Article

Measuring the attack surfaces of two FTP daemons

Authors:

Pratyusa Manadhata,

Jeannette Wing,

Mark Flynn,

Miles McQueenAuthors Info & Claims

QoP '06: Proceedings of the 2nd ACM workshop on Quality of protection

Pages 3 - 10

https://doi.org/10.1145/1179494.1179497

Published: 30 October 2006 Publication History

Get Access

Abstract

Software consumers often need to choose between different software that provide the same functionality. Today, security is a quality that many consumers, especially system administrators, care about and will use in choosing one soft- ware system over another. An attack surface metric is a security metric for comparing the relative security of similar software systems [7]. The measure of a system's attack surface is an indicator of the system's security: given two systems, we compare their attack surface measurements to decide whether one is more secure than another along each of the following three dimensions: methods, channels, and data. In this paper, we use the attack surface metric to measure the attack surfaces of two open source FTP daemons: ProFTPD 1.2.10 and Wu-FTPD 2.6.2. Our measurements show that ProFTPD is more secure along the method dimension, ProFTPD is as secure as Wu-FTPD along the channel dimension, and Wu-FTPD is more secure along the data dimension. We also demonstrate how software consumers can use the attack surface metric in making a choice between the two FTP daemons.

References

[1]

CERT. Cert advisories. http://www.cert.org/.

Google Scholar

[2]

GNU cflow. http://www.gnu.org/software/cflow.

Google Scholar

[3]

D. DaCosta, C. Dahn, S. Mancoridis, and V. Prevelakis. Characterizing the security vulnerability likelihood of software functions. In Proc. of International Conference on Software Maintenance, 2003.

Digital Library

Google Scholar

[4]

M. Howard. Fending off future attacks by reducing attack surface. http://msdn.microsoft.com/library/default.asp url=/library/enus/dncode%/html/secure02132003.asp, 2003.

Google Scholar

[5]

M. Howard, J. Pincus, and J.M. Wing. Measuring relative attack surfaces,. In Proc. of Workshop on Advanced Developments in Software and Systems Security, 2003.

Google Scholar

[6]

P. Manadhata and J. M. Wing. Measuring a system's attack surface. In Technical Report CMU-CS-04-102, 2004.

Crossref

Google Scholar

[7]

P. Manadhata and J. M. Wing. An attack surface metric. In Technical Report CMU-CS-05-155, 2005.

Crossref

Google Scholar

[8]

MITRE. Common vulnerabilities and exposures. http://cve.mitre.org/.

Google Scholar

[9]

The ProFTPD Project. http://www.proftpd.org/.

Google Scholar

[10]

The ProFTPD Project. Project goals. http://www.proftpd.org/goals.html.

Google Scholar

[11]

SecurityFocus. Securityfocus vulnerabilities. http://www.securityfocus.com/vulnerabilities.

Google Scholar

Cited By

View all

Levy MMaldonado F(2024)Attack Surface Measurement: A Weird Machines PerspectiveProceedings of the 2024 European Interdisciplinary Cybersecurity Conference10.1145/3655693.3655705(90-94)Online publication date: 5-Jun-2024
https://dl.acm.org/doi/10.1145/3655693.3655705
Khan ASharma I(2023)Enhancing FTP Security Through Ensemble Learning-based Brute Force Attack Detection2023 3rd International Conference on Innovative Mechanisms for Industry Applications (ICIMIA)10.1109/ICIMIA60377.2023.10425917(1345-1350)Online publication date: 21-Dec-2023
https://doi.org/10.1109/ICIMIA60377.2023.10425917
Gao CWang GShi WWang ZChen Y(2022)Autonomous Driving Security: State of the Art and ChallengesIEEE Internet of Things Journal10.1109/JIOT.2021.31300549:10(7572-7595)Online publication date: 15-May-2022
https://doi.org/10.1109/JIOT.2021.3130054
Show More Cited By

Index Terms

Measuring the attack surfaces of two FTP daemons
1. General and reference
  1. Cross-computing tools and techniques
    1. Metrics
2. Security and privacy
  1. Systems security
    1. Operating systems security

Recommendations

Beyond the Attack Surface: Assessing Security Risk with Random Walks on Call Graphs
SPRO '16: Proceedings of the 2016 ACM Workshop on Software PROtection

When reasoning about software security, researchers and practitioners use the phrase ``attack surface'' as a metaphor for risk. Enumerate and minimize the ways attackers can break in then risk is reduced and the system is better protected, the metaphor ...
Comparing and applying attack surface metrics
MetriSec '12: Proceedings of the 4th international workshop on Security measurements and metrics

