The concept of “attack surface” has been batted around in the security community for a long time. At a high level, we all get the gist of it: the more exposed a system is to attackers (its attack surface), the more risk it probably imposes on those who depend on it. But what does that actually mean? Recently, my colleagues Danny McPherson, Lixia Zhang and I decided that it would be useful to have a definition and a technique that would let people illustrate and quantify systems’ attack surfaces. Specifically, we asked: how do we measure attack surfaces, how do we clearly understand the exposure of our systems’ attack surfaces, and where should we start in order to understand these things?
Initially, we sought to understand the attack surfaces of systems that we are already interested in. Our operational responsibilities have motivated us to study topics like secure network protocols and systems, and helped us understand just how pronounced and complicated the systemic dependencies can be in them. One area of study that Verisign Labs and the Verisign CSO office have been investigating for a number of years is secure cryptographic key learning in the Internet. So, we decided to start there, with a topic on which we already have some knowledge.
“Knowing is half the battle!”
Recently, we created a new methodology called Functional Process Digraphs (FPDs) to address these questions: systematically mapping the inherited dependencies of networked systems and quantifying their attack surfaces. Using this technique, we set about measuring and comparing the attack surfaces of deployments of two specific Internet protocols that do cryptographic key learning: the WebPKI and a new protocol called DNS-based Authentication of Named Entities (DANE). Our objective with this research has been to evolve a methodology that lets anyone gain more clarity into the complex protocols running in today’s Internet.
We detailed our approach, a round of measurements, and some of our findings in a recent publication titled “The Shape and Size of Threats: Defining a Networked System’s Attack Surface.” At this year’s IEEE Workshop on Secure Network Protocols (NPSec ‘14) we were presented with the Best Paper Award for this paper.
We were flattered by this recognition, as NPSec is well known for publishing top-quality work that addresses protocol-level security research. Among our contributions in this paper, we described:
- The definition of a networked system’s attack surface
- Repeatable ways in which to quantify networked systems’ attack surfaces
- Observations to help design protocols in a way that can augment their availability without increasing their attack surfaces
- How much some popular websites would be able to reduce their attack surfaces by deploying DNSSEC, and how much more by deploying DANE
- A novel visualization technique, called resource tiers, to relate different types of resources in an attack surface in a visual manner
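To make the idea of mapping inherited dependencies and reading them off by resource tier concrete, here is an added toy example (written for this post, not the paper's FPD formalism or its measurements): a hypothetical dependency digraph for one HTTPS site's key learning, with constructed node names and deliberately small counts, compared for plain WebPKI, WebPKI over DNSSEC, and DANE.

```python
from collections import defaultdict

# Added example: a toy dependency digraph for one site's key learning.
# Each edge points from a resource to the resources it depends on.
# Node names, tiers and counts are constructed for illustration only.

def reachable(graph, start):
    """Every resource `start` transitively depends on (start itself excluded)."""
    seen, stack = set(), [start]
    while stack:
        for dep in graph.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    seen.discard(start)
    return seen

def resource_tiers(graph, start):
    """Count inherited dependencies per resource type (the prefix before ':')."""
    tiers = defaultdict(int)
    for node in reachable(graph, start):
        tiers[node.split(":")[0]] += 1
    return dict(tiers)

def key_learning_graph(dnssec, dane, n_cas=3):
    if dane and not dnssec:
        raise ValueError("DANE requires DNSSEC-validated answers")
    g = defaultdict(set)
    g["tls:session"] |= {"dns:answer", "pki:site_cert"}
    if dnssec:
        # Validated data: trust rests on the key chain, not on who served it.
        g["dns:answer"] |= {"key:root", "key:tld", "key:zone"}
    else:
        # Unvalidated data: the resolver and every authoritative server are trusted.
        g["dns:answer"] |= {"resolver:isp", "ns:tld_a", "ns:tld_b",
                            "ns:zone_a", "ns:zone_b"}
    if dane:
        # A TLSA record pins the certificate, so it inherits only the DNS dependencies.
        g["pki:site_cert"] |= {"dns:answer"}
    else:
        # Any CA in the trust store could have issued the certificate.
        g["pki:site_cert"] |= {f"ca:{i}" for i in range(n_cas)}
    return g

def surface(dnssec, dane):
    """Attack surface size: number of distinct resources the session depends on."""
    return len(reachable(key_learning_graph(dnssec, dane), "tls:session"))

if __name__ == "__main__":
    for cfg in [(False, False), (True, False), (True, True)]:
        g = key_learning_graph(*cfg)
        print(cfg, surface(*cfg), resource_tiers(g, "tls:session"))
```

The per-tier view is the point of the last function: the same total can hide very different shapes, such as many nameservers versus a short key chain.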
Our hope for this work is that it will serve as a starting point for researchers, engineers, and anyone who is invested in a secure Internet to begin quantifying systemic dependencies and attack surfaces. Additional details can be found in our Verisign Labs Technical Report #1120004. We have plans for follow-on work to apply this methodology to more networked systems and to build on it with techniques like Kill-Chain Analysis.