BF Type Conversion (TCV) Bugs Class

Definition

Type Conversion (TCV) class – Data are converted or coerced into another type improperly.

Taxonomy

Operations
Cast operation – Explicitly convert the value of an object to another data type.
Coerce operation – Implicitly (forced by the Type System) convert the value of a passed in/out argument or the return into the corresponding parameter or return data type. (Type Coercion is also known as Type Juggling.)
Operands
Name operand – The identifier of an object, function, or data type entity used to reference it.
Data operand – The data value of an object – i.e., the actual value that is stored in memory.
Type operand – The data type of an object – i.e., the set of allowed values (e.g., char is within [-128, 127]) and operations over them (e.g., +, *, mod).
Causes
Code Bug type – An error in the implementation of an operation – proper operands over an improper operation. A first cause for the chain of weaknesses underlying a software security vulnerability. Must be fixed to resolve the vulnerability.
   Missing Code bug – The operation is entirely absent.
   Wrong Code bug – An incorrect operator or function is used, or an incorrect data type is specified.
Name Fault/Error type – The fully resolved name of an entity is wrong.
   Wrong Object Resolved fault/error – The object is resolved from wrong scope.
   Missing Overloaded Function fault/error – Code for particular function parameters' data types is absent.
Data Fault/Error type – The data of an object has harmed semantics or inconsistent or wrong value.
   Under Range fault/error – The data value is smaller than the lower range of its type.
   Over Range fault/error – The data value is larger than the upper range of its type.
   Flipped Sign fault/error – Sign bit is overwritten from type related calculation.
Type Fault/Error type – The set or range of allowed values of an entity is wrong or the operations allowed on them are wrong.
   Wrong Type fault/error – A data type range or structure is not correct.
   Wrong Object Type Resolved fault/error – An object is resolved from a wrong scope, so its data type might be wrong (e.g., a parent vs a child data type).
   Mismatched Argument fault/error – An argument is not of the parameter data type.
Consequences
Data Error – Data Fault/Error type – The data of an object has harmed semantics or inconsistent or wrong value.
   Wrong Value fault/error – The data value is not accurate (e.g., outside of a range).
   Flipped Sign fault/error – Sign bit is overwritten from type related calculation.
   Truncated Value fault/error – The rightmost bits of a data value that won’t fit the data type size are cut off.
   Distorted Value fault/error – The data value is incorrect (although it fits the type size) due to a sign flip or signed/unsigned or unsigned/signed cast.
   Rounded Value fault/error – Precision loss of a real number.
Type Error – Type Fault/Error type – The set or range of allowed values of an entity is wrong or the operations allowed on them are wrong.
   Cast Pointer fault/error – A pointer is type cast to a data type that is incompatible with its object's data type.
   Downcast Pointer fault/error – A pointer is cast to a subtype (base to subclass or subclass to subclass) that is incompatible with its object's data type. The object may invoke an overridden function of a wrong subtype.
   Wrong Type fault/error – A data type range or structure is not correct.
Type Conversion Final Error
   Subtype Confusion final error – A downcasted pointer and its object have incompatible data types.
Operations Attributes
Mechanism operation attribute type – Shows how the operation with a bug or faulty operand is performed.
   Pass In operation attribute – The operation is via in arguments' values to a function/operator.
   Pass Out operation attribute – The operation is via out or in/out arguments' values or a return value to a function/operator.
Source Code operation attribute type – Shows where the code of the operation with a bug or faulty operand resides within the software, firmware, or hardware.
   Codebase operation attribute – The operation is in the programmer's code – in the application itself.
   Third-Party operation attribute – The operation code is in a third-party source.
   Standard Library operation attribute – The operation code is in the standard library for a particular programming language.
   Compiler/Interpreter operation attribute – The operation code is in the language processor that allows execution or creates executables (interpreter, compiler, assembler).
Execution Space operation attribute type – Shows where the operation with a bug or faulty operand is executed and the privilege level at which it runs.
   Local operation attribute – The bugged code runs in an environment with access control policy with limited (local user) permission.
   Admin operation attribute – The bugged code runs in an environment with access control policy with unlimited (admin user) permission.
   Bare-Metal operation attribute – The bugged code runs in an environment without privilege control. Usually, the program is the only software running and has total access to the hardware.
Operands Attributes
Name State operand attribute type – Shows what the stage of the entity name is.
   Resolved operand attribute – The name scope is known to the Type System.
   Bound operand attribute – The name is linked to a declared (or inferred) data type, a defined object's data, or a called function implementation.
Data Kind operand attribute type – Shows what the type or category of data is.
   Numeric operand attribute – A number – a sequence of digits.
   Text operand attribute – A string – a sequence of symbols.
   Pointer operand attribute – A holder of the memory address of an object.
   Boolean operand attribute – A truth/falsity value – true or false; 1 or 0.
Type Kind operand attribute type – Shows what the data type composition is.
   Primitive operand attribute – A scalar data type that mimics the hardware units – e.g., int (long, short, signed), float, double, string, Boolean. A primitive data type is only language defined and is not built from other data types.
   Structure operand attribute – A composite data type – e.g., array, list, map, class. A structured data type is built from other data types and has primitive or structured members.