Bug Classes

This page contains a list of the various classes of bugs that fuzz testing can find. It contains explanations and example of each bug type, and will be maintained over time as our fuzzing capabilities expand.

Buffer Overflow

Buffer overflows occur when a memory buffer has more data written to it than its size, or when a memory buffer is read beyond its boundaries. In the case of reads, this can result in unintended data exposure. Classic examples include Heartbleed and Cloudbleed. In the case of writes, an attacker may be able to execute arbitrary code or alter the intended control flow of the program. In either case, an attacker may cause unintended crashes or Denial of Service.

Relevant CWEs: CWE 119, CWE 680, CWE 131

Array Index Out of Bounds

Array index out of bounds errors occur when an array index larger than the length of an array is accessed. They can cause unhandled exceptions, denial of service, and other unintended crashes and errors.

Relevant CWEs: CWE 129

Improper Input Validation

Improper input validation can be the source of many unintended errors. Attackers can use malicious inputs to to modify data, deny service, or alter control flow in unexpected ways, including arbitrary command execution.

Relevant listings: OWASP Top 10, CWE 20

Memory Use After Free

Memory use after free occurs when a pointer to memory is kept around and accessed after the memory it points to has been freed for use elsewhere. If malicious data is entered, and then used by the old code, it can result in arbitrary code execution. Many zero-day vulnerabilities in applications like Google Chrome and Firefox come in the form of a memory use after free that is then used to gain further access.

Relevant CWE: CWE 416

Invalid Free of Memory

Invalid frees have the potential to cause memory corruption, which could enable an attacker to cause free() to operate on controllable memory locations to modify critical program variables or execute code. In some situations it can also cause the program to crash, resulting in denial of service.

Relevant CWE: CWE 590

Hangs & Timeouts

Hangs and timeouts occur when software takes far longer than the allowed time to process an input, potentially due to infinite loops, deadlocks, or other timing-sensitive issues. In the case of security-sensitive software, attackers can use timing bugs as the basis for various side-channel attacks. Attackers can also exploit these problems by forcing the system to consume excessive amounts of physical resources like CPU, memory, and disk.

Relevant CWEs: CWE 833, CWE 835

Off by One Errors

Off by one errors occur when programmers miscalculate the size of a data structure prior to processing. They can lead to crashes or undefined behavior, as well as infinite loops, data corruption, wrap-around errors and other memory corruption problems.

Relevant CWE: CWE 193

Invalid Bounds Checks

Invalid or improper bounds checks can affect software availability, by causing reads beyond the end of memory buffers resulting in corruption or crashes. They can also cause data integrity issues by mis-validating data, and allowing invalid inputs further into software.

Relevant CWE: CWE 839

Integer Overflow/Wraparound

Integer overflows or wraparounds can result in undefined behavior, crashes, and data integrity issues. In the context of looping they can also result in infinite loops, which may cause unintended hangs and timeouts.

Relevant CWE: CWE 190

Type Error/Confusion

Type errors, confusion and incorrect casts can result in data loss & integrity issues, as well as undefined behavior, crashes, and unhandled exceptions.

Relevant CWEs: CWE 704, CWE 483

Out of Bounds Read

Out of Bounds reads occur when developers miscalculate the boundary of a buffer, and reads data past the end or beginning of the buffer. This can allow attackers to read sensitive information from other memory locations, or in some situations cause crashes and denial of service.

Relevant CWE: CWE 125

Out of Bounds Write

Out of Bounds writes occur when developers miscalculate the boundary of a buffer, and writes data past the end or beginning of the buffer. This can result in data corruption or crashes, and in some situations can be exploited by an attacker to achieve arbitrary code execution capabilities.

Relevant CWE: CWE 787

Memory Corruption

Memory corruption bugs involve the improper handling and usage of memory in unsafe languages like C or C++. They can involve access control violations, undefined behavior, data integrity issues, and other serious vulnerabilities.

Relevant CWEs: CWE 1257, CWE 1260

Null Pointer Dereference

Null pointer dereferences occur when a program attempts to dereference a pointer it expects to be valid, but instead turns out to be null. They generally result in denial of service as a result of crashes or unexpected aborts.

Relevant CWE: CWE 476

Invalid Memory Pointer

Invalid pointer errors occur when incorrectly-calculated memory pointers are used to access data. They can result in data confidentiality problems, memory corruption errors, and potentially arbitrary code execution.

Relevant CWE: CWE 786

Race Conditions

Race conditions include all classes of bugs to do with improper handling of concurrent code execution. They can include misuse of mutexes, improper handling of concurrent reads and writes to shared data structures, or other synchronization and idempotency bugs. Race conditions may result in data integrity issues, memory corruption, denial of service, and other crashes.

Relevant CWEs: CWE 366, CWE 364, CWE 362, CWE 421, CWE 662, CWE 1223, CWE 368

Undefined Behavior

Undefined behavior consists of the class of bugs related to mishandling of memory, or reliance on unspecified implementation details, that can result in undefined behavior. Examples can include signed integer overflows, null pointer dereferences, returning pointers to stack variables from functions, or reliance on behviors that are undefined in the specification of the programming language in use. Undefined behavior can result in data integrity problems, memory corruption, crashes, denial of service, and in some situations enable attackers to achieve remote/arbitrary code execution.

Relevant CWEs: CWE 562, CWE 758, CWE 232

Unhandled Exceptions

Unhandled exceptions occur when developers to not take every possible exception into account when handling errors. Improper exception handling can result in crashes, sensitive data exposure, and denial of service.

Relevant CWE: CWE 248

Denial of Service

Denial of service encompasses all types of unhandled exceptions, memory corruption, and crashing errors that result in critical services becoming unexpectedly unavailable.

Relevant listings: OWASP Top 10, OAT-015,

Infinite Loop

Infinite loops occur when developers miscalculate the proper boundary or exit conditions for a loop. Attackers can exploit these loops to consume excessive amounts of physical resources like CPU, memory, and disk.

Relevant CWE: CWE 835