Measuring the attack surfaces of two FTP daemons
Source: Conference on Computer and Communications Security
Proceedings of the 2nd ACM workshop on Quality of protection
Alexandria, Virginia, USA
Session: Software security metrics
Pages: 3 - 10  
Year of Publication: 2006
ISBN:1-59593-553-3
Authors
Pratyusa Manadhata  Carnegie Mellon University
Jeannette Wing  Carnegie Mellon University
Mark Flynn  Idaho National Laboratory
Miles McQueen  Idaho National Laboratory
Sponsors
ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 7,   Downloads (12 Months): 48,   Citation Count: 2
DOI: http://doi.acm.org/10.1145/1179494.1179497

ABSTRACT

Software consumers often need to choose between different software that provide the same functionality. Today, security is a quality that many consumers, especially system administrators, care about and will use in choosing one software system over another. An attack surface metric is a security metric for comparing the relative security of similar software systems [7]. The measure of a system's attack surface is an indicator of the system's security: given two systems, we compare their attack surface measurements to decide whether one is more secure than another along each of the following three dimensions: methods, channels, and data. In this paper, we use the attack surface metric to measure the attack surfaces of two open source FTP daemons: ProFTPD 1.2.10 and Wu-FTPD 2.6.2. Our measurements show that ProFTPD is more secure along the method dimension, ProFTPD is as secure as Wu-FTPD along the channel dimension, and Wu-FTPD is more secure along the data dimension. We also demonstrate how software consumers can use the attack surface metric in making a choice between the two FTP daemons.


REFERENCES

 
[1] CERT. Cert advisories. http://www.cert.org/.
[2] GNU cflow. http://www.gnu.org/software/cflow.
[3]
[4] M. Howard. Fending off future attacks by reducing attack surface. http://msdn.microsoft.com/library/default.asp url=/library/enus/dncode%/html/secure02132003.asp, 2003.
[5] M. Howard, J. Pincus, and J. M. Wing. Measuring relative attack surfaces. In Proc. of Workshop on Advanced Developments in Software and Systems Security, 2003.
[6] P. Manadhata and J. M. Wing. Measuring a system's attack surface. In Technical Report CMU-CS-04-102, 2004.
[7] P. Manadhata and J. M. Wing. An attack surface metric. In Technical Report CMU-CS-05-155, 2005.
[8] MITRE. Common vulnerabilities and exposures. http://cve.mitre.org/.
[9] The ProFTPD Project. http://www.proftpd.org/.
[10] The ProFTPD Project. Project goals. http://www.proftpd.org/goals.html.
[11] SecurityFocus. Securityfocus vulnerabilities. http://www.securityfocus.com/vulnerabilities.

