BF Memory Addressing (MAD) Bugs Class

Definition

Memory Addressing (MAD) class – The pointer to an object is initialized, dereferenced, repositioned, or reassigned to an improper memory address.

Taxonomy

OperationsDefinition
Initialize PointerInitialize Pointer operation – Change the undefined data value of a pointer to a meaningful object address; and position the pointer at the start of the object.
DereferenceDereference operation – Interpret a pointer value as memory address and access that memory location. The pointer datatype determines the data type of the values to be read or written.
RepositionReposition operation – Change the pointer to another position inside its object.
ReassignReassign operation – Direct the pointer to a different object.
OperandsDefinition
DataData operand – The data value of an object – i.e., the actual value that is stored in memory.
TypeType operand – The data type of an object – i.e., the set of allowed values (e.g., char is within [-128, 127]) and operations over them (e.g., +, *, mod).
AddressAddress operand attribute – The memory address for an object. Its value is data of another object -- the object's pointer, used to reference and traverse it.
SizeSize operand – The size of an object – i.e., the amount of memory allocated for an object. Its value is data of another object.
CausesDefinition
Code BugCode Bug type – Defect in the implementation of the operation – proper operands over an improper operation. A first cause for the chain of weaknesses underlying a software security vulnerability. Must be fixed to resolve the vulnerability.
   Missing CodeMissing Code bug - The operation is entirely absent.
   Erroneous CodeErroneous Code bug - There is a coding error in the implementation of the operation.
Data FaultData Fault/Error type – The object data has harmed semantics or inconsistent or wrong value.
   NULL PointerNULL Pointer fault/error – Does not point to a valid object; usually holds the zero memory address.
   Hardcoded AddressHardcoded Address fault/error – The pointer holds a wrong specific address.
   Single Owned AddressSingle Owned Address fault/error – Exactly one pointer owns the object.
   Wrong IndexWrong Index fault/error – Incorrect index position – hardcoded or from computation.
   Wrong SizeWrong Size fault/error – The value used as size does not match the actual size of the object memory (e.g., to restrict pointer reposition or index increment/decrement in a repetition statement).
Type FaultType Fault/Error type – The set or range of allowed values is wrong or the operations allowed on them are wrong.
   Wrong TypeWrong Type fault/error – A data type range or structure is not correct.
   Wrong Index TypeWrong Index Type fault/error – An index is of incorrect data type.
   Casted PointerCasted Pointer fault/error – A pointer is type cast to a data type that is incompatible with its object's data type.
Address FaultAddress Fault/Error type – The object address in use is wrong.
   Wild PointerWild Pointer fault/error – Holds an arbitrary address, because it has not been initialized or an erroneous allocation routine is used.
   Dangling PointerDangling Pointer fault/error – Still holds the address of its successfully deallocated object (e.g., a pointer to a freed heap object or a returned by a function address of a stack object).
   Untrusted PointerUntrusted Pointer fault/error – The pointer is modified to an improperly checked address.
   Over Bounds PointerOver Bounds Pointer fault/error – Holds an address above the upper boundary of its object.
   Under Bounds PointerUnder Bounds Pointer fault/error – Holds an address below the lower boundary of its object.
   Wrong Position PointerWrong Position Pointer fault/error – Holds the address of a miscalculated position inside its object bounds.
Size FaultSize Fault/Error type – The object size in use is wrong.
   Not Enough MemoryNot Enough Memory fault/error – The allocated memory is too little for the data it should store.
ConsequencesDefinition
Data ErrorData Fault/Error type – The object data has harmed semantics or inconsistent or wrong value.
   NULL PointerNULL Pointer fault/error – Does not point to a valid object; usually holds the zero memory address.
   Forbidden AddressForbidden Address fault/error – The pointer holds an OS protected address or a non-existing address.
Address ErrorAddress Fault/Error type – The object address in use is wrong.
   Wild PointerWild Pointer fault/error – Holds an arbitrary address, because it has not been initialized or an erroneous allocation routine is used.
   Dangling PointerDangling Pointer fault/error – Still holds the address of its successfully deallocated object (e.g., a pointer to a freed heap object or a returned by a function address of a stack object).
   Untrusted PointerUntrusted Pointer fault/error – The pointer is modified to an improperly checked address.
   Over Bounds PointerOver Bounds Pointer fault/error – Holds an address above the upper boundary of its object.
   Under Bounds PointerUnder Bounds Pointer fault/error – Holds an address below the lower boundary of its object.
   Wrong Position PointerWrong Position Pointer fault/error – Holds the address of a miscalculated position inside its object bounds.
Memory Corruption/Disclosure Final ErrorMemory Corruption/Disclosure final error type – An exploitable or undefined system behavior caused by memory addressing, allocation, use, and deallocation bugs.
   NULL Pointer DereferenceNULL Pointer Dereference final error – An attempt to access an object for reading or writing via a NULL pointer.
   Untrusted Pointer DereferenceUntrusted Pointer Dereference final error – An attempt to access an object via an altered pointer (not legitimate dereference of a tainted pointer).
   Uninitialized Pointer DereferenceUninitialized Pointer Dereference final error – An attempt to access an object for reading or writing via an uninitialized pointer.
   Memory LeakMemory Leak final error – An object has no pointer pointing to it.
Operations AttributesDefinition
MechanismMechanism operation attribute type – Shows how the operation is performed.
   DirectDirect operation attribute – The operation is on a particular object element.
   SequentialSequential operation attribute – The operation is via iterating over the object elements.
Source CodeSource Code operation attribute type – Shows where the operation code resides within the software, firmware, or circuit logic code.
   CodebaseCodebase operation attribute – The operation is in the programmer's code - in the application itself.
   Third-PartyThird-Party operation attribute – The operation code is in a third-party software.
   Standard LibraryStandard Library operation attribute – The operation code is in the standard library for a particular programming language.
   Compiler/InterpreterCompiler/Interpreter operation attribute – The operation code is in the language processor that allows execution or creates executables (interpreter, compiler, assembler).
Execution SpaceExecution Space operation attribute type – Shows where the operation is executed or the privilege level at which it runs.
   UserlandUserland operation attribute – The bugged code runs in an environment with privilege levels, but in unprivileged mode (e.g., ring 3 in x86 architecture).
   KernelKernel operation attribute – The bugged code runs in an environment with privilege levels with access privileged instructions (e.g., ring 0 in x86 architecture).
   Bare-MetalBare-Metal operation attribute – The bugged code runs in an environment without privilege control. Usually, the program is the only software running and has total access to the hardware.
Operands AttributesDefinition
         Address StateAddress State operand attribute type - Shows where the address is in the memory layout.
            StackStack operand attribute – The object is a non-static local variable (defined in a function, a passed parameter, or a function return address).
            HeapHeap operand attribute – The object is a dynamically allocated data structure (e.g., via malloc() and new).
            /other//other/ – Other kinds of memory layout (e.g., Uninitialized Data Segment, Data Segment, and Code Segment could be used for C).
         Size KindSize Kind operand attribute type – Shows the object's limit for traversal.
            ActualActual operand attribute – The size of the allocated memory of an object.
            UsedUsed operand attribute – A supplied size of an object.