Memory Use Bugs (MUS) Class
We define Memory Use Bugs (MUS) as follows:
An object is initialized, read, written, or cleared improperly.
Fig. 1 depicts MUS causes, attributes and consequences.
Fig. 1. Memory Use Bugs (MUS) Class
The MUS operations are: Initialize (Object), Dereference, Read, Write, Clear. They reflect improper use of an object.
|Initialize (object)||The first write into an object, after it is allocated.|
|Read||Gets content from an object.|
|Write||Puts content into an object.|
|Clear||The very last write into an object, before it is deallocated.|
|Dereference||Overreaches Initialize, Read, Write, and Clear; the focus is on object access, whether for reading or for writing.|
The graph of causes shows that there are three main causes for memory allocation bugs: Improper Operation, Improper Pointer, and Improper Object.
|Missing||The operation is absent.|
|Mismatched||The deallocation function does not match the allocation function used for the same object.|
|Erroneous||There is a bug in the implementation of the operation.|
|NULL Pointer||Points to the zero address, a specific invalid address.|
|Wild Pointer||Points to an arbitrary address, because it has not been initialized or an erroneous allocation routine is used.|
|Dangling Pointer||Still points to the address of its successfully deallocated object.|
|Over Bounds||Points over the bounds of its object.|
|Under Bounds||Points under the bounds of its object.|
|Untrusted Pointer||The pointer is modified to an improperly checked address.|
|Wrong Position||Points to a miscalculated position inside object bounds.|
|Casted Pointer||The pointer does not match the type of the object, due to wrong type casting.|
|Forbidden Address||The pointer points to an OS protected or non-existing address.|
|Not Enough Allocated||The allocated memory is too little for the data it should store.|
The graph of consequences shows Memory Error as a consequence.
|Uninitialized Object||Object data is not filled in before use.|
|Not Cleared Object||Object data is not overwritten before deallocation.|
|NULL Pointer Dereference||Attempt to access an object for read or write through a NULL pointer.|
|Untrusted Pointer Dereference||Attempt to access an object via an altered pointer (not legitimate dereference of tainted pointers).|
|Object Corruption||Object data is unintentionally altered.|
|Type Confusion||Pointer and object have different types.|
|Use After Free||Attempt to use a deallocated object.|
|Buffer Overflow||Read or write above the object upper bound.|
|Buffer Underflow||Read or write below the object lower bound.|
|Uninitialized Pointer Dereference||An attempt to access an object for read or write via an uninitialized pointer.|
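The Missing cause applied to the Clear and Initialize operations, and the Not Cleared Object and Uninitialized Object consequences it leads to, shown as an added example that is not part of the original page. The one-slot allocator and all function names are hypothetical, and the secret string is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an allocator (hypothetical names): one static slot,
   handed out again after release, so stale bytes can be read without UB. */
static unsigned char slot[32];
static int slot_in_use;
static void *slot_alloc(void) {
    if (slot_in_use) return NULL;
    slot_in_use = 1;
    return slot;
}
static void slot_release(void *p) { if (p == slot) slot_in_use = 0; }
/* Clear: the very last write before deallocation. The volatile pointer keeps
   the compiler from dropping the stores as dead. */
static void clear_object(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Owner 1 stores a secret and releases it; do_clear = 0 is a Missing Clear. */
static int use_secret(const char *secret, int do_clear) {
    size_t n = strlen(secret);
    char *obj = slot_alloc();
    if (obj == NULL) return -1;
    if (n >= sizeof slot) { slot_release(obj); return -1; } /* stay in bounds */
    memcpy(obj, secret, n + 1);            /* Initialize: the first write */
    if (do_clear) clear_object(obj, sizeof slot);
    slot_release(obj);
    return 0;
}

/* Owner 2 gets the same memory; do_init = 0 is a Missing Initialize. Returns
   how many non-zero bytes left by owner 1 its first Read would see. */
static size_t stale_bytes_seen(int do_init) {
    unsigned char *obj = slot_alloc();
    size_t stale = 0;
    if (obj == NULL) return 0;
    if (do_init) memset(obj, 0, sizeof slot);
    for (size_t i = 0; i < sizeof slot; i++) stale += (obj[i] != 0);
    slot_release(obj);
    return stale;
}

int main(void) {
    use_secret("constructed-secret", 0);
    printf("stale bytes readable: %zu\n", stale_bytes_seen(0));
    return 0;
}
```

Either a proper Clear by the first owner or a proper Initialize by the second removes the exposure; the data leaks only when both operations are missing.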
The attributes of MUS are:
|Mechanism||Direct||The operation is performed over a particular object element.|
|Mechanism||Sequential||The operation is performed after iterating over the object elements.|
|Source Code||Codebase||The operation is in the programmer’s code – in the application itself.|
|Source Code||Third Party||The operation is in a third party library.|
|Source Code||Standard Library||The operation is in the standard library for a particular programming language.|
|Source Code||Language Processor||The operation is in the tool that allows execution or creates an executable (compiler, assembler, interpreter).|
|Execution Space||Userland||The bugged code runs in an environment with privilege levels, but in unprivileged mode (e.g., ring 3 in x86 architecture).|
|Execution Space||Kernel||The bugged code runs in an environment with privilege levels, with access to privileged instructions (e.g., ring 0 in x86 architecture).|
|Execution Space||Bare-Metal||The bugged code runs in an environment without privilege control. Usually, the program is the only software running and has total access to the hardware.|
|Span||Little||A few bytes of memory are accessed.|
|Span||Moderate||Several bytes of memory are accessed, but less than 1 KB.|
|Span||Huge||More than 1 KB of memory is accessed.|
|Location||Stack||The object is a non-static local variable (defined in a function, a passed parameter, or a function return address).|
|Location||Heap||The object is a dynamically allocated data structure (e.g., via malloc() and new).|
MUS sites are any dereference operators in the source code (
Application examples are provided here.