Assessing Attack Surface with Component-Based Package Dependency

Package dependency has been considered in many vulnerability assessment systems. However, existing approaches are either coarse-grained and do not accurately reveal the influence and severity of vulnerabilities, or do not provide comprehensive (both incoming and outgoing) analysis of attack surface through package dependency. We propose a systematic approach of measuring attack surface exposed by individual vulnerabilities through component level dependency analysis. The metric could potentially extended to calculate attack surfaces at component, package, and system levels. It could also be used to calculate both incoming and outgoing attack surfaces, which enables system administrators to accurately evaluate how much risk that a vulnerability, a component or a package to the complete system, and the risk that is injected to a component or package by packages it depends on in a given system. To our best knowledge, our approach is the first to quantitatively assess attack surfaces of vulnerabilities, components, packages, and systems through component level dependency.