BF Vulnerability Model
Irena Bojanova, PI and Lead, Bugs Framework (BF)

The BF software security vulnerability model is presented in Figure 1. Following the BF definitions of bug, fault, error, and weakness, a software security vulnerability is modeled as a causal chain of underlying weaknesses that leads to a security failure. A security bug causes the first weakness, leading to an error. This error becomes the cause (i.e., the fault) for the next weakness and propagates through subsequent weaknesses until a final error is reached, causing the security failure.


Figure 1. The BF Vulnerability Model -- a chain of improper states (each with one at least ), leading to a security failure.

Exploitation of a vulnerability may result in a fault causing a next vulnerability consisting only of fault-type weaknesses – see the propagation through a failure in Figure 2. The bug in the first vulnerability must be fixed to avoid the failure. Occasionally, for an exploit to be harmful, several vulnerabilities must converge at their final errors – see the converging chains in Figure 2. The bug in at least one of the chains must be fixed to avoid the failure.


Figure 2. BF Vulnerability Model of propagating and/or converging vulnerabilities.
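As an added illustration that is not part of the BF page or its tooling, the following Python models a vulnerability as the causal chain described above, checks a chain against the rules (only the first weakness is caused by a bug, a fault-type first weakness must be fed by a preceding vulnerability), and applies the two fix rules for propagating and converging chains. Weakness names, errors and failures are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Weakness:
    name: str    # the improper state (constructed sample name)
    cause: str   # "bug" (a code defect) or "fault" (the previous weakness's error)
    error: str   # the erroneous state this weakness produces


@dataclass
class Vulnerability:
    weaknesses: List[Weakness]
    failure: str  # the security failure caused by the final error
    # Set when this chain's first weakness is caused by exploiting another
    # vulnerability (propagation through a failure), so it has no bug of its own.
    propagated_from: Optional["Vulnerability"] = None


def validate(v: Vulnerability) -> List[str]:
    """Return the ways a chain violates the BF model (empty list = well-formed)."""
    if not v.weaknesses:
        return ["chain has no weaknesses"]
    problems = []
    first = v.weaknesses[0]
    if first.cause == "bug" and v.propagated_from is not None:
        problems.append(f"{first.name}: a bug-caused weakness cannot also be propagated")
    if first.cause == "fault" and v.propagated_from is None:
        problems.append(f"{first.name}: fault-type first weakness needs a preceding vulnerability")
    for w in v.weaknesses[1:]:
        if w.cause != "fault":
            problems.append(f"{w.name}: only the first weakness may be caused by a bug")
    return problems


def root_bug(v: Vulnerability) -> str:
    """Follow propagation back to the chain that starts with the bug; that is the bug to fix."""
    while v.propagated_from is not None:
        v = v.propagated_from
    return v.weaknesses[0].name


def fix_options(converging: List[Vulnerability]) -> List[str]:
    """Converging chains: fixing the root bug of any one chain avoids the shared failure."""
    return sorted({root_bug(c) for c in converging})


# Constructed sample: an over-read chain, a second vulnerability fed by its
# failure (fault-type only), and a third chain converging on the same failure.
OVER_READ = Vulnerability(
    [Weakness("Data Validation", "bug", "unchecked length field"),
     Weakness("Memory Addressing", "fault", "over-bounds pointer"),
     Weakness("Memory Use", "fault", "buffer over-read")],
    failure="information exposure")
KEY_MISUSE = Vulnerability(
    [Weakness("Key Management", "fault", "leaked private key in use")],
    failure="impersonation", propagated_from=OVER_READ)
LOGGING = Vulnerability(
    [Weakness("Data Verification", "bug", "secret written to log")],
    failure="information exposure")
```

Running `validate` on each constructed chain returns an empty list, `root_bug(KEY_MISUSE)` points back to the Data Validation bug in the first chain, and `fix_options([OVER_READ, LOGGING])` lists the bug of either converging chain as sufficient to fix.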