BF Memory Use (MUS) Bugs Class
Irena Bojanova, Inventor, Creator, PI, Bugs Framework (BF)

Definition

An object is initialized, read, written, or cleared improperly.

Taxonomy

OperationsDefinition
Initialize ObjectChange the undefined data value of an object to a meaningful one -- e.g., after an object is allocated.
DereferenceAccess object for reading or for writing. It is relevant to the operations Initialize Object, Read, Write, and Clear.
ReadUse the value of an object data.
WriteChange the data value of an object to another meaningful value.
ClearChange the meaningful value of an object to a non-meaningful one (e.g. via zeroization) -- e.g. before object's deallocated.
OperandsDefinition
DataThe data value of an object -- stored in object's memory.
TypeThe data type of an object -- the set of allowed values (e.g., char is within [-128, 127]) and the operations allowed over them (e.g., +, *, mod).
AddressThe memory address for an object. Its value is data of another object, the object's pointer, used to reference and traverce the object.
SizeThe memory size of an object -- the number of bytes allocated for an object in memory. Its value is contained by (is data of) of another object.
CausesDefinition
Code Defect BugThe operation has a bug, which is the first cause for the chain of weaknesses underlying a software security vulnerability. The bug must be fixed to resolve the vulnerability.
   Missing CodeThe entire operation implementation or a part of its specification is absent.
   Mismatched OperationThe deallocation function does not match the allocation function used for the same object.
   Erroneous CodeThe operation implementation has a bug.
Data FaultThe object data has harmed semantics or inconsistent or wrong value
   Forbidden AddressThe pointer points to an OS protected or non-existing address.
   Wrong SizeThe value used as size does not match the actual size of the object.
Type FaultThe set or range of allowed values is wrong or the operations allowed on them are wrong.
   Casted PointerThe pointer does not match the type of the object due to wrong type casting.
Address FaultThe object address in use is wrong.
   NULL PointerPoints to the zero address, a specific invalid address.
   Wild PointerPoints to an arbitrary address, because it has not been initialized or an erroneous allocation routine is used.
   Dangling PointerStill points to the address of its successfully deallocated object.
   Untrusted PointerThe pointer is modified to an improperly checked address.
   Over Bounds PointerPoints above the upper boundary of its object.
   Under Bounds PointerPoints below the lower boundary of its object.
   Wrong Position PointerPoints to a miscalculated position inside its object bounds.
Size FaultThe object size in use is wrong.
   Not Enough MemoryThe allocated memory is too little for the data it should store.
ConsequencesDefinition
Data ErrorThe object data has harmed semantics or inconsistent or wrong value
   Uninitialized Object
Memory Corruption/Disclosure Final ErrorAn exploitable or undefined system behavior caused by memory addressing, allocation, use, and deallocation bugs.
   Not Cleared ObjectAn object's data value is not changed to a non-meaningful one before deallocation.
   NULL Pointer DereferenceAn attempt to access an object for reading or writing via a NULL pointer.
   Untrusted Pointer DereferenceAn attempt to access an object via an altered pointer (not legitimate dereference of a tainted pointer).
   Object CorruptionAn object's data value is unintentionally altered.
   Type ConfusionAn object and its pointer have different types.
   Use After FreeAn attempt to use (dereference, read, write, or clear) a deallocated object.
   Buffer OverflowWrites above the upper bound of an object -- aka Buffer Over-Write.
   Buffer UnderflowWrites below the lower bound of an object -- aka Buffer Under-Write.
   Buffer Over-ReadReads above the upper bound of an object.
   Buffer Under-ReadReads below the lower bound of an object.
   Uninitialized Pointer DereferenceAn attempt to access an object for reading or writing via an uninitialized pointer.
Operations AttributesDefinition
MechanismShows how the buggy/faulty operation code is performed.
   DirectThe operation is performed on a particular object element.
   SequentialThe operation is performed after iterating over the object elements.
Source CodeShows where the buggy/faulty operation code is in the program -- in what kind of software.
   CodebaseThe operation is in the programmer's code - in the application itself.
   Third-PartyThe operation is in a third-party software.
   Standard LibraryThe operation is in the standard library for a particular programming language.
   Compiler/InterpreterThe operation is in the language processor that allows execution or creates executables (compiler, assembler, interpreter).
Execution SpaceShows where the buggy/faulty operation code is running or with what privilege level).
   UserlandThe bugged code runs in an environment with privilege levels, but in unprivileged mode (e.g., ring 3 in x86 architecture).
   KernelThe bugged code runs in an environment with privilege levels with access privileged instructions (e.g., ring 0 in x86 architecture).
   Bare-MetalThe bugged code runs in an environment without privilege control. Usually, the program is the only software running and has total access to the hardware.
Operands AttributesDefinition
         Address StateShows where the address is in the memory layout.
            StackThe object is a non-static local variable (defined in a function, a passed parameter, or a function return address).
            HeapThe object is a dynamically allocated data structure (e.g., via malloc() and new).
            /other/Other kinds of memory layout (e.g. Uninitialized Data Segment, Data Segment, and Code Segment could be used for C).
         Size KindShows what the limit for traversal of the object is.
            ActualThe real size of an object.
            UsedA supplied size for an object.