基于信息熵和攻击面的软件安全度量

对软件实施安全度量是开发安全的软件产品和实施软件安全改进的关键基础。基于Manadhata等(MANADHATA P K, TAN K M C, MAXION R A, et al. An approach to measuring a system's attack surface, CMU-CS-07-146. Pittsburgh: Carnegie Mellon University, 2007; MANADHATA P K, WING J M. An attack surface metric. IEEE Transactions on Software Engineering, 2011, 37(3): 371-386)提出的攻击面方法，结合信息熵理论，提出结合信息熵和攻击面的软件安全度量方法，可以有效地利用信息熵的计算方法对软件攻击面的各项资源进行威胁评估，从而提供具有针对性的威胁指标量化权值。在此基础之上，通过计算软件攻击面各项资源的指标值可以实现软件的安全度量。最后，通过具体的实例分析说明结合信息熵和攻击面的方法可以有效地应用于软件的安全开发过程和软件安全改进过程，为软件的安全设计开发指明可能存在的安全威胁，帮助提早避免软件产品中可能存在的漏洞；而对于已经开发完成待实施安全改进的软件则可以指出明确的改进方向。

Software security measurement based on information entropy and attack surface

Software security measurement is critical to the development of software and improvement of software security. Based on the entropy and attack surface proposed by Manadhata et al. (MANADHATA P K, TAN K M C, MAXION R A, et al. An approach to measuring a system's attack surface, CMU-CS-07-146. Pittsburgh: Carnegie Mellon University, 2007; MANADHATA P K, WING J M. An attack surface metric. IEEE Transactions on Software Engineering, 2011, 37(3): 371-386), a method of software security measurement was used to assess the threat of the software's resources and provide the threat weight of these resources. Based on the threat weight, the attack surface metric was calculated for determining whether a software product is secure in design, or in what aspect the software product can be improved. The method is demonstrated in a case to show that, when using the method, the probable security threats can be found as early as possible to prevent from producing the software products that may have vulnerabilities, and the directions for the improvement of software security are pointed out clearly.