Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Data Type Bugs Taxonomy: Integer Overflow, Juggling, and Pointer Arithmetics in Spotlight

Published

Author(s)

Irena Bojanova, Carlos Eduardo Cardoso Galhardo, Sara Moshtari

Abstract

In this work, we present an orthogonal classification of data type bugs, allowing precise structured descriptions of related software vulnerabilities. We utilize the Bugs Framework (BF) approach to define four language-independent classes that cover all possible kinds of data type bugs. In BF each class is a taxonomic category of a weakness type defined by sets of operations, cause-->consequence relations, and attributes. A BF description of a bug or a weakness is an instance of a taxonomic BF class with one operation, one cause, one consequence, and their attributes. Any vulnerability then can be described as a chain of such instances and their consequence–cause transitions. With our newly developed classes Declaration Bugs, Name Resolution Bugs, Type Conversion Bugs, and Type Computation Bugs, we confirm that BF is a classification system that extends the Common Weakness Enumeration (CWE). The proposed classes allow clear communication about software bugs which are related to misuse of data types, and provide a structured way to precisely describe data type-related vulnerabilities.
Conference Dates
October 3-6, 2022
Conference Location
All Vitrual, MD, US
Conference Title
29th Annual IEEE Software Technology Conference (STC 2022)

Keywords

Bug classification, bug taxonomy, software vulnerability, software weakness, type conversion, integer overflow, pointer scaling, juggling.

Citation

Bojanova, I. , Cardoso Galhardo, C. and Moshtari, S. (2022), Data Type Bugs Taxonomy: Integer Overflow, Juggling, and Pointer Arithmetics in Spotlight, 29th Annual IEEE Software Technology Conference (STC 2022), All Vitrual, MD, US, [online], https://doi.org/10.1109/STC55697.2022.00035, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=935220 (Accessed December 4, 2022)
Created November 18, 2022, Updated November 29, 2022