Scientific Programming

Research Article

A Pattern-Based Software Testing Framework for Exploitability Evaluation of Metadata Corruption Vulnerabilities

Table 5

Typical mapping relation for a heap allocator.


o

A	C₁	.L_Fi=<0,0,0,c₁,c₂, …,c_N-1>,c_A = c_N
	¬C₁∧C₂	.L_Si=<0,0,1,c₂, …,c_N>,c_A = c₁
	¬C₁∧¬C₂∧C₃	ChBins(.L_L,.L_S),.U=Nul, c_A = c₁
	¬C₁∧¬C₂∧¬C₃∧C₄	Split(c₁,c_i,c_j) ∧c_i.s_c = size, c_A = c_i, ChBins(.L_L,.L_S),.U=Nul
	¬C₁∧¬C₂∧¬C₃∧¬C₄∧C₅	Split(c_k,c_i,c_j) ∧c_i.s_c = size, c_A = c_i,ChSpl(c_j)
	¬C₁∧¬C₂∧¬C₃∧¬C₄∧¬C₅∧	.L_Si=<0,0,1,c₂, …,c_N>,c_A = c₁
	¬C₁∧¬C₂∧¬C₃∧¬C₄∧¬C₅∧¬∧	Split(c₁,c_i,c_j) ∧c_i.s_c = size, c_A = c_i, ChBins(.L_L,.L_S),.U=Nul
	¬C₁∧¬C₂∧¬C₃∧¬C₄∧¬C₅∧¬∧¬∧C₆	Split(T,c_i,c_j) ∧c_i.s_c = size, c_A = c_i,T.s_c = c_j.s_c

F	C₇	.L_Fi=<0,0,0,c₁,c₂, …,c_N,c_F>
	¬C₇∧C₈	Merge(c_L,c_F),.U=<1,0,1,c₁,c₂, …,c_N,c_L>
	¬C₇∧¬C₈∧C₉	Merge(T,c_F)
	¬C₇∧¬C₈∧¬C₉∧C₁₀	Merge(c_F,c_H),.U=<1,0,1,c₁,c₂, …,c_N,c_F>

A, allocation; , deallocation; reallocation can be regarded as one of these. The allocator needs to check and again after checking the previous 5 conditions.