What we really mean when we talk about 'vulnerability'

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
A diagram showing what we are looking for when trying to find vulnerabilities in various codebases, from the perspectives of both the LangSec model [1] (unexpected states, the circle on the left) and the data-flow model (tainted data flows, the ring on the right).

More or less, there are almost certainly some states and state transitions ("the weird machine") that "did exist but were unknown and unexpected to the programmer" in every single codebase.

Simply put, what hackers do is reveal those state transitions and somehow force the program/automaton into such an unexpected state through an unexpected (from the programmer's perspective) state transition, which is initiated by a user-crafted data flow. The only way to close that gap safely is to make your expectation precisely match the weird machine that is actually implemented, either by expanding your expectation or by shrinking the "weird part" of your automaton.

This is a purely technical viewpoint and has nothing to do with so-called "branches of security" such as OpSec or unauthorized access, which should be part of your expectation from the outset. The same goes for reverse engineering and forensics (without exploitation): there we treat the target machine as data for our own programs (e.g. reversing or forensics tools), and no unexpected computation in the control flow of the target program is being explored at all.

The point here is whether there is any *unexpected state transition* (a.k.a. the weird machine), and any exploitable behaviour in the weird part of the target automaton.

"The system's security is defined by what computations can and cannot occur in it under all possible inputs" [2]. After all, cyber security research is about figuring out how things really work under all circumstances, both expected and unexpected (a.k.a. exploring the unexpectedness).
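To make the "weird part" concrete, here is an added example (mine, not code from this post or from langsec.org) using an assumed toy record format: the loose parser a programmer might write sits beside a strict LangSec-style recognizer, and enumerating every short input over a small alphabet lists exactly the inputs that drive the loose parser into states the recognizer never allows, which is what "under all possible inputs" means in practice.

```python
import itertools

# Assumed record format for this example: tag(1 byte) len(1 byte) value(len bytes),
# repeated until the input ends exactly on a record boundary.

def naive_parse(data: bytes):
    """Parser the programmer *thinks* recognises the format. It trusts the length
    byte; Python slicing silently truncates, so an over-long length is accepted
    and yields a short value: a state the author never intended (in C the same
    code would over-read the buffer)."""
    records, i = [], 0
    while i < len(data):
        tag, n = data[i], data[i + 1]          # IndexError if the header is cut off
        records.append((tag, data[i + 2:i + 2 + n]))
        i += 2 + n
    return records

def strict_parse(data: bytes):
    """Recognizer in the LangSec sense: every byte is checked against the grammar
    before any value is used, so the accepted set is exactly the language."""
    records, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError(f"truncated header at offset {i}")
        tag, n = data[i], data[i + 1]
        if i + 2 + n > len(data):
            raise ValueError(f"length {n} at offset {i} overruns the input")
        records.append((tag, data[i + 2:i + 2 + n]))
        i += 2 + n
    return records

def accepts(parser, data: bytes) -> bool:
    """True if `parser` returns normally on `data`; any exception counts as a reject."""
    try:
        parser(data)
        return True
    except (ValueError, IndexError):
        return False

def weird_inputs(alphabet=(0x00, 0x01, 0x02, 0xFF), max_len=4):
    """Enumerate every input up to `max_len` bytes over `alphabet` and return those
    the naive parser accepts but the recognizer rejects: the 'weird part'."""
    found = []
    for n in range(max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            data = bytes(combo)
            if accepts(naive_parse, data) and not accepts(strict_parse, data):
                found.append(data)
    return found
```

Running `weird_inputs()` shows the gap between the two automata: for instance `00 ff` is accepted by the naive parser as a record with an empty value, while the recognizer rejects it because the declared length overruns the input.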

Just my humble opinion, feel free to correct me.


[1] http://langsec.org/papers/Bratus.pdf

[2] http://langsec.org/papers/langsec-tr.pdf (if you are interested in this topic, I strongly recommend you read it first.)

[3] http://langsec.org/papers/langsec-cwes-secdev2016.pdf