On Definition of Vulnerability Discovery
DOI: https://doi.org/10.34190/eccws.25.1.4640

Keywords: vulnerability discovery, vulnerability research, cyber operations, vulnerability exploitation, proof of concept code

Abstract
The adaptation and exploitation of security vulnerabilities in military operations is a complex, multidisciplinary problem that calls for precise foundational definitions. This paper establishes such groundwork by discussing the principal elements of the topic from the perspective of security vulnerability research. We first characterize the sources and details of vulnerability and weakness information, describe common collection and presentation practices, and identify the principal consumers of this data. Next, we distinguish between vulnerability research and vulnerability discovery, explaining the processes that generate vulnerability information and highlighting the subtle but important differences between these activities. We then examine the principles governing the operational use of vulnerabilities in a military context and assess the respective contributions of research and discovery to achieving operational objectives. Within cyber domain operational planning we elaborate on the principle of non-forceability. The primary hypothesis of non-forceability is that in the cyber domain an adversary cannot induce an adverse effect on the logical components of a target system without proof of an exploitable logical vulnerability. This claim requires a precise explanation of the logical part of a system, which we define to include software, data, configurations, and formally defined user procedures and training; it explicitly excludes the underlying processing platforms (hardware) and human actors (users and administrators). Under these definitions, external adverse effects on the logical system necessarily imply the proof of a vulnerability. Finally, the role of proof-of-concept (PoC) code in the operational utilization of software vulnerabilities has to be elaborated. We argue that the utility of vulnerability information depends strongly on the intended use and the level of technical detail provided.
For defensive purposes, identification of a vulnerable component and its triggering mechanism is typically sufficient to trigger defensive actions. By contrast, offensive operations require validation of the adversary's defensive capabilities before PoC code baseline capabilities, further development objectives and possible actions on objectives (impact) can be evaluated as an operational course of action.
License
Copyright (c) 2026 European Conference on Cyber Warfare and Security

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.