Trends in Memory Errors

This page lists a number of plots that depict trends in discovered memory errors. We look at both vulnerabilities (extracted from the CVE data feed) and exploits (via exploit-db). We classify vulnerabilities and exploits by searching for keywords: issues with the words php, sql, or xss are said to be web-related; stack-based vulnerabilities and exploits contain the words stack-based or stack overflow in their description, for heap-based ones, we look for heap-based, heap overflow, use-after-free, and double free; integer issues must contain the words integer, signedness, or off-by-one; we identify pointer issues by looking for dereference, and dangling pointer; issues describing format string issues should contain the string format string; and finally vulnerabilities and exploits that contain the word overflow are dubbed as other.

Each vulnerability is counted only once in above order, i.e., a format string issue that allows an attacker to execute sql commands on a remote server is considered a web vulnerability. This may not always yield honest results, but it still gives an useful insight in trends in memory-errors.

In the top right corner, you can select whether vulnerabilities and exploits should be processed per 1, 2, or 3 months; using a higher time unit result in less fluctuations. You can click on a title to show or hide its figure and description, allowing you to compare graphs with each other easily.

The source code for this project is open source. Feel free to do with it what you want, but remember, if it breaks something, you get to keep both halves. If you want to know more about memory errors in general, have a look at our paper Memory Errors: The Past, the Present, and the Future.

Memory error vulnerabilities
This figure shows the absolute number of reported memory-error vulnerabilities per time unit. As of August 2016, it shows a clear linear trend over the period 1997-2007, after which the number of reported issues seems to stabilize to around 60 per month.
Memory error vulnerabilities and exploits
This figure shows the absolute number of both reported memory-error vulnerabilities and exploits per time unit. It shows that the number of available exploits is following the same (but slightly delayed) trend as reported vulnerabilities.
Memory error vulnerabilities compared to total
This figure shows the absolute number of both reported memory-errors and all vulnerabilities. Clearly, the latter is going all over the place, while the number of found memory-errors seems relatively stable.
Memory error vulnerabilities compared to total (including web)
This figure shows the absolute number of reported memory-error, web, and all vulnerabilities. It shows that the irregularities of all reported vulnerabilities can be contributed to web vulnerabilities.
Percentage of memory error vulnerabilities and exploits
This figure shows the relative number of memory-error vulnerabilities and exploits, subject to the total number of reported vulnerabilities and available exploits. It shows that since 2006, memory-errors are responsible for 10 to 20% of all issues, and that exploiting is a bit harder than finding an issue. Although 2013 may have been the start of a downward trend, recent numbers from 2015 and 2016 indicate that memory errors are back in business, justifying system security research.
Percentage of memory error vulnerabilities and exploits (including web)
This figure shows the relative number of memory-error and web vulnerabilities and exploits, subject to their totals. It shows that the downward trend in the percentage of memory-errors around the year 2003 can solely be contributed to the rise of the world-wide web. It also shows that over the last years, web issues seem to become less dominant, resulting in a slight increase of memory-errors.
Categorization of memory error vulnerabilities
This figure shows the number of reported memory-error vulnerabilities, categorized in stack-based, heap-based, integer, pointer, format string, and other issues. As expected, it shows that the stack was a popular attack vector in the early years, while recently the heap has become a more prevalent topic. This might indicate that stack-based issues are easier to find and solve automatically (e.g., by compiler extensions), while the heap is still much more difficult to reason about.
Categorization of memory error exploits
This figure shows the number of reported memory error exploits, categorized in stack-based, heap-based, integer, pointer, format string, and other issues. It shows that exploits are slowly catching up with trends in reported vulnerabilities: up till 2015, the stack was still the most popular attack vector, while only recently attackers started to look with more detail into heap attacks. It also shows that format string exploits are basically non-existent.