A software system's attack surface metric measures the freedom of a potential attacker to influence the system's execution, potentially exploiting a security vulnerability. Existing attack surface metrics aim to measure the security impact associated ...
Graph similarity metrics for assessing temporal changes in attack surface of dynamic networks

Measuring temporal variation in network attack surface is a key problem in dynamic networks.We propose to use graph distance metrics based on the Maximum Common Subgraph (MCS) and Graph Edit Distance (GED).We show test results on a set of 3 different ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

QoP '06: Proceedings of the 2nd ACM workshop on Quality of protection

October 2006

70 pages

ISBN:1595935533

DOI:10.1145/1179494

Program Chairs:
Guenter Karjoth
IBM Research, CH
,
Fabio Massacci
University di Trento, IT

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 October 2006

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

CCS06

Sponsor:

CCS06: 13th ACM Conference on Computer and Communications Security 2006

October 30, 2006

Virginia, Alexandria, USA

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

49
Total Citations
View Citations
744
Total Downloads

Downloads (Last 12 months)41
Downloads (Last 6 weeks)2

Reflects downloads up to 12 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Levy MMaldonado F(2024)Attack Surface Measurement: A Weird Machines PerspectiveProceedings of the 2024 European Interdisciplinary Cybersecurity Conference10.1145/3655693.3655705(90-94)Online publication date: 5-Jun-2024
https://dl.acm.org/doi/10.1145/3655693.3655705
Khan ASharma I(2023)Enhancing FTP Security Through Ensemble Learning-based Brute Force Attack Detection2023 3rd International Conference on Innovative Mechanisms for Industry Applications (ICIMIA)10.1109/ICIMIA60377.2023.10425917(1345-1350)Online publication date: 21-Dec-2023
https://doi.org/10.1109/ICIMIA60377.2023.10425917
Gao CWang GShi WWang ZChen Y(2022)Autonomous Driving Security: State of the Art and ChallengesIEEE Internet of Things Journal10.1109/JIOT.2021.31300549:10(7572-7595)Online publication date: 15-May-2022
https://doi.org/10.1109/JIOT.2021.3130054
Chuah ESuri NJhumka AAlt S(2021)Challenges in Identifying Network Attacks Using Netflow Data2021 IEEE 20th International Symposium on Network Computing and Applications (NCA)10.1109/NCA53618.2021.9685305(1-10)Online publication date: 23-Nov-2021
https://doi.org/10.1109/NCA53618.2021.9685305
Zeng JWu SChen YZeng RWu C(2019)Survey of Attack Graph Analysis Methods from the Perspective of Data and Knowledge ProcessingSecurity and Communication Networks10.1155/2019/20310632019Online publication date: 1-Jan-2019
https://dl.acm.org/doi/10.1155/2019/2031063
Oakley JWong KShen CBrown D(2018)Improving offensive cyber security assessments using varied and novel initialization perspectivesProceedings of the 2018 ACM Southeast Conference10.1145/3190645.3190673(1-9)Online publication date: 29-Mar-2018
https://dl.acm.org/doi/10.1145/3190645.3190673
Allodi LMassacci F(2017)Security Events and Vulnerability Data for Cybersecurity Risk EstimationRisk Analysis10.1111/risa.1286437:8(1606-1627)Online publication date: 11-Aug-2017
https://doi.org/10.1111/risa.12864
Theisen CMurphy BHerzig KWilliams LJuristo NShepherd D(2017)Risk-based attack surface approximationProceedings of the 39th International Conference on Software Engineering: Software Engineering in Practice Track10.1109/ICSE-SEIP.2017.9(273-282)Online publication date: 20-May-2017
https://dl.acm.org/doi/10.1109/ICSE-SEIP.2017.9
Singhal AOu XWang LJajodia SSinghal A(2017)Security Risk Analysis of Enterprise Networks Using Probabilistic Attack GraphsNetwork Security Metrics10.1007/978-3-319-66505-4_3(53-73)Online publication date: 16-Nov-2017
https://doi.org/10.1007/978-3-319-66505-4_3
Gonzalez-Granadillo GGarcia-Alfaro JDebar H(2017)An n-Sided Polygonal Model to Calculate the Impact of Cyber Security EventsRisks and Security of Internet and Systems10.1007/978-3-319-54876-0_7(87-102)Online publication date: 2-Mar-2017
https://doi.org/10.1007/978-3-319-54876-0_7
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Beyond the Attack Surface: Assessing Security Risk with Random Walks on Call Graphs

Comparing and applying attack surface metrics

Graph similarity metrics for assessing temporal changes in attack surface of dynamic networks