The Grand Unification: 5 Dimensions of Every Vulnerability

Over the last eighteen months, I developed four independent frameworks for vulnerability analysis:

  1. VMF Engine — geometric scanning with 6 projection dimensions
  2. Error Principle — information debt quantification via D_e scoring
  3. Memory Layer — 8-factor exploitability vector across memory geometries
  4. AttackGraph — graph-theoretic exploit chain modeling

For a long time, I treated them as separate tools for separate jobs. VMF for scanning. Error Principle for triage. Memory Layer for exploit analysis. AttackGraph for chain discovery.

Then I realized something: they’re all describing the same object from different angles.

The 5-Dimensional Vulnerability

Every vulnerability can be completely described by five orthogonal dimensions — a 5-tuple (P, L, D, G, κ):

Dim Symbol Framework What It Measures
Pattern P Error Principle Which error handling anti-pattern
Layer L Memory Layer Memory geometry of the attack
Debt D Error Principle Information debt score D_e
Graph G AttackGraph Position in the exploit chain lattice
Curvature κ VMF Engine Geometric curvature across 6 projections

Two findings with the same (P, L, D, G, κ) tuple are the same vulnerability, regardless of codebase, language, or architecture. A Rust unwrap() and a Java catch(Exception e) {} can occupy the same point in this space.

The Bridge Equations

The four frameworks are not independent. They’re related by a set of bridge equations that map between them:

κ_error_state = 1 − D_e
[VMF error_state projection = inverse of Error Principle debt]

Chain depth in AttackGraph = function of Layer distance
[G.M = f(L.D, L.E, L.T)]

Memory Layer precision = mapping from Error Principle pattern
[L.P = f(P)]

AttackGraph edge weight = Layer_Complexity(L)
[w = (L.P × L.K × L.C × L.M) / (L.D × L.E)]

These equations mean that if you know a finding’s Error Principle pattern, you can estimate its Memory Layer vector. If you know its Memory Layer vector, you can compute its AttackGraph edge weight. If you know its VMF curvature, you can compute its information debt.

The frameworks are projections. The 5-tuple is the underlying object.

The Unified Score

Given a finding F = (P, L, D, G, κ), the unified exploitability score is:

U(F) = κ_total × (1 − D_e) × Layer_Complexity(L) × Chainability(F)

Where:

  • κ_total = is this finding even real?
  • (1 − D_e) = how much does error handling protect the system?
  • Layer_Complexity = how hard is the exploit geometrically?
  • Chainability = how many paths through the lattice include this finding?

Here’s how some real findings score:

Finding κ_total 1−D_e Layer Complexity Chainability U(F)
Classic stack overflow (no mitigations) 0.95 1.00 0.90 0.80 0.68
Heartbleed 0.90 1.00 0.95 0.90 0.77
A01 Binder Parcel gap write 0.12 0.15 0.08 0.20 0.0003
UGMS BadParcelableException 0.72 0.05 0.25 0.30 0.003

U(F) correlates with CVSS but is finer-grained. It separates “is this finding real?” (κ_total) from “how hard to exploit?” (Layer_Complexity) from “does error handling help the defender?” (D_e).

The Deep Insight

The five dimensions converge to a single scalar relationship:

Exploitability = (Reality × Controllability) / (Debt × Entropy)

Where:

  • Reality = κ_total (is this even a real finding?)
  • Controllability = Layer_Complexity (can I make it happen?)
  • Debt = D_e (how much does error handling help the defender?)
  • Entropy = 1/Chainability (how many hops to connect the dots?)

Every mitigation strategy increases one of the denominator terms. ASLR increases Entropy. Better error handling reduces Debt. CFI reduces Controllability. Every bug introduces a potential numerator term.

There is no third kind of operation in security. This is the complete set. If you understand these four variables, you understand the entire game.

Why This Matters

The unification changes how you approach security:

  1. Cross-framework validation: A finding that scores in all four frameworks is more likely real than one scoring in only one
  2. Automated triage: Scan → classify as (P, L, D) → query AttackGraph for G → compute VMF projections for κ → unified score determines escalation
  3. Language independence: The 5-tuple works for C, C++, Java, Rust, Python, Solidity — any language with memory and control flow
  4. Exploit chain discovery: Instead of asking “is this bug exploitable?”, ask “what path through the lattice has the highest U(F)?”

Four frameworks. Five dimensions. One unified score. This is the first complete mathematical description of what a vulnerability is, how to find one, and how to tell if it matters.

Up next: Android AOSP Case Study: 53 Information Debt Points →


Part of the Geometric Vulnerability Analysis series

← Previous: AttackGraph | Research Overview →

Leave a Comment