BF Memory Management (MMN) Bugs Class

Definition

Memory Management (MMN) class – An object is allocated, deallocated, or resized improperly.

Taxonomy

OperationsDefinition
AllocateAllocate operation – Reserve space in memory for an object; defines its initial boundaries and size.
ExtendExtend operation – Reserve additional memory for an object in the same space; redefines its boundaries and size.
Reallocate-ExtendReallocate-Extend operation – Reserve a new larger piece of memory for an object at a new address, reassign its pointer, and release the previous piece of memory.
DeallocateDeallocate operation – Release the allocated memory of an object.
ReduceReduce operation – Release part of the object memory; redefines its boundaries and size.
Reallocate-ReduceReallocate-Reduce operation – Reserve a new smaller space in memory for an object at a new address, reassign the pointer, and release the previous piece of memory.
OperandsDefinition
DataData operand – The data value of an object – stored in object's memory.
AddressAddress operand attribute – The memory address for an object. It is data of another object, the object's pointer, used to reference and traverse the object.
SizeSize operand – The memory size of an object – the number of bytes allocated for an object in memory. Its value is contained by (is data of) of another object.
CausesDefinition
Code BugCode Bug type – Defect in the implementation of the operation – proper operands over an improper operation. A first cause for the chain of weaknesses underlying a software security vulnerability. Must be fixed to resolve the vulnerability.
   Missing CodeMissing Code bug - The operation is entirely absent.
   Mismatched OperationMismatched Operation bug - The deallocation function does not match the allocation function used for the same object.
   Erroneous CodeErroneous Code bug - There is a coding error in the implementation of the operation.
Data FaultData Fault/Error type – The object data has harmed semantics or inconsistent or wrong value.
   Hardcoded AddressHardcoded Address fault/error – The pointer holds a wrong specific address.
   Forbidden AddressForbidden Address fault/error – The pointer holds an OS protected address (includs the zero address -- a NULL pointer) or non-existing address.
   Single Owned AddressSingle Owned Address fault/error – Exactly one pointer owns the object.
   Wrong SizeWrong Size fault/error – The value used as size does not match the actual size of the object (e.g., to restrict pointer reposition or index increment/decrement in a repetition statement).
Address FaultAddress Fault/Error type – The object address in use is wrong.
   Wild PointerWild Pointer fault/error – Holds an arbitrary address, because it has not been initialized or an erroneous allocation routine is used.
   Dangling PointerDangling Pointer fault/error – Still holds the address of its successfully deallocated object (e.g., pointer to a freed heap object or with a returned by a function stack object address).
   Wrong Position PointerWrong Position Pointer fault/error – Holds the address of a miscalculated position inside its object bounds.
Size FaultSize Fault/Error type – The object size in use is wrong.
   Not Enough MemoryNot Enough Memory fault/error – The allocated memory is too little for the data it should store.
ConsequencesDefinition
Data ErrorData Fault/Error type – The object data has harmed semantics or inconsistent or wrong value.
   NULL PointerNULL Pointer fault/error – Does not point to a valid object; usually holds the zero memory address.
Address ErrorAddress Fault/Error type – The object address in use is wrong.
   Wild PointerWild Pointer fault/error – Holds an arbitrary address, because it has not been initialized or an erroneous allocation routine is used.
   Dangling PointerDangling Pointer fault/error – Still holds the address of its successfully deallocated object (e.g., pointer to a freed heap object or with a returned by a function stack object address).
Size ErrorSize Fault/Error type – The object size in use is wrong.
   Not Enough MemoryNot Enough Memory fault/error – The allocated memory is too little for the data it should store.
Memory Corruption/Disclosure Final ErrorMemory Corruption/Disclosure exploitable error type – An exploitable or undefined system behavior caused by memory addressing, allocation, use, and deallocation bugs.
   Memory OverflowMemory Overflow exploitable error – More memory is requested than available.
   Memory LeakMemory Leak exploitable error – An object has no pointer pointing to it.
   Double DeallocateDouble Deallocate exploitable error – An attempt to deallocate a deallocated (freed) object or via an uninitialized pointer.
   Object CorruptionObject Corruption exploitable error – An object's data value is unintentionally altered.
Operations AttributesDefinition
MechanismMechanism operation attribute type – Shows how the operation code is performed.
   ImplicitImplicit operation attribute – The operation is performed without a function/method call.
   ExplicitExplicit operation attribute – The operation is via a function/method call.
Source CodeSource Code operation attribute type – Shows where the operation code is in software or firmware.
   CodebaseCodebase operation attribute – The operation is in the programmer's code - in the application itself.
   Third-PartyThird-Party operation attribute – The operation code is in a third-party software.
   Standard LibraryStandard Library operation attribute – The operation code is in the standard library for a particular programming language.
   Compiler/InterpreterCompiler/Interpreter operation attribute – The operation code is in the language processor that allows execution or creates executables (interpreter, compiler, assembler).
Execution SpaceExecution Space operation attribute type – Shows where the operation code is running or with what privilege level.
   UserlandUserland operation attribute – The bugged code runs in an environment with privilege levels, but in unprivileged mode (e.g., ring 3 in x86 architecture).
   KernelKernel operation attribute – The bugged code runs in an environment with privilege levels with access privileged instructions (e.g., ring 0 in x86 architecture).
   Bare-MetalBare-Metal operation attribute – The bugged code runs in an environment without privilege control. Usually, the program is the only software running and has total access to the hardware.
Operands AttributesDefinition
         Address StateAddress State operand attribute type - Shows where the address is in the memory layout.
            StackStack operand attribute – The object is a non-static local variable (defined in a function, a passed parameter, or a function return address).
            HeapHeap operand attribute – The object is a dynamically allocated data structure (e.g., via malloc() and new).
            /other//other/ – Other kinds of memory layout (e.g., Uninitialized Data Segment, Data Segment, and Code Segment could be used for C).