Attack Surface Prioritization with Crash Dump Stack Traces

Resource limitations often preclude security professionals from reviewing, testing, and fortifying an entire code base. Identifying metrics that enable prioritization of security efforts would help practitioners discover security issues more efficiently. Risk-Based Attack Surface Approximation (RASA) makes use of crash dump stack trace from a targeted software system to provide an estimated attack surface. In this paper, we extend the RASA approach, to develop a series of metrics that could help identify how the attack surface changes and if areas of the attack surface have more dangerous vulnerabilities. The goal of this research is to aid software engineers in approximating the attack surface of software systems by developing metrics based on crash dump stack traces. In this paper, we present the RASA approach and three metrics based on crash dump stack traces: change, complexity, and boundary metrics. We parsed 24.5 million stack traces from Windows 8, 8.1, and 10 for inclusion in our study. With change metrics, we help security professionals identify code that has fallen off or been added to the attack surface for the target system. For example, 58.7% of code that was seen on crash dump stack traces changed from Windows 8.1 to Windows 10. With complexity metrics, we measure fan-in and fan-out measures from crash dump stack traces to determine whether certain vulnerabilities are more impactful than others. With boundary metrics, we determine where the boundary of the software system is, or where crash dump stack traces indicate entry and exit points to the system might be. We determined that only 4% of vulnerabilities fixed for Windows 8.1 appeared on the boundary of the system.