logo

Reliance on Data/Memory Layout

Draft Base
Structure: Simple
Description

This vulnerability occurs when software incorrectly assumes how data is structured in memory or within network packets, leading to unexpected behavior when those underlying layouts change.

Extended Description

At the system level, memory layout is not universal. Different compilers, architectures, or platform updates can change how variables are ordered, aligned, or padded in memory. For example, one system might place two variables adjacent to each other, while another inserts space between them for performance alignment. If your code assumes a specific, fixed arrangement—like calculating offsets between variables—it will break when ported or run in a different environment, potentially reading corrupt data or causing crashes. In network protocols, similar risks exist when parsing messages. Developers often use fixed offsets relative to known header fields to locate specific data. However, new protocol versions, optional extensions, or edge cases can introduce unexpected padding or reorder fields. This causes the software to misinterpret packet contents, treating one type of data (like a length field) as another (like payload data), which can lead to security flaws like information disclosure or denial of service.
Common Consequences 1
Scope: IntegrityConfidentiality

Impact: Modify MemoryRead Memory

Can result in unintended modifications or exposure of sensitive memory.
Detection Methods 1
FuzzingHigh
Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
Potential Mitigations 3
Phase: ImplementationArchitecture and Design
In flat address space situations, never allow computing memory addresses as offsets from another memory address.
Phase: Architecture and Design
Fully specify protocol layout unambiguously, providing a structured grammar (e.g., a compilable yacc grammar).
Phase: Testing
Testing: Test that the implementation properly handles each case in the protocol grammar.
Demonstrative Examples 1

ID : DX-216

In this example function, the memory address of variable b is derived by adding 1 to the address of variable a. This derived address is then used to assign the value 0 to b.

Code Example:

Bad
C
c
Here, b may not be one byte past a. It may be one byte in front of a. Or, they may have three bytes between them because they are aligned on 32-bit boundaries.
References 2
The Art of Software Security Assessment
Mark Dowd, John McDonald, and Justin Schuh
Addison Wesley
2006
ID: REF-62
The CLASP Application Security Process
Secure Software, Inc.
2005
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf(2024-11-17)
ID: REF-18
Likelihood of Exploit

Low

Applicable Platforms
Languages:
C : UndeterminedC++ : Undetermined
Modes of Introduction
Implementation
Functional Areas
  1. Memory Management
Affected Resources
  1. Memory
Related Weaknesses
ChildOf: Insufficient Encapsulation of Machine-Dependent Functionality (CWE-1105)
ChildOf: Improper Interaction Between Multiple Correctly-Behaving Entities (CWE-435)
Taxonomy Mapping
  • CLASP