BF Type Computation (TCM) Bugs Class

Definition

Type Computation (TCM) class – An arithmetic expression (over numbers, strings, or pointers) is calculated improperly, or a boolean condition is evaluated improperly.

Taxonomy

Operations
Calculate operation – Find the result of a numeric, pointer, or string operation.
Evaluate operation – Find the result of a Boolean condition (incl. comparison).

Operands
Name operand – The identifier of an object, function, or data type entity used to reference it.
Data operand – The data value of an object – i.e., the actual value that is stored in memory.

Causes
Code Bug type – An error in the implementation of an operation – proper operands over an improper operation. It is the root cause of a security vulnerability. Must be fixed to resolve the vulnerability.
   Wrong Code bug – An incorrect operator or function is used, or an incorrect data type is specified.
   Erroneous Code bug – There is a coding error in the implementation of the operation.
Name Fault/Error type – The fully resolved name of an entity is wrong.
   Wrong Object Resolved fault/error – The object is resolved from wrong scope.
   Wrong Function Resolved fault/error – The function is resolved from wrong scope.
   Wrong Generic Function Bound fault/error – Code for a wrong data type is bound due to wrong generic type arguments.
   Wrong Overridden Function Bound fault/error – Code from wrong subtype is bound due to a wrong invoking subtype object.
   Wrong Overloaded Function Bound fault/error – Wrong overloaded implementation is bound due to wrong function arguments.
Data Fault/Error type – The data of an object has harmed semantics or inconsistent or wrong value.
   Wrong Argument fault/error – Inaccurate input data value, i.e., non-verified for harmed semantics.
   Reference vs. Dereference fault/error – Using the address of an entity instead of its data value.
Type Fault/Error type – The set or range of allowed values of an entity is wrong or the operations allowed on them are wrong.
   Wrong Type fault/error – A data type range or structure is not correct.
   Wrong Object Type Resolved fault/error – An object is resolved from a wrong scope, so its data type might be wrong (e.g., a parent vs a child data type).

Consequences
Data Error (Data Fault/Error type) – The data of an object has harmed semantics or inconsistent or wrong value.
   Wrong Result fault/error – Incorrect value – from type conversion or computation.
   Under Range fault/error – The data value is smaller than the lower range of its type.
   Over Range fault/error – The data value is larger than the upper range of its type.
   Flipped Sign fault/error – Sign bit is overwritten from type related calculation.
   Wrap Around fault/error – A moved around-the-clock value over its data type upper or lower range, as it exceeds that range. (Integer Over-/Under-flow is a wrapped-around the upper/lower range integer value; may become very small/large and change to the opposite sign.)
Type Computation final error type – An exploitable or undefined system behavior caused by type computation bugs.
   Undefined final error – The Type System cannot represent the calculated result (e.g., division by 0).

Operations Attributes
Mechanism operation attribute type – Shows how the operation with a bug or faulty operand is performed.
   Function operation attribute – The operation is via a function.
   Operator operation attribute – The operation is via a function with a symbolic name that implements a mathematical, relational or logical operation.
   Method operation attribute – The operation is via a member function of an OOP class.
   Lambda Expression operation attribute – The operation is performed via an anonymous function, implemented within another function.
   Procedure operation attribute – The operation is via a function with a void return type.
Source Code operation attribute type – Shows where the code of the operation with a bug or faulty operand resides within the software, firmware, or hardware.
   Codebase operation attribute – The operation is in the programmer's code – in the application itself.
   Third-Party operation attribute – The operation code is in a third-party source.
   Standard Library operation attribute – The operation code is in the standard library for a particular programming language.
   Compiler/Interpreter operation attribute – The operation code is in the language processor that allows execution or creates executables (interpreter, compiler, assembler).
Execution Space operation attribute type – Shows where the operation with a bug or faulty operand is executed and the privilege level at which it runs.
   Local operation attribute – The bugged code runs in an environment with access control policy with limited (local user) permission.
   Admin operation attribute – The bugged code runs in an environment with access control policy with unlimited (admin user) permission.
   Bare-Metal operation attribute – The bugged code runs in an environment without privilege control. Usually, the program is the only software running and has total access to the hardware.

Operands Attributes
Name State operand attribute type – Shows what the stage of the entity name is.
   Resolved operand attribute – The name scope is known to the Type System.
   Bound operand attribute – The name is linked to a declared (or inferred) data type, a defined object's data, or a called function implementation.
Data Kind operand attribute type – Shows what the type or category of data is.
   Numeric operand attribute – A number – a sequence of digits.
   Text operand attribute – A string – a sequence of symbols.
   Pointer operand attribute – A holder of the memory address of an object.
   Boolean operand attribute – A truth/falsity value – true or false; 1 or 0.
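
The Consequences entries (Over Range, Under Range, Wrap Around, Flipped Sign, Undefined) illustrated for a Calculate operation on 32-bit signed Numeric operands. This is an added example, not part of the BF taxonomy; the names tcm_status, tcm_report and tcm_calculate are hypothetical, and the mapping of each check to a taxonomy label is this example's interpretation.

```c
#include <stdint.h>
#include <stdio.h>

/* Labels follow the Consequences entries above; mapping each check to a
   label is this example's interpretation, not part of the taxonomy. */
typedef enum { TCM_OK, TCM_OVER_RANGE, TCM_UNDER_RANGE,
               TCM_UNDEFINED, TCM_UNSUPPORTED } tcm_status;

typedef struct {
    tcm_status status;  /* where the exact result falls relative to int32_t */
    int32_t wrapped;    /* value a two's-complement wrapping 32-bit result would hold */
    int flipped_sign;   /* 1 if wrapped and the exact result differ in sign */
} tcm_report;

/* Calculate a <op> b exactly in 64 bits, then describe the 32-bit outcome. */
tcm_report tcm_calculate(int32_t a, char op, int32_t b)
{
    tcm_report r = { TCM_OK, 0, 0 };
    int64_t exact;

    switch (op) {
    case '+': exact = (int64_t)a + b; break;
    case '-': exact = (int64_t)a - b; break;
    case '*': exact = (int64_t)a * b; break;
    case '/':
        if (b == 0) { r.status = TCM_UNDEFINED; return r; }  /* no result exists */
        exact = (int64_t)a / b;  /* INT32_MIN / -1 is safe in 64 bits */
        break;
    default:
        r.status = TCM_UNSUPPORTED;  /* operator this example does not model */
        return r;
    }
    if (exact > INT32_MAX) r.status = TCM_OVER_RANGE;
    else if (exact < INT32_MIN) r.status = TCM_UNDER_RANGE;

    /* Wrap Around: reduce modulo 2^32 without relying on signed overflow. */
    uint32_t low = (uint32_t)exact;
    int64_t w = low >= 0x80000000u ? (int64_t)low - 4294967296LL : (int64_t)low;
    r.wrapped = (int32_t)w;
    r.flipped_sign = (exact < 0) != (w < 0);
    return r;
}

int main(void)
{
    tcm_report r = tcm_calculate(INT32_MAX, '+', 1);  /* constructed input */
    printf("status=%d wrapped=%d flipped=%d\n", (int)r.status, (int)r.wrapped, r.flipped_sign);
    return 0;
}
```

A caller that treats any status other than TCM_OK as an error never stores the wrapped value, which is the check that keeps an Over Range or Under Range result from propagating as a Wrong Result.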