BF Memory Addressing (MAD) Bugs Class

Definition

Memory Addressing (MAD) class – The pointer to an object is initialized, dereferenced, repositioned, or reassigned to an improper memory address.

Taxonomy

Operations | Definition
Initialize Pointer | Initialize Pointer operation – Change the undefined data value of a pointer to a meaningful object address; and position the pointer at the start of the object.
Dereference | Dereference operation – Interpret a pointer value as memory address and access that memory location. The pointer datatype determines the data type of the values to be read or written.
Reposition | Reposition operation – Change the pointer to another position inside its object.
Reassign | Reassign operation – Direct the pointer to a different object.
Operands | Definition
Data | Data operand – The data value of an object – i.e., the actual value that is stored in memory.
Type | Type operand – The data type of an object – i.e., the set of allowed values (e.g., char is within [-128, 127]) and operations over them (e.g., +, *, mod).
Address | Address operand – The memory address for an object. Its value is data of another object – the object's pointer, used to reference and traverse it.
Size | Size operand – The memory size of an object – the number of bytes allocated for an object in memory. Its value is contained by (is data of) another object.
Causes | Definition
Code Bug | Code Bug type – An error in the implementation of an operation – proper operands over an improper operation. It is the root cause of a security vulnerability. Must be fixed to resolve the vulnerability.
   Missing Code | Missing Code bug – The operation is entirely absent.
   Erroneous Code | Erroneous Code bug – There is a coding error in the implementation of the operation.
Data Fault | Data Fault/Error type – The data of an object has harmed semantics or inconsistent or wrong value.
   NULL Pointer | NULL Pointer fault/error – The pointer does not point to a valid object; usually holds the zero memory address.
   Hardcoded Address | Hardcoded Address fault/error – The pointer holds a wrong specific address.
   Single Owned Address | Single Owned Address fault/error – Exactly one pointer owns the object.
   Wrong Index | Wrong Index fault/error – Incorrect index position – hardcoded or from computation.
   Wrong Size | Wrong Size fault/error – The value used as size or length (i.e., the number of elements) does not match the object's memory size or length (e.g., to limit a pointer reposition or index increment/decrement in a repetition statement).
Type Fault | Type Fault/Error type – The set or range of allowed values of an entity is wrong or the operations allowed on them are wrong.
   Cast Pointer | Cast Pointer fault/error – A pointer is type cast to a data type that is incompatible with its object's data type.
   Wrong Type | Wrong Type fault/error – A data type range or structure is not correct.
   Wrong Index Type | Wrong Index Type fault/error – An index is of incorrect data type.
Address Fault | Address Fault/Error type – The address of an object is wrong.
   Wild Pointer | Wild Pointer fault/error – Holds an arbitrary address, because it has not been initialized or an erroneous allocation routine was used.
   Dangling Pointer | Dangling Pointer fault/error – Still holds the address of its successfully deallocated object (e.g., a pointer to a freed heap object or address of a stack object returned by a function).
   Untrusted Pointer | Untrusted Pointer fault/error – The pointer is modified to an improperly checked address.
   Overbound Pointer | Overbound Pointer fault/error – Holds an address that is above the upper boundary of its object.
   Underbound Pointer | Underbound Pointer fault/error – Holds an address that is below the lower boundary of its object.
   Wrong Position Pointer | Wrong Position Pointer fault/error – Holds the address of a miscalculated position inside its object bounds.
Size Fault | Size Fault/Error type – The size of an object is wrong.
   Insufficient Size | Insufficient Size fault/error – The allocated memory is too little for the data it should store.
Consequences | Definition
Data Error | Data Fault/Error type – The data of an object has harmed semantics or inconsistent or wrong value.
   NULL Pointer | NULL Pointer fault/error – The pointer does not point to a valid object; usually holds the zero memory address.
   Forbidden Address | Forbidden Address fault/error – The pointer holds an OS protected address or a non-existing address.
Address Error | Address Fault/Error type – The address of an object is wrong.
   Wild Pointer | Wild Pointer fault/error – Holds an arbitrary address, because it has not been initialized or an erroneous allocation routine was used.
   Dangling Pointer | Dangling Pointer fault/error – Still holds the address of its successfully deallocated object (e.g., a pointer to a freed heap object or address of a stack object returned by a function).
   Untrusted Pointer | Untrusted Pointer fault/error – The pointer is modified to an improperly checked address.
   Overbound Pointer | Overbound Pointer fault/error – Holds an address that is above the upper boundary of its object.
   Underbound Pointer | Underbound Pointer fault/error – Holds an address that is below the lower boundary of its object.
   Wrong Position Pointer | Wrong Position Pointer fault/error – Holds the address of a miscalculated position inside its object bounds.
Memory Corruption/Disclosure Final Error | Memory Corruption/Disclosure final error type – An exploitable or undefined system behavior caused by memory addressing, allocation, use, or deallocation bugs.
   NULL Pointer Dereference | NULL Pointer Dereference final error – An attempt to access an object for reading or writing via a NULL pointer.
   Untrusted Pointer Dereference | Untrusted Pointer Dereference final error – An attempt to access an object via an altered pointer (not legitimate dereference of a tainted pointer).
   Uninitialized Pointer Dereference | Uninitialized Pointer Dereference final error – An attempt to access an object for reading or writing via an uninitialized pointer.
   Memory Leak | Memory Leak final error – An object has no pointer pointing to it.
Operations Attributes | Definition
Mechanism | Mechanism operation attribute type – Shows how the operation with a bug or faulty operand is performed.
   Direct | Direct operation attribute – The operation is on a particular object element.
   Sequential | Sequential operation attribute – The operation is via iterating over the object elements.
Source Code | Source Code operation attribute type – Shows where the code of the operation with a bug or faulty operand resides within the software, firmware, or hardware.
   Codebase | Codebase operation attribute – The operation is in the programmer's code – in the application itself.
   Third-Party | Third-Party operation attribute – The operation code is in a third-party source.
   Standard Library | Standard Library operation attribute – The operation code is in the standard library for a particular programming language.
   Compiler/Interpreter | Compiler/Interpreter operation attribute – The operation code is in the language processor that allows execution or creates executables (interpreter, compiler, assembler).
Execution Space | Execution Space operation attribute type – Shows where the operation with a bug or faulty operand is executed and the privilege level at which it runs.
   Userland | Userland operation attribute – The bugged code runs in an environment with privilege levels, but in unprivileged mode (e.g., ring 3 in x86 architecture).
   Kernel | Kernel operation attribute – The bugged code runs in an environment with privilege levels, with access to privileged instructions (e.g., ring 0 in x86 architecture).
   Bare-Metal | Bare-Metal operation attribute – The bugged code runs in an environment without privilege control. Usually, the program is the only software running and has total access to the hardware.
Operands Attributes | Definition
Address State | Address State operand attribute type – Shows where the address is (i.e., its location) in the memory layout.
   Stack | Stack operand attribute – The object is a non-static local variable (defined in a function, a passed parameter, or a function return address).
   Heap | Heap operand attribute – The object is a dynamically allocated data structure (e.g., via malloc() and new).
   /other/
Size Kind | Size Kind operand attribute type – Shows what is used as the size or length (i.e., the number of elements) of an object – e.g., as the limit for traversal over the elements.
   Actual | Actual operand attribute – The real size or length (i.e., the number of elements) of the allocated memory for an object.
   Used | Used operand attribute – A supplied value to be used as the size or length (i.e., the number of elements) of an object.
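As an added illustration of the taxonomy above (not code from the BF project), the C example below ties the Reposition operation and the Size Kind attributes (Actual vs. Used) to the Address faults they produce: a bounds-checked reposition classifies a candidate address as in bounds, Overbound Pointer, Underbound Pointer, or NULL Pointer without ever forming or dereferencing a bad address, and a checked sequential copy rejects a Used size that exceeds the Actual size, which removes the Wrong Size fault that would otherwise yield an Overbound Pointer. The struct, function and enum names are assumptions chosen for this example.

```c
#include <stddef.h>
#include <string.h>

/* Outcome of a Reposition operation, named per the BF MAD taxonomy. */
enum mad_outcome {
    MAD_IN_BOUNDS = 0,
    MAD_OVERBOUND_POINTER,  /* address above the object's upper boundary */
    MAD_UNDERBOUND_POINTER, /* address below the object's lower boundary */
    MAD_NULL_POINTER        /* object pointer holds the zero address */
};

/* Object base address carried together with its Actual size (Size Kind). */
struct bounded_buf {
    unsigned char *base;
    size_t actual_size;
};

/* Bounds-checked Reposition (Direct mechanism): classify where base + offset
 * lands relative to the object before any address is formed or dereferenced. */
enum mad_outcome mad_reposition(const struct bounded_buf *b, ptrdiff_t offset,
                                unsigned char **out)
{
    if (b == NULL || b->base == NULL)
        return MAD_NULL_POINTER;
    if (offset < 0)
        return MAD_UNDERBOUND_POINTER;
    /* One-past-the-end is a legal C address but not a readable element. */
    if ((size_t)offset >= b->actual_size)
        return MAD_OVERBOUND_POINTER;
    if (out != NULL)
        *out = b->base + offset;
    return MAD_IN_BOUNDS;
}

/* Sequential mechanism: copy used_len bytes (the Used size) into b.
 * An unchecked memcpy(b->base, src, used_len) trusts used_len, which is the
 * Wrong Size fault; comparing it against the Actual size removes that fault. */
enum mad_outcome mad_copy_in_checked(struct bounded_buf *b,
                                     const unsigned char *src, size_t used_len)
{
    if (b == NULL || b->base == NULL || src == NULL)
        return MAD_NULL_POINTER;
    if (used_len > b->actual_size)
        return MAD_OVERBOUND_POINTER; /* copy would run past the object */
    memcpy(b->base, src, used_len);
    return MAD_IN_BOUNDS;
}
```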