BF Specification of CWE-468 Example 1
Wrong Code to Cast ((char *)(p + 1) instead of (char *)p + 1) of Pointer data of Primitive type using Pass In mechanism in Codebase source code (CWE-468-Example-1) in Local execution space leads to Wrong Type (int instead of char) error, which propagates to
Wrong Argument Type to Call (+ operator) of Object name of Primitive type using Ad-hoc Bind mechanism in Codebase source code (CWE-468-Example-1) in Local execution space that results in Wrong Overloaded Function Bound (+(int*,int) instead of +(char*,int)) error, which propagates to
Wrong Overloaded Function Bound to Calculate of Bound name of Pointer data using Operator mechanism in Codebase source code (CWE-468-Example-1) in Local execution space that results in Wrong Result (Pointer position) error, which propagates to
Wrong Index to Reposition on Stack with Actual size using Direct mechanism in Codebase source code (CWE-468-Example-1) in Userland execution space that results in Overbound Pointer error, which propagates to
Overbound Pointer to Read on Stack with Actual size using Direct mechanism in Codebase source code (CWE-468-Example-1) in Userland execution space that results in Buffer Over-Read final error, which can be exploited toward
Information Exposure (IEX) (confidentiality loss) security failure.
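The root of the chain above is operator precedence: in `(char *)(p + 1)` the `+` is bound to pointer arithmetic on `int *`, so the pointer moves by `sizeof(int)` bytes, while in `(char *)p + 1` the cast happens first and `+` moves by one byte. The following C program is an added example, not code from the BF page or from CWE-468 itself; it measures both offsets, then shows a bounds check that turns the would-be over-read into a detectable failure. The sample object, the `union` used to obtain a correctly aligned `int *`, and the function names are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Byte offset produced by the buggy expression from CWE-468 Example 1.
 * (p + 1) binds + to +(int*,int), so the pointer advances sizeof(int) bytes
 * before the cast to char* is applied. */
ptrdiff_t buggy_offset(int *p) {
    char *second = (char *)(p + 1);          /* CWE-468: scaled by sizeof(int) */
    return second - (char *)p;
}

/* Byte offset produced by the intended expression.
 * The cast happens first, so + binds to +(char*,int) and advances 1 byte. */
ptrdiff_t fixed_offset(int *p) {
    char *second = (char *)p + 1;            /* correct: one byte past p */
    return second - (char *)p;
}

/* Compute "the second char" position with either expression, but refuse to
 * dereference it unless it lies inside the object of len_bytes bytes.
 * Returns the byte value (0..255) or -1 when the read would be out of bounds. */
int checked_read(int *p, size_t len_bytes, int use_buggy) {
    char *pos = use_buggy ? (char *)(p + 1) : (char *)p + 1;
    size_t idx = (size_t)(pos - (char *)p);
    if (idx >= len_bytes) {
        return -1;                           /* Overbound Pointer: do not read */
    }
    return (unsigned char)*pos;
}

int main(void) {
    /* Constructed sample: one int-sized object holding the bytes "abcd".
     * The union guarantees the int* is properly aligned. */
    union { int i; unsigned char b[sizeof(int)]; } sample = { .b = {'a', 'b', 'c', 'd'} };
    int *p = &sample.i;

    printf("buggy offset: %td bytes, fixed offset: %td bytes\n",
           buggy_offset(p), fixed_offset(p));
    printf("buggy read:   %d (-1 means the read was rejected as out of bounds)\n",
           checked_read(p, sizeof sample, 1));
    printf("fixed read:   '%c'\n", checked_read(p, sizeof sample, 0));
    return 0;
}
```

With a 4-byte `int` the buggy expression lands exactly one past the end of the object, which is the Overbound Pointer in the chain; without the length check that position is read and the Buffer Over-Read occurs. Compiling with `-fsanitize=address` and removing the check reproduces the over-read at runtime on a heap or stack copy of the sample.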
| Class | Definition |
| --- | --- |
| TCV | Type Conversion (TCV) class – Data are converted or coerced into another type improperly. |
| NRS | Name Resolution (NRS) class – The name of an object, a function, or a type is resolved improperly or bound to an improper type or implementation. |
| TCM | Type Computation (TCM) class – An arithmetic expression (over numbers, strings, or pointers) is calculated improperly, or a boolean condition is evaluated improperly. |
| MAD | Memory Addressing (MAD) class – The pointer to an object is initialized, dereferenced, repositioned, or reassigned to an improper memory address. |
| MUS | Memory Use (MUS) class – An object is initialized, read, written, or cleared improperly. |
| Operation | Definition |
| --- | --- |
| Cast | Cast operation – Explicitly convert the value of an object to another data type. |
| Call | Call operation – Invoke a function implementation. The Type System binds a function implementation to the resolved function name. A polymorphic function implementation is first resolved and then bound. |
| Calculate | Calculate operation – Find the result of a numeric, pointer, or string operation. |
| Reposition | Reposition operation – Change the pointer to another position inside its object. |
| Read | Read operation – Retrieve the data value of an object from memory. |
| Cause/Consequence | Definition |
| --- | --- |
| Code Bug | Code Bug type – An error in the implementation of an operation – proper operands over an improper operation. It is the root cause of a security vulnerability and must be fixed to resolve the vulnerability. |
| Wrong Code | Wrong Code bug – An incorrect operator or function is used, or an incorrect data type is specified. |
| Type | Type error (or fault) type – The set or range of allowed values of an entity is wrong, or the operations allowed on them are wrong. |
| Wrong Type | Wrong Type error (or fault) – A data type range or structure is not correct. |
| Wrong Argument Type | Wrong Argument Type error (or fault) – An argument to an overloaded function is of an incorrect data type. |
| Name Error/Fault | Name error (or fault) type – The fully resolved name of an entity is wrong. |
| Wrong Overloaded Function Bound | Wrong Overloaded Function Bound error (or fault) – The wrong overloaded implementation is bound due to wrong function arguments. |
| Data Error/Fault | Data error (or fault) type – The data of an object has harmed semantics or an inconsistent or wrong value. |
| Wrong Result | Wrong Result error (or fault) – Incorrect value – from type conversion or computation. |
| Wrong Index | Wrong Index error (or fault) – Incorrect index position – hardcoded or from computation. |
| Address Error/Fault | Address error (or fault) type – The address of an object is wrong. |
| Overbound Pointer | Overbound Pointer error (or fault) – Holds an address that is above the upper boundary of its object. |
| Memory Corruption/Disclosure Final Error | Memory Corruption/Disclosure final error/exploit vector type – An exploitable or undefined system behavior caused by memory addressing, allocation, use, or deallocation bugs. |
| Buffer Over-Read | Buffer Over-Read final error – Read data above the upper bound of an object. |
| Operation Attribute | Definition |
| --- | --- |
| Mechanism | Mechanism operation attribute type – Shows how the operation with a bug or faulty operand is performed. |
| Pass In | Pass In operation attribute – The operation is via in arguments' values to a function/operator. |
| Ad-hoc Bind | Ad-hoc Bind operation attribute – The operation resolves an overloaded function via signature and sets its implementation. |
| Operator | Operator operation attribute – The operation is via a function with a symbolic name that implements a mathematical, relational, or logical operation. |
| Direct | Direct operation attribute – The operation is on a particular object element. |
| Source Code | Source Code operation attribute type – Shows where the code of the operation with a bug or faulty operand resides within the software, firmware, or hardware. |
| Codebase | Codebase operation attribute – The operation is in the programmer's code, in the application itself. |
| Execution Space | Execution Space operation attribute type – Shows where the operation with a bug or faulty operand is executed and the privilege level at which it runs. |
| Local | Local operation attribute – The bugged code runs in an environment with an access control policy with limited (local user) permission. |
| Userland | Userland operation attribute – The bugged code runs in an environment with privilege levels, but in unprivileged mode (e.g., ring 3 in the x86 architecture). |
| Operand Attribute | Definition |
| --- | --- |
| Data Kind | Data Kind operand attribute type – Shows what the type or category of data is. |
| Pointer | Pointer operand attribute – A holder of the memory address of an object. |
| Type Kind | Type Kind operand attribute type – Shows what the data type composition is. |
| Primitive | Primitive operand attribute – A scalar data type that mimics the hardware units, e.g., int (long, short, signed), float, double, string, Boolean. A primitive data type is only language defined and is not built from other data types. |
| Name Kind | Name Kind operand attribute type – Shows what the entity with this name is. |
| Object | Object operand attribute – A memory region used to store data. |
| Name State | Name State operand attribute type – Shows what the stage of the entity name is. |
| Bound | Bound operand attribute – The name is linked to a declared (or inferred) data type, a defined object's data, or a called function implementation. |
| Address State | Address State operand attribute type – Shows where the address is (i.e., its location) in the memory layout. |
| Stack | Stack operand attribute – The object is a non-static local variable (defined in a function, a passed parameter, or a function return address). |
| Size Kind | Size Kind operand attribute type – Shows what is used as the size or length (i.e., the number of elements) of an object, e.g., as the limit for traversal over the elements. |
| Actual | Actual operand attribute – The real size or length (i.e., the number of elements) of the allocated memory for an object. |
| Failure | Definition |
| --- | --- |
| IEX | Information Exposure (IEX) – Inadvertent disclosure of information that leads to confidentiality loss. |