BF Memory Addressing (MAD) Bugs Class
Irena Bojanova, Inventor, Creator, PI, Bugs Framework (BF)

Definition

The pointer to an object is initialized, repositioned, or reassigned to an improper memory address.

Taxonomy

OperationsDefinition
Initialize PointerChange the undefined data value of a pointer to a meaningful object address; and position the pointer at the start of the object.
RepositionChange the pointer to another position inside its object.
ReassignDirect the pointer to a different object.
OperandsDefinition
DataThe data value of an object -- stored in object's memory.
TypeThe data type of an object -- the set of allowed values (e.g., char is within [-128, 127]) and the operations allowed over them (e.g., +, *, mod).
AddressThe memory address for an object. Its value is data of another object, the object's pointer, used to reference and traverce the object.
SizeThe memory size of an object -- the number of bytes allocated for an object in memory. Its value is contained by (is data of) of another object.
CausesDefinition
Code Defect BugThe operation has a bug, which is the first cause for the chain of weaknesses underlying a software security vulnerability. The bug must be fixed to resolve the vulnerability.
   Missing CodeThe entire operation implementation or a part of its specification is absent.
   Mismatched OperationThe deallocation function does not match the allocation function used for the same object.
   Erroneous CodeThe operation implementation has a bug.
Data FaultThe object data has harmed semantics or inconsistent or wrong value
   Hardcoded AddressThe pointer points a wrong specific address.
   Single Owned AddressExactly one pointer owns the object.
   Wrong IndexIncorrect index position.
   Wrong SizeThe value used as size does not match the actual size of the object.
Type FaultThe set or range of allowed values is wrong or the operations allowed on them are wrong.
   Wrong TypeA data type range or structure is not correct.
   Wrong Index TypeAn index is of incorrect data type.
   Casted PointerThe pointer does not match the type of the object due to wrong type casting.
Address FaultThe object address in use is wrong.
   NULL PointerPoints to the zero address, a specific invalid address.
   Wild PointerPoints to an arbitrary address, because it has not been initialized or an erroneous allocation routine is used.
   Dangling PointerStill points to the address of its successfully deallocated object.
   Untrusted PointerThe pointer is modified to an improperly checked address.
   Over Bounds PointerPoints above the upper boundary of its object.
   Under Bounds PointerPoints below the lower boundary of its object.
   Wrong Position PointerPoints to a miscalculated position inside its object bounds.
Size FaultThe object size in use is wrong.
   Not Enough MemoryThe allocated memory is too little for the data it should store.
ConsequencesDefinition
Data ErrorThe object data has harmed semantics or inconsistent or wrong value
   Forbidden AddressThe pointer points to an OS protected or non-existing address.
Type ErrorThe set or range of allowed values is wrong or the operations allowed on them are wrong.
   Casted PointerThe pointer does not match the type of the object due to wrong type casting.
Address ErrorThe object address in use is wrong.
   NULL PointerPoints to the zero address, a specific invalid address.
   Wild PointerPoints to an arbitrary address, because it has not been initialized or an erroneous allocation routine is used.
   Dangling PointerStill points to the address of its successfully deallocated object.
   Untrusted PointerThe pointer is modified to an improperly checked address.
   Over Bounds PointerPoints above the upper boundary of its object.
   Under Bounds PointerPoints below the lower boundary of its object.
   Wrong Position PointerPoints to a miscalculated position inside its object bounds.
Memory Corruption/Disclosure Final ErrorAn exploitable or undefined system behavior caused by memory addressing, allocation, use, and deallocation bugs.
   Memory LeakAn object has no pointer pointing to it.
Operations AttributesDefinition
MechanismShows how the buggy/faulty operation code is performed.
   DirectThe operation is performed on a particular object element.
   SequentialThe operation is performed after iterating over the object elements.
Source CodeShows where the buggy/faulty operation code is in the program -- in what kind of software.
   CodebaseThe operation is in the programmer's code - in the application itself.
   Third-PartyThe operation is in a third-party software.
   Standard LibraryThe operation is in the standard library for a particular programming language.
   Compiler/InterpreterThe operation is in the language processor that allows execution or creates executables (compiler, assembler, interpreter).
Execution SpaceShows where the buggy/faulty operation code is running or with what privilege level).
   UserlandThe bugged code runs in an environment with privilege levels, but in unprivileged mode (e.g., ring 3 in x86 architecture).
   KernelThe bugged code runs in an environment with privilege levels with access privileged instructions (e.g., ring 0 in x86 architecture).
   Bare-MetalThe bugged code runs in an environment without privilege control. Usually, the program is the only software running and has total access to the hardware.
Operands AttributesDefinition
         Address StateShows where the address is in the memory layout.
            StackThe object is a non-static local variable (defined in a function, a passed parameter, or a function return address).
            HeapThe object is a dynamically allocated data structure (e.g., via malloc() and new).
            /other/Other kinds of memory layout (e.g. Uninitialized Data Segment, Data Segment, and Code Segment could be used for C).
         Size KindShows what the limit for traversal of the object is.
            ActualThe real size of an object.
            UsedA supplied size for an object.