BF Memory Use (MUS) Bugs Class

Definition

Memory Use (MUS) class – An object is initialized, read, written, or cleared improperly.

Taxonomy

OperationsDefinition
Initialize ObjectInitialize Object operation – Change the undefined data value of an object to a meaningful one – e.g., after an object is allocated.
ReadRead operation – Retrieve the data value of an object from memory.
WriteWrite operation – Change the data value of an object stored in memory to another meaningful value.
ClearClear operation – Change the meaningful data value of an object to a non-meaningful one (e.g., via zeroization) – e.g., before object deallocation.
OperandsDefinition
DataData operand – The data value of an object – i.e., the actual value that is stored in memory.
TypeType operand – The data type of an object – i.e., the set of allowed values (e.g., char is within [-128, 127]) and operations over them (e.g., +, *, mod).
AddressAddress operand attribute – The memory address for an object. Its value is data of another object -- the object's pointer, used to reference and traverse it.
SizeSize operand – The size of an object – i.e., the amount of memory allocated for an object. Its value is data of another object.
CausesDefinition
Code BugCode Bug type – Defect in the implementation of the operation – proper operands over an improper operation. A first cause for the chain of weaknesses underlying a software security vulnerability. Must be fixed to resolve the vulnerability.
   Missing CodeMissing Code bug - The operation is entirely absent.
   Erroneous CodeErroneous Code bug - There is a coding error in the implementation of the operation.
Data FaultData Fault/Error type – The object data has harmed semantics or inconsistent or wrong value.
   NULL PointerNULL Pointer fault/error – Does not point to a valid object; usually holds the zero memory address.
   Forbidden AddressForbidden Address fault/error – The pointer holds an OS protected address or a non-existing address.
   Wrong SizeWrong Size fault/error – The value used as size does not match the actual size of the object memory (e.g., to restrict pointer reposition or index increment/decrement in a repetition statement).
Type FaultType Fault/Error type – The set or range of allowed values is wrong or the operations allowed on them are wrong.
   Casted PointerCasted Pointer fault/error – A pointer is type cast to a data type that is incompatible with its object's data type.
Address FaultAddress Fault/Error type – The object address in use is wrong.
   Wild PointerWild Pointer fault/error – Holds an arbitrary address, because it has not been initialized or an erroneous allocation routine is used.
   Dangling PointerDangling Pointer fault/error – Still holds the address of its successfully deallocated object (e.g., a pointer to a freed heap object or a returned by a function address of a stack object).
   Untrusted PointerUntrusted Pointer fault/error – The pointer is modified to an improperly checked address.
   Over Bounds PointerOver Bounds Pointer fault/error – Holds an address above the upper boundary of its object.
   Under Bounds PointerUnder Bounds Pointer fault/error – Holds an address below the lower boundary of its object.
   Wrong Position PointerWrong Position Pointer fault/error – Holds the address of a miscalculated position inside its object bounds.
Size FaultSize Fault/Error type – The object size in use is wrong.
   Not Enough MemoryNot Enough Memory fault/error – The allocated memory is too little for the data it should store.
ConsequencesDefinition
Data ErrorData Fault/Error type – The object data has harmed semantics or inconsistent or wrong value.
   Uninitialized ObjectUninitialized Object fault/error – The object was never assigned a meaningful value.
Memory Corruption/Disclosure Final ErrorMemory Corruption/Disclosure final error type – An exploitable or undefined system behavior caused by memory addressing, allocation, use, and deallocation bugs.
   Not Cleared ObjectNot Cleared Object final error – An object's data value is not changed to a non-meaningful one before deallocation.
   Object CorruptionObject Corruption final error – An object's data value is unintentionally altered.
   Type ConfusionType Confusion final error – A casted pointer and its object have incompatible data types.
   Use After Deallocateuse after free or use after return) final error – An attempt to use (dereference, read, write, or clear) a deallocated object (e.g., via a pointer to a freed or reallocated heap object -- use after free) or out of scope object (e.g., via a returned by a function pointer to a stack object -- use after return).
   Buffer OverflowBuffer Overflow final error – Write data above the upper bound of an object (i.e., buffer overwrite).
   Buffer UnderflowBuffer Underflow final error – Write data below the lower bound of an object (i.e., buffer under-write).
   Buffer Over-ReadBuffer Over-Read final error – Read data above the upper bound of an object.
   Buffer Under-ReadBuffer Under-Read final error – Read data below the lower bound of an object.
Operations AttributesDefinition
MechanismMechanism operation attribute type – Shows how the operation is performed.
   DirectDirect operation attribute – The operation is on a particular object element.
   SequentialSequential operation attribute – The operation is via iterating over the object elements.
Source CodeSource Code operation attribute type – Shows where the operation code resides within the software, firmware, or circuit logic code.
   CodebaseCodebase operation attribute – The operation is in the programmer's code - in the application itself.
   Third-PartyThird-Party operation attribute – The operation code is in a third-party software.
   Standard LibraryStandard Library operation attribute – The operation code is in the standard library for a particular programming language.
   Compiler/InterpreterCompiler/Interpreter operation attribute – The operation code is in the language processor that allows execution or creates executables (interpreter, compiler, assembler).
Execution SpaceExecution Space operation attribute type – Shows where the operation is executed or the privilege level at which it runs.
   UserlandUserland operation attribute – The bugged code runs in an environment with privilege levels, but in unprivileged mode (e.g., ring 3 in x86 architecture).
   KernelKernel operation attribute – The bugged code runs in an environment with privilege levels with access privileged instructions (e.g., ring 0 in x86 architecture).
   Bare-MetalBare-Metal operation attribute – The bugged code runs in an environment without privilege control. Usually, the program is the only software running and has total access to the hardware.
Operands AttributesDefinition
         Address KindAddress Kind operand attribute type - Shows how much memory is accessed outside object's bounds.
            HugeHuge operand attribute - More than 1 KB of memory.
            ModerateModerate operand attribute - Several bytes, but less than 1 KB, of memory.
            LittleLittle operand attribute - A few bytes of memory.
         Address StateAddress State operand attribute type - Shows where the address is in the memory layout.
            StackStack operand attribute – The object is a non-static local variable (defined in a function, a passed parameter, or a function return address).
            HeapHeap operand attribute – The object is a dynamically allocated data structure (e.g., via malloc() and new).
            /other//other/ – Other kinds of memory layout (e.g., Uninitialized Data Segment, Data Segment, and Code Segment could be used for C).
         Size KindSize Kind operand attribute type – Shows the object's limit for traversal.
            UsedUsed operand attribute – A supplied size of an object.