A Formal Model of the Attack Surface of a Software System

A formal model has been devised to impart some mathematical rigor to the concept of the attack surface of a software system. Complementing the model is a definition of a quantitative measure of the attack surface as an indicator of the relative insecurity of the system (the larger the attack surface, the more insecure the system). The model and the quantitative measure are intended to serve as systematic means of assessing progress in the development of secure software; they are expected to be especially valuable for evaluating the relative degree of security of two successive versions of nominally the same computer program.