Noam’s equation
June 8th, 2006 by noam, Filed under: Commentary
For a long time C-class people have been looking for the one formula that will let them grasp the number of vulnerabilities present on their computer through which they can be hacked. Finally I have devised a method of calculating this and giving you a number. The formula is based on the work of Dr. Frank Drake, but appears to be good for vulnerabilities as well.
N = R * fp * ne * fl * fi * fc * L
where:
N is the number of vulnerabilities in your computer through which we might expect to get hacked
and
R is the rate of new lines of software being introduced into your system
fp is the fraction of those lines that contain vulnerabilities
ne is the average number of these vulnerabilities that can be exploited to run code
fl is the fraction of the above which actually go on to become exploitable to run arbitrary code
fi is the fraction of the above for which exploit code is actually released
fc is the fraction of the above which are made into easy-to-use, cross-platform exploit code
L is the expected lifetime of such a vulnerability
Let's suggest these values for the above formula:
* R = 1,000,000/year,
* fp = 0.5,
* ne = 5,
* fl = 0.1,
* fi = fc = 0.1,
* and L = 1 month.
And we get …
(1,000,000) * 0.5 * 5 * 0.1 * 0.1 * 0.1 * (1 / 31) = 80
Which is quite impressive: you have 80 vulnerabilities in your computer through which you can get hacked…
Now if you upgraded your software from Windows 2000 to, let's say, XP, which holds three times as much code as the previous OS, the number jumps to 241, which is quite impressive. And if you go on and upgrade to Windows 2003, whose source code is 6 times that of Windows 2000, you get 480 vulnerabilities…
So where are all these vulnerabilities hiding?
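As an added example (not from the original post), here is the formula above in Python with the post's suggested values, extended to a small what-if comparison that the post only hints at: since N is a plain product, shortening L (how long a vulnerability stays alive on your box before it is patched) cuts N exactly as much as shrinking the code base by the same factor. The `Params` class, the function names and the what-if scenarios are my own; the numbers are the post's, including its use of 1/31 for "1 month".

```python
"""Added example: the post's vulnerability estimate N = R * fp * ne * fl * fi * fc * L
with its sample values, plus a what-if comparison of patch speed versus code size."""

import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Params:
    R: float   # rate of new lines of software introduced per year
    fp: float  # fraction of those lines that contain vulnerabilities
    ne: float  # average number of such vulnerabilities exploitable to run code
    fl: float  # fraction that become exploitable to run arbitrary code
    fi: float  # fraction for which exploit code is released
    fc: float  # fraction made into easy-to-use, cross-platform exploits
    L: float   # expected lifetime of such a vulnerability (the post uses 1/31)


# The post's suggested values for Windows 2000 (1/31 is the post's "1 month").
POST_VALUES = Params(R=1_000_000, fp=0.5, ne=5, fl=0.1, fi=0.1, fc=0.1, L=1 / 31)


def estimate(p: Params) -> float:
    """N = R * fp * ne * fl * fi * fc * L, exactly as the post writes it."""
    return p.R * p.fp * p.ne * p.fl * p.fi * p.fc * p.L


def estimate_for_code_multiple(p: Params, multiple: float) -> float:
    """The post's upgrade argument: an OS with k times the code has k times the R."""
    return estimate(replace(p, R=p.R * multiple))


def what_if(p: Params) -> dict[str, float]:
    """Constructed scenarios: each factor in the product scales N linearly, so
    halving the vulnerability lifetime (patching twice as fast) gives the same
    N as halving the amount of code, and doing both quarters it."""
    return {
        "baseline": estimate(p),
        "patch twice as fast": estimate(replace(p, L=p.L / 2)),
        "half the code": estimate(replace(p, R=p.R / 2)),
        "both": estimate(replace(p, R=p.R / 2, L=p.L / 2)),
    }


def same_reduction(p: Params) -> bool:
    """True if halving L and halving R reduce N by the same amount."""
    w = what_if(p)
    return math.isclose(w["patch twice as fast"], w["half the code"])


if __name__ == "__main__":
    print(f"Windows 2000: N = {estimate(POST_VALUES):.1f}")
    print(f"XP (3x code): N = {estimate_for_code_multiple(POST_VALUES, 3):.1f}")
    print(f"2003 (6x code): N = {estimate_for_code_multiple(POST_VALUES, 6):.1f}")
    for name, n in what_if(POST_VALUES).items():
        print(f"{name:>20}: N = {n:.1f}")
```

The post truncates its results (80.6 becomes 80, 241.9 becomes 241, 483.9 becomes 480); the code keeps the full floating-point values. The what-if table is the practitioner's takeaway from a multiplicative model: every factor you can actually control (patch latency, how much code you install) buys the same proportional reduction in N.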