DocumentCode
2393701
Title
System-based Approach to Software Vulnerability
Author
Al-Fedaghi, Sabah
Author_Institution
Comput. Eng. Dept., Kuwait Univ., Safat, Kuwait
fYear
2010
fDate
20-22 Aug. 2010
Firstpage
1072
Lastpage
1079
Abstract
The focus of vulnerability research has been conceptualization of the lifecycle of software vulnerability as errors in software that can be used by an attacker to gain access to a system or network. This lifecycle is described in terms of its phases: creation, discovery, exploitation, disclosure, patch availability, and patch installed. The objective of this paper is to clarify the notion of vulnerability so it complements current error-focused conceptualization. The paper proposes a fine-grained lifecycle of a vulnerable system in terms of a flowsystem that includes five basic stages and is defined by a flow transition diagram. A software system is first created, released, and transferred to users; it is then activated until it fails as a result of vulnerability to an attack. Several other phases lead to re-creation of the system. Accordingly, vulnerability is defined as the state of a system where it can be damaged when it receives a certain type of attack.
Keywords
security of data; software fault tolerance; fine-grained lifecycle; flow transition diagram; software system; software vulnerability; Databases; Frequency modulation; Hospitals; Programming; Security; Software systems; flow system; risk; software error; software vulnerability lifecycle;
fLanguage
English
Publisher
IEEE
Conference_Titel
Social Computing (SocialCom), 2010 IEEE Second International Conference on
Conference_Location
Minneapolis, MN
Print_ISBN
978-1-4244-8439-3
Electronic_ISBN
978-0-7695-4211-9
Type
conf
DOI
10.1109/SocialCom.2010.159
Filename
5590497