT, 2016, 14 (01) :101-140
[7]  
Identity Force, 2018 DAT BREACH WORS
[8]  
Koch M, 2000, LECT NOTES COMPUT SC, V1895, P122
[9]   BinRec: Attack Surface Reduction Through Dynamic Binary Recovery [J].
Kroes, Taddeus ;
Altinay, Anil ;
Nash, Joseph ;
Na, Yeoul ;
Volckaert, Stijn ;
Bos, Herbert ;
Franz, Michael ;
Giuffrida, Cristiano .
FEAST'18: PROCEEDINGS OF THE 2018 WORKSHOP ON FORMING AN ECOSYSTEM AROUND SOFTWARE TRANSFORMATION, 2018, :8-13
[10]  
Kurmus Anil., 2011, Proceedings of the Fourth European Workshop on System Security, EUROSEC '11, p6:1, DOI DOI 10.1145/1972551.1972557
123