Utility
Utility v1.0.1
The Usefulness of the Exploit to the Adversary
| Value | Definition |
|---|---|
| Laborious | Automatable:No AND Value Density:Diffuse |
| Efficient | (Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated) |
| Super Effective | Automatable:Yes AND Value Density:Concentrated |
{
"namespace": "ssvc",
"version": "1.0.1",
"key": "U",
"name": "Utility",
"description": "The Usefulness of the Exploit to the Adversary",
"values": [
{
"key": "L",
"name": "Laborious",
"description": "Automatable:No AND Value Density:Diffuse"
},
{
"key": "E",
"name": "Efficient",
"description": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
},
{
"key": "S",
"name": "Super Effective",
"description": "Automatable:Yes AND Value Density:Concentrated"
}
]
}
See also
Utility is a combination of Automatable and Value Density
This is a compound decision point, therefore it is a notational convenience.
Utility estimates an adversary's benefit compared to their effort based on the assumption that they can exploit the vulnerability. Utility is independent from the state of Exploitation, which measures whether a set of adversaries have ready access to exploit code or are in fact exploiting the vulnerability. In economic terms, Exploitation measures whether the capital cost of producing reliable exploit code has been paid or not. Utility estimates the marginal cost of each exploitation event.
Whereas Exploitation is about how easy it would be to start such a campaign or if one is already underway, Utility is about how much an adversary might benefit from a campaign using the vulnerability in question.
Heuristically, we base Utility on a combination of the value density of vulnerable components and whether potential exploitation is automatable. This framing makes it easier to analytically derive these categories from a description of the vulnerability and the affected component. Automatable as (no or yes) and Value Density as (diffuse or concentrated) define those decision points.
Roughly, Utility is a combination of two things: (1) the value of each exploitation event and (2) the ease and speed with which the adversary can cause exploitation events. We define Utility as laborious, efficient, or super effective, as described in the table above.
Alternative Utility Outputs
Alternative heuristics can plausibly be used as proxies for adversary utility. One example is the value of the vulnerability if it were sold on the open market. Some firms, such as Zerodium, make such pricing structures public. The valuable exploits track the Automatable and Value Density heuristics for the most part. Within a single system—whether it is Apache, Windows, iOS or WhatsApp—more successfully automated steps in the kill lead to higher exploit value. Remote code execution with sandbox escape and without user interaction are the most valuable exploits, and these features describe automation of the relevant kill chain steps.
How equivalently Automatable exploits for different systems are priced relative to each other is more idiosyncratic. Price does not only track the Value Density of the system, but presumably also the existing supply of exploits and the installation distribution among the targets of Zerodium’s customers. Currently, we simplify the analysis and ignore these factors. However, future work should look for and prevent large mismatches between the outputs of the Utility decision point and the exploit markets.
Previous Versions
Utility v1.0.0
The Usefulness of the Exploit to the Adversary
| Value | Definition |
|---|---|
| Laborious | Virulence:Slow and Value Density:Diffuse |
| Efficient | Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated |
| Super Effective | Virulence:Rapid and Value Density:Concentrated |
{
"namespace": "ssvc",
"version": "1.0.0",
"key": "U",
"name": "Utility",
"description": "The Usefulness of the Exploit to the Adversary",
"values": [
{
"key": "L",
"name": "Laborious",
"description": "Virulence:Slow and Value Density:Diffuse"
},
{
"key": "E",
"name": "Efficient",
"description": "Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated"
},
{
"key": "S",
"name": "Super Effective",
"description": "Virulence:Rapid and Value Density:Concentrated"
}
]
}
See also
Utility v1.0.0 was a combination of Virulence and Value Density