Over the last eighteen months, I developed four independent frameworks for vulnerability analysis:
- VMF Engine — geometric scanning with 6 projection dimensions
- Error Principle — information debt quantification via D_e scoring
- Memory Layer — 8-factor exploitability vector across memory geometries
- AttackGraph — graph-theoretic exploit chain modeling
For a long time, I treated them as separate tools for separate jobs. VMF for scanning. Error Principle for triage. Memory Layer for exploit analysis. AttackGraph for chain discovery.
Then I realized something: they’re all describing the same object from different angles.
The 5-Dimensional Vulnerability
Every vulnerability can be completely described by five orthogonal dimensions — a 5-tuple (P, L, D, G, κ):
| Dim | Symbol | Framework | What It Measures |
|---|---|---|---|
| Pattern | P | Error Principle | Which error handling anti-pattern |
| Layer | L | Memory Layer | Memory geometry of the attack |
| Debt | D | Error Principle | Information debt score D_e |
| Graph | G | AttackGraph | Position in the exploit chain lattice |
| Curvature | κ | VMF Engine | Geometric curvature across 6 projections |
Two findings with the same (P, L, D, G, κ) tuple are the same vulnerability, regardless of codebase, language, or architecture. A Rust unwrap() and a Java catch(Exception e) {} can occupy the same point in this space.
The Bridge Equations
The four frameworks are not independent. They’re related by a set of bridge equations that map between them:
κ_error_state = 1 − D_e
[VMF error_state projection = inverse of Error Principle debt]
Chain depth in AttackGraph = function of Layer distance
[G.M = f(L.D, L.E, L.T)]
Memory Layer precision = mapping from Error Principle pattern
[L.P = f(P)]
AttackGraph edge weight = Layer_Complexity(L)
[w = (L.P × L.K × L.C × L.M) / (L.D × L.E)]
These equations mean that if you know a finding’s Error Principle pattern, you can estimate its Memory Layer vector. If you know its Memory Layer vector, you can compute its AttackGraph edge weight. If you know its VMF curvature, you can compute its information debt.
The frameworks are projections. The 5-tuple is the underlying object.
The Unified Score
Given a finding F = (P, L, D, G, κ), the unified exploitability score is:
U(F) = κ_total × (1 − D_e) × Layer_Complexity(L) × Chainability(F)
Where:
κ_total= is this finding even real?(1 − D_e)= how much does error handling protect the system?Layer_Complexity= how hard is the exploit geometrically?Chainability= how many paths through the lattice include this finding?
Here’s how some real findings score:
| Finding | κ_total | 1−D_e | Layer Complexity | Chainability | U(F) |
|---|---|---|---|---|---|
| Classic stack overflow (no mitigations) | 0.95 | 1.00 | 0.90 | 0.80 | 0.68 |
| Heartbleed | 0.90 | 1.00 | 0.95 | 0.90 | 0.77 |
| A01 Binder Parcel gap write | 0.12 | 0.15 | 0.08 | 0.20 | 0.0003 |
| UGMS BadParcelableException | 0.72 | 0.05 | 0.25 | 0.30 | 0.003 |
U(F) correlates with CVSS but is finer-grained. It separates “is this finding real?” (κ_total) from “how hard to exploit?” (Layer_Complexity) from “does error handling help the defender?” (D_e).
The Deep Insight
The five dimensions converge to a single scalar relationship:
Exploitability = (Reality × Controllability) / (Debt × Entropy)
Where:
- Reality = κ_total (is this even a real finding?)
- Controllability = Layer_Complexity (can I make it happen?)
- Debt = D_e (how much does error handling help the defender?)
- Entropy = 1/Chainability (how many hops to connect the dots?)
Every mitigation strategy increases one of the denominator terms. ASLR increases Entropy. Better error handling reduces Debt. CFI reduces Controllability. Every bug introduces a potential numerator term.
There is no third kind of operation in security. This is the complete set. If you understand these four variables, you understand the entire game.
Why This Matters
The unification changes how you approach security:
- Cross-framework validation: A finding that scores in all four frameworks is more likely real than one scoring in only one
- Automated triage: Scan → classify as (P, L, D) → query AttackGraph for G → compute VMF projections for κ → unified score determines escalation
- Language independence: The 5-tuple works for C, C++, Java, Rust, Python, Solidity — any language with memory and control flow
- Exploit chain discovery: Instead of asking “is this bug exploitable?”, ask “what path through the lattice has the highest U(F)?”
Four frameworks. Five dimensions. One unified score. This is the first complete mathematical description of what a vulnerability is, how to find one, and how to tell if it matters.
Up next: Android AOSP Case Study: 53 Information Debt Points →
Part of the Geometric Vulnerability Analysis series