Code reuse is a common practice in software development because of its many benefits. The same practice, however, can also cause large-scale security problems, since a single vulnerability may appear in many different software applications through cloned code fragments. The well-known idea of relying on software diversity for security may also be undermined, since seemingly different software may in fact share vulnerable code fragments. Although there are existing efforts on detecting cloned code fragments, solutions for formally characterizing their specific impact on security are lacking. In this paper, we revisit the concept of software diversity from a security viewpoint. Specifically, we define the novel concept of common attack surface to model the relative degree to which a pair of software applications may share potentially vulnerable code fragments. To implement the concept, we develop an automated tool, CASFinder, which efficiently identifies the common attack surface between any given pair of software applications with minimal human intervention. Finally, we conduct experiments by applying our tool to real-world open source software applications. Our results demonstrate that many seemingly unrelated software applications indeed share a significant common attack surface.
Proceedings Title: Data and Applications Security and Privacy XXXIII
Volume: 11559
Conference Dates: July 15-18, 2019
Conference Location: Charleston, SC, US
Conference Title: 33rd Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec'19)
Zhang, M., Xin, Y., Wang, L., Jajodia, S. and Singhal, A. (2019), CASFinder: Detecting Common Attack Surface, Data and Applications Security and Privacy XXXIII, Charleston, SC, US, [online], https://doi.org/10.1007/978-3-030-22479-0_18, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=927918 (Accessed October 1, 2025)