Redmond boffins' infosec trick will ship better code, faster

Security boffins from Microsoft and North Carolina State University have developed a method to help software developers better identify attack surfaces and therefore ship code more quickly.

The work is effective enough for Microsoft's own security teams to consider adopting it in its internal review processes.

The technique is called "attack surface approximation" and is detailed in the paper Approximating Attack Surfaces with Stack Traces (pdf) to be presented in May.

The research is most valuable to developers as it narrows the attack surface they need to focus on to improve security, a feat they say currently requires expertise and "significant" manual effort.

Attack surfaces are the parts of software that can offer access to code or data, and then to p0wnage or unintended or unauthorised access.

Identifying attack surfaces is, however, sometimes impractical, say Microsoft boffins Kim Herzig, Patrick Morrison, and Brendan Murphy, along with lead author Christopher Theisen, and Laurie Williams of North Carolina State University.

The team therefore proposes an automated means of attack surface identification they say is accurate and time-saving, as follows:

We propose attack surface approximation, an automated approach to identifying parts of the system that are contained on the attack surface through stack trace analysis. We parse stack traces, adding all code found in these traces onto the attack surface approximation. By definition, code that appears in stack traces caused by user activity is on the attack surface because it appears in a code path reached by users.

The goal of this research is to aid software engineers in prioritising security efforts by approximating the attack surface of a system via stack trace analysis.

The team says stack traces from user-initiated crashes allow attack surfaces to be measured as it indicates a user's activity which puts a system under stress, highlights direct and indirect entry points, and provides automatically generated control and data flow graphs.

Trials of vulnerability prediction models against their approximation system on Windows 8 found 94.6% of known vulnerabilities in 48.4 percent of binaries for kernel and user mode crashes.

"Based on this result we suggest this approach can reduce the amount of time spent inspecting code that currently cannot be exploited directly by malicious users," the boffins say.

"This time saving is critical when faced with incoming delivery deadlines and time crunches."

Compared to running the models against the entire codebase, their model improved recall rates -- the percentage of accurately identified vulnerabilities as a measure of zero to one -- from .07 to .1 for binaries and .02 to .05 for source files, an albeit small uptick they say is the best in the industry.

Their approximation system requires no manual effort to define an attack surface and could help identify security relationships between code.

The work could be more painful but not impossible in systems with less mature software engineering tools and data where mapping missing code is not a straightforward process, the team say.

It could become more effective at spotting vulnerabilities if more work is done assigning weights to specific artefacts appearing in stack traces. ®