A Grounded Theory Based Approach to Characterize Software Attack Surfaces

TL;DR

This paper employs Grounded Theory to empirically identify and categorize comprehensive attack surface components in software systems, based on analysis of vulnerability reports, enhancing understanding beyond prior approximations.

Contribution

It introduces a grounded theory-based methodology to systematically categorize attack surface components from real vulnerability data, covering diverse perspectives and surpassing previous literature.

Findings

Identified core attack surface categories: Entry points, Targets, and Mechanisms.

Compared with existing literature, the model covers up to 50% of network-level and 6.7% of code-level attack surface components.

Provided a comprehensive attack surface categorization from multiple perspectives.

Abstract

The notion of Attack Surface refers to the critical points on the boundary of a software system which are accessible from outside or contain valuable content for attackers. The ability to identify attack surface components of software system has a significant role in effectiveness of vulnerability analysis approaches. Most prior works focus on vulnerability techniques that use an approximation of attack surfaces and there has not been many attempt to create a comprehensive list of attack surface components. Although limited number of studies have focused on attack surface analysis, they defined attack surface components based on project specific hypotheses to evaluate security risk of specific types of software applications. In this study, we leverage a qualitative analysis approach to empirically identify an extensive list of attack surface components. To this end, we conduct a Grounded Theory (GT) analysis on 1444 previously published vulnerability reports and weaknesses with a team of three software developers and security experts. We extract vulnerability information from two publicly available repositories: 1) Common Vulnerabilities and Exposures, and 2) Common Weakness Enumeration. We ask three key questions: where the attacks come from, what they target, and how they emerge, and to help answer these questions we define three core categories for attack surface components: Entry points, Targets, and Mechanisms. We extract attack surface concepts related to each category from collected vulnerability information using the GT analysis and provide a comprehensive categorization that represents attack surface components of software systems from various perspectives. The comparison of the proposed attack surface model with the literature shows in the best case previous works cover only 50% of the attack surface components at network level and only 6.7% of the components at code level.