BF Memory Management (MMN) Bugs Class

Definition

Memory Management (MMN) class – An object is allocated, resized, or deallocated improperly.

Taxonomy

OperationsDefinition
AllocateAllocate operation – Reserve space in memory for an object; defines its initial boundaries and size.
ExtendExtend operation – Reserve additional memory for an object in the same space; redefines its boundaries and size.
Reallocate-ExtendReallocate-Extend operation – Reserve a new larger piece of memory for an object at a new address, reassign its pointer, and release the previous piece of memory.
Reallocate-ReduceReallocate-Reduce operation – Reserve a new smaller space in memory for an object at a new address, reassign the pointer, and release the previous piece of memory.
ReduceReduce operation – Release part of the object memory; redefines its boundaries and size.
DeallocateDeallocate operation – Release the allocated memory of an object.
OperandsDefinition
DataData operand – The data value of an object – i.e., the actual value that is stored in memory.
AddressAddress operand attribute – The memory address for an object. Its value is data of another object -- the object's pointer, used to reference and traverse it.
SizeSize operand – The memory size of an object – the number of bytes allocated for an object in memory. Its value is contained by (is data of) of another object.
CausesDefinition
Code BugCode Bug type – An error in the implementation of an operation – proper operands over an improper operation. It is the roor cause of a security vulnerability. Must be fixed to resolve the vulnerability.
   Missing CodeMissing Code bug - The operation is misplaced entirely absent.
   Mismatched OperationMismatched Operation bug - The deallocation function does not match the allocation function used for the same object.
   Erroneous CodeErroneous Code bug - There is a coding error in the implementation of the operation.
Data FaultData Fault/Error type – The data of an object has harmed semantics or inconsistent or wrong value.
   Hardcoded AddressHardcoded Address fault/error – The pointer holds a wrong specific address.
   Forbidden AddressForbidden Address fault/error – The pointer holds an OS protected address or a non-existing address.
   Single Owned AddressSingle Owned Address fault/error – Exactly one pointer owns the object.
   Wrong SizeWrong Size fault/error – The value used as size or length (i.e., the number of elements) does not match the object's memory size or length (e.g., to limit a pointer reposition or index increment/decrement in a repetition statement).
Address FaultAddress Fault/Error type – The address of an object is wrong.
   Wild PointerWild Pointer fault/error – Holds an arbitrary address, because it has not been initialized or an erroneous allocation routine was used.
   Dangling PointerDangling Pointer fault/error – Still holds the address of its successfully deallocated object (e.g., a pointer to a freed heap object or address of a stack object returned by a function).
   Wrong Position PointerWrong Position Pointer fault/error – Holds the address of a miscalculated position inside its object bounds.
Size FaultType Fault/Error type – The set or range of allowed values of an entity is wrong or the operations allowed on them are wrong.
   Insufficient SizeInsufficient Size fault/error – The allocated memory is too little for the data it should store.
ConsequencesDefinition
Data ErrorData Fault/Error type – The data of an object has harmed semantics or inconsistent or wrong value.
   NULL PointerNULL Pointer fault/error – The pointer does not point to a valid object; usually holds the zero memory address.
Address ErrorAddress Fault/Error type – The address of an object is wrong.
   Wild PointerWild Pointer fault/error – Holds an arbitrary address, because it has not been initialized or an erroneous allocation routine was used.
   Dangling PointerDangling Pointer fault/error – Still holds the address of its successfully deallocated object (e.g., a pointer to a freed heap object or address of a stack object returned by a function).
Size ErrorType Fault/Error type – The set or range of allowed values of an entity is wrong or the operations allowed on them are wrong.
   Insufficient SizeInsufficient Size fault/error – The allocated memory is too little for the data it should store.
Memory Corruption/Disclosure Final ErrorMemory Corruption/Disclosure final error type – An exploitable or undefined system behavior caused by memory addressing, allocation, use, or deallocation bugs.
   Memory OverflowMemory Overflow final error – More memory is requested than available.
   Memory LeakMemory Leak final error – An object has no pointer pointing to it.
   Double DeallocateDouble Deallocate final error – An attempt to deallocate a deallocated (freed) object.
   Object CorruptionObject Corruption final error – An object's data value is unintentionally altered.
Operations AttributesDefinition
MechanismMechanism operation attribute type – Shows how the operation the operation with a bug or faulty operand is performed.
   ImplicitImplicit operation attribute – The operation is performed without a function/method call.
   ExplicitExplicit operation attribute – The operation is via a function/method call.
Source CodeSource Code operation attribute type – Shows where the code of the operation with a bug or faulty operand resides within the software, firmware, or hardware.
   CodebaseCodebase operation attribute – The operation is in the programmer's code - in the application itself.
   Third-PartyThird-Party operation attribute – The operation code is in a third-party source.
   Standard LibraryStandard Library operation attribute – The operation code is in the standard library for a particular programming language.
   Compiler/InterpreterCompiler/Interpreter operation attribute – The operation code is in the language processor that allows execution or creates executables (interpreter, compiler, assembler).
Execution SpaceExecution Space operation attribute type – Shows where the operation with a bug or faulty operand is executed and the privilege level at which it runs.
   UserlandUserland operation attribute – The bugged code runs in an environment with privilege levels, but in unprivileged mode (e.g., ring 3 in x86 architecture).
   KernelKernel operation attribute – The bugged code runs in an environment with privilege levels with access privileged instructions (e.g., ring 0 in x86 architecture).
   Bare-MetalBare-Metal operation attribute – The bugged code runs in an environment without privilege control. Usually, the program is the only software running and has total access to the hardware.
Operands AttributesDefinition
         Size KindSize Kind operand attribute type – Shows what is used as the size or length (i.e., the number of elements) of an object - e.g., as the limit for traversal over the elements.
            ActualActual operand attribute – The real size or length (i.e., the number of elements) of the allocated memory for an object.
            UsedUsed operand attribute – A supplied value to be used as the size or length (i.e., the number of elements) of an object.