This is a pre-production deployment of Warehouse, however changes made here WILL affect the production instance of PyPI.
Latest Version Dependencies status unknown Test status unknown Test coverage unknown
Project Description
# Attack Surface Meter

[![Latest Version](https://badge.fury.io/py/attacksurfacemeter.svg)](https://badge.fury.io/py/attacksurfacemeter)
[![Build Status](https://secure.travis-ci.org/andymeneely/attack-surface-metrics.svg?branch=master)](https://travis-ci.org/andymeneely/attack-surface-metrics)
[![Coverage Status](https://img.shields.io/coveralls/andymeneely/attack-surface-metrics.svg)](https://coveralls.io/r/andymeneely/attack-surface-metrics)

Attack Surface Meter is a Python package for collecting attack surface metrics from a software system. In its current version, Attack Surface Meter is capable of analyzing software systems written in the C programming language with skeletal support for analyzing software systems written in the Java programming language.

The attack surface metrics collected are:

* Proximity to Entry/Exit/Dangerous - The mean of shortest unweighted path length from a function/file to Entry Points/Exit Points/Dangerous Points.
* Risky Walk - The probability that a function/file will be invoked on a random execution path starting at the attack surface.

## Installation

### PyPI

`pip install attacksurfacemeter`

### Source

`python setup.py install`

## Usage

### API

The Attack Surface Meter works off of the call graph representation of a software system. A call graph is parsed by the correponding *loader* to generate an internal representation. In this version, the Attack Surface Meter is capable of parsing the call graph generated by one of the following utilities:

* [GNU cflow](http://www.gnu.org/software/cflow/ "GNU cflow")
* [GNU gprof](https://sourceware.org/binutils/docs/gprof/ "GNU gprof")

Extending the Attack Surface Meter to analyze a software system written in a programming language other than C or Java would require defining a new *loader* to parse a call graph generated by a particular language-specific utility.

#### Example

The code snippet that follows depicts using the Attack Surface Meter API to analyze the a C program for which a call graph generated by GNU cflow is available.

```
import os
from attacksurfacemeter.call_graph import CallGraph
from attacksurfacemeter.loaders.cflow_loader import CflowLoader

loader = CflowLoader(os.path.expanduser('~/cflow.callgraph.txt'))
call_graph = CallGraph.from_loader(loader)
```

The `call_graph` object is an instance of the `attacksurfacemeter.call_graph.CallGraph` class and supports several methods to collect the proximity and risky metrics for a given function/file. For more information on these methods, please refer to the `call_graph.py` file which has all the methods extensively documented using Python documentation comments.

### Command Line

```
usage: attack_surface_meter.py [-h] [-gr {function,file}] [-c CFLOW]
[--reverse] [-g GPROF] [-p PROCESSES]
[-j JAVACG] [-a [P [P ...]]] [--output OUTPUT]
[--verbose] [--showerrors]

Collect attack surface metrics from the call graph representation of a
software system.

optional arguments:
-h, --help show this help message and exit
-gr {function,file} The granularity at which the call graphs must be
processed at.
-c CFLOW Absolute path of the file containing the textual
representation of the call graph generated by GNU cflow
or of the directory containing the source code of the
software system to be analyzed.
--reverse cflow call graph was generated with the -r option.
-g GPROF Absolute path of the file containing the textual
representation of the call graph generated by GNU gprof
or of a directory containing multiple such text files.
-p PROCESSES Number of processes to spawn when loaded multiple gprof
call graph files. Default is 2.
-j JAVACG Absolute path of the file containing the textual
representation of the call graph generated by java-
callgraph.
-a [P [P ...]] When using java-callgraph for call graph generation of
android apps, specify the fully qualified package name
of the method calls that will be included in the call
graph. This is generally the name of the java package
inside which the app's classes are defined.
--output OUTPUT Absolute path of the file to which the output should be
written to. The format of output is inferred from the
file extension. txt, html, and xml are currently
supported. In cases when the output format cannot be
inferred, txt is used. When an output path is not
specified, standard output is used.
--verbose Output itemized report including metric values
collected for each function/file.
--showerrors Display errors encountered when parsing call graph (if
any).
```
Release History

Release History

0.11.0

This version

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.10.0

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.9.0

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.8.3

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.8.2

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.8.1

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.8.0

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.7.2

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.7.1

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.7.0

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.6.0

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.5.0

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.4.0

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.1.0

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

Download Files

Download Files

TODO: Brief introduction on what you do with files - including link to relevant help section.

File Name & Checksum SHA256 Checksum Help Version File Type Upload Date
attacksurfacemeter-0.11.0.tar.gz (499.9 kB) Copy SHA256 Checksum SHA256 Source Aug 2, 2016

Supported By

WebFaction WebFaction Technical Writing Elastic Elastic Search Pingdom Pingdom Monitoring Dyn Dyn DNS HPE HPE Development Sentry Sentry Error Logging CloudAMQP CloudAMQP RabbitMQ Heroku Heroku PaaS Kabu Creative Kabu Creative UX & Design Fastly Fastly CDN DigiCert DigiCert EV Certificate Rackspace Rackspace Cloud Servers DreamHost DreamHost Log Hosting