Operation | |
---|---|
Value | Definition |
Initialize (object) | The first write into an object, after it is allocated. |
Read | Gets content from an object. |
Write | Puts content into an object. |
Clear | The very last write into an object, before it is deallocated. |
Dereference | Overreaches Initialize, Read, Write, and Clear; the focus is on object access, whether for reading or for writing. |
Improper Operation | |
---|---|
Value | Definition |
Missing | The operation is absent. |
Mismatched | The deallocation function does not match the allocation function used for the same object. |
Erroneous | There is a bug in the implementation of the operation. |
Improper Pointer | |
---|---|
Value | Definition |
NULL Pointer | Points to the zero address, a specific invalid address. |
Wild Pointer | Points to an arbitrary address, because it has not been initialized or an erroneous allocation routine is used. |
Dangling Pointer | Still points to the address of its successfully deallocated object. |
Over Bounds | Points over the bounds of its object. |
Under Bounds | Points under the bounds of its object. |
Untrusted Pointer | The pointer is modified to an improperly checked address. |
Wrong Position | Points to a miscalculated position inside object bounds. |
Casted Pointer | The pointer does not match the type of the object, due to wrong type casting. |
Forbidden Address | The pointer points to an OS protected or non-existing address. |
Improper Object | |
---|---|
Value | Definition |
Not Enough Allocated | The allocated memory is too little for the data it should store. |
Memory Error | |
---|---|
Value | Definition |
Uninitialized Object | Object data is not filled in before use. |
Not Cleared Object | Object data is not overwritten before deallocation. |
NULL Pointer Dereference | Attempt to access an object for read or write through a NULL pointer. |
Untrusted Pointer Dereference | Attempt to access an object via an altered pointer (not legitimate dereference of tainted pointers). |
Object Corruption | Object data is unintentionally altered. |
Type Confusion | Pointer and object have different types. |
Use After Free | Attempt to use a deallocated object. |
Buffer Overflow | Read or write above the object upper bound. |
Buffer Underflow | Read or write below the object lower bound. |
Uninitialized Pointer Dereference | An attempt to access an object for read or write via an uninitialized pointer. |

Name | Value | Definition |
---|---|---|
Mechanism | Direct | The operation is performed over a particular object element. |
Mechanism | Sequential | The operation is performed after iterating over the object elements. |
Source Code | Codebase | The operation is in programmer’s code – in the application itself. |
Source Code | Third Party | The operation is in a third party library. |
Source Code | Standard Library | The operation is in the standard library for a particular programming language. |
Source Code | Language Processor | The operation is in the tool that allows execution or creates executable (compiler, assembler, interpreter). |
Execution Space | Userland | The bugged code runs in an environment with privilege levels, but in unprivileged mode (e.g., ring 3 in x86 architecture). |
Execution Space | Kernel | The bugged code runs in an environment with privilege levels, with access to privileged instructions (e.g., ring 0 in x86 architecture). |
Execution Space | Bare-Metal | The bugged code runs in an environment without privilege control. Usually, the program is the only software running and has total access to the hardware. |
Span | Little | A few bytes of memory are accessed. |
Span | Moderate | Several bytes of memory are accessed, but less than 1 KB. |
Span | Huge | More than 1 KB of memory is accessed. |
Location | Stack | The object is a non-static local variable (defined in a function, a passed parameter, or a function return address). |
Location | Heap | The object is a dynamically allocated data structure (e.g., via malloc() and new). |