Re: [EXT] CWE for memory safety failures?


Re: [EXT] CWE for memory safety failures?

asummers
Administrator
Jim,

Thanks for your note. I agree that memory safety is a key security topic, especially as it relates to programming languages. We do not currently have a label for sets of weaknesses in the way you describe. We do, however, have a hierarchical structure that may provide for you an illustration of these types of issues: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer (https://cwe.mitre.org/data/definitions/119.html) comes to mind. Within that entry there are a number of "child" relationships for weaknesses related to memory safety issues. Is this helpful?

Cheers,
Alec

--
Alec J. Summers
Cyber Solutions Division
Group Leader, Software Assurance
Cyber Security Engineer, Lead
O: (781) 271-6970
C: (781) 496-8426
––––––––––––––––––––––––––––––––––––
MITRE - Solving Problems for a Safer World

On 6/9/20, 10:51 PM, "Jim Duncan" <[hidden email]> wrote:

    Is there a CWE entry specifically for memory safety failures?

    I haven't found one. Is there any alternative to iterating through specific entries to identify them as such?

    This could be a powerful weakness label. Organizations are looking for justifications to switch to memory-safe languages like Rust. It would be extremely valuable to be able to point to entire swaths of flaws that result from failures of memory safety.

    BTW, "memory safety" would also be a useful term to add to the vulnerability theory glossary.

    Thanks in advance.

    Jim

    ==
    James N. Duncan, CISSP
    Security Engineer, Juniper Secure Development Lifecycle (SDL) Program
    E-mail: [hidden email]    Mobile: +1 919-608-0748
    PGP key fingerprint: E09E EA55 DA28 1399 75EB D6A2 7092 9A9C 6DC3 1821



Re: [EXT] CWE for memory safety failures?

jnduncan
Alec, thanks for your reply.

I am aware of CWE-119, but memory safety is more than keeping the lines inside the box.

Consider this work in progress, just my first pass at collating a list of memory safety issues, below, between the "=====". I have marked the entries I believe are strongly correlated with "(*)". I marked questionable entries with "(?)". All are subject to modification; this is not a finished work.

Note that CWE-119 is linked to maybe about a dozen of these 99 items.

Let me know your thoughts. Thanks again.

        Jim

=====

118:Incorrect Access of Indexable Resource ('Range Error')
119:Improper Restriction of Operations within the Bounds of a Memory Buffer (*)
120:Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (*)
121:Stack-based Buffer Overflow (*)
122:Heap-based Buffer Overflow (*)
123:Write-what-where Condition (*)
124:Buffer Underwrite ('Buffer Underflow') (*)
125:Out-of-bounds Read (*)
126:Buffer Over-read (*)
127:Buffer Under-read (*)
128:Wrap-around Error (*)
129:Improper Validation of Array Index (*)
130:Improper Handling of Length Parameter Inconsistency (*)
131:Incorrect Calculation of Buffer Size (*)
134:Use of Externally-Controlled Format String (*)
135:Incorrect Calculation of Multi-Byte String Length (*)

170:Improper Null Termination (*)
188:Reliance on Data/Memory Layout (?)
190:Integer Overflow or Wraparound (*)
191:Integer Underflow (Wrap or Wraparound) (*)
192:Integer Coercion Error
193:Off-by-one Error (*)
194:Unexpected Sign Extension
195:Signed to Unsigned Conversion Error (*)
196:Unsigned to Signed Conversion Error (*)
197:Numeric Truncation Error (*)

226:Sensitive Information Uncleared in Resource Before Release for Reuse
242:Use of Inherently Dangerous Function (?)
244:Improper Clearing of Heap Memory Before Release ('Heap Inspection')
369:Divide By Zero (?)
395:Use of NullPointerException Catch to Detect NULL Pointer Dereference

401:Missing Release of Memory after Effective Lifetime
415:Double Free (*)
416:Use After Free (*)
456:Missing Initialization of a Variable (*)
457:Use of Uninitialized Variable
463:Deletion of Data Structure Sentinel
464:Addition of Data Structure Sentinel
465:Pointer Issues
466:Return of Pointer Value Outside of Expected Range (*)
467:Use of sizeof() on a Pointer Type (*)
468:Incorrect Pointer Scaling
469:Use of Pointer Subtraction to Determine Size (*)
476:NULL Pointer Dereference (*)
479:Signal Handler Use of a Non-reentrant Function

493:Critical Public Variable Without Final Modifier
495:Private Data Structure Returned From A Public Method
496:Public Data Assigned to Private Array-Typed Field
499:Serializable Class Containing Sensitive Data (?)
500:Public Static Field Not Marked Final

543:Use of Singleton Pattern Without Synchronization in a Multithreaded Context (?)
562:Return of Stack Variable Address
567:Unsynchronized Access to Shared Data in a Multithreaded Context
582:Array Declared Public, Final, and Static
587:Assignment of a Fixed Address to a Pointer
588:Attempt to Access Child of a Non-structure Pointer (*)
590:Free of Memory not on the Heap (*)
591:Sensitive Data Storage in Improperly Locked Memory
621:Variable Extraction Error

663:Use of a Non-reentrant Function in a Concurrent Context (?)
680:Integer Overflow to Buffer Overflow (*)
681:Incorrect Conversion between Numeric Types
682:Incorrect Calculation
690:Unchecked Return Value to NULL Pointer Dereference
704:Incorrect Type Conversion or Cast
761:Free of Pointer not at Start of Buffer (*)
762:Mismatched Memory Management Routines (*)
763:Release of Invalid Pointer or Reference
766:Critical Data Element Declared Public (?)
767:Access to Critical Private Variable via Public Method (?)
771:Missing Reference to Active Allocated Resource (?)
781:Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code (?)

785:Use of Path Manipulation Function without Maximum-sized Buffer (*)
786:Access of Memory Location Before Start of Buffer (*)
787:Out-of-bounds Write (*)
788:Access of Memory Location After End of Buffer (*)
789:Uncontrolled Memory Allocation
805:Buffer Access with Incorrect Length Value (*)
806:Buffer Access Using Size of Source Buffer
822:Untrusted Pointer Dereference (*)
823:Use of Out-of-range Pointer Offset (*)
824:Access of Uninitialized Pointer (*)
825:Expired Pointer Dereference (*)
832:Unlock of a Resource that is not Locked (?)
839:Numeric Range Comparison Without Minimum Check (*)
843:Access of Resource Using Incompatible Type ('Type Confusion') (*)
908:Use of Uninitialized Resource (?)
909:Missing Initialization of Resource (?)
911:Improper Update of Reference Count (?)

=====

==
James N. Duncan, CISSP
Security Engineer, Juniper Secure Development Lifecycle (SDL) Program
E-mail: [hidden email]    Mobile: +1 919-608-0748
PGP key fingerprint: E09E EA55 DA28 1399 75EB D6A2 7092 9A9C 6DC3 1821





RE: [EXT] CWE for memory safety failures?

Christey, Steven M.
Jim,

With the hierarchical structure of CWE, many of the weaknesses you mention are associated with CWE-119, but as grandchildren or other descendants.  For example, CWE-787 (Out-of-bounds Write) has children for stack-based overflow (CWE-121), heap-based overflow (CWE-122), buffer underwrite (CWE-124), etc.

There are various weaknesses that are not themselves memory safety problems, but they can lead to memory safety problems.  Some of the CWE examples you gave, such as calculation errors including integer overflow (CWE-190) or numeric comparison without a minimum check (CWE-839), would be reflected as chaining relationships (typically CanPrecede/CanFollow).

I agree that "memory safety" as a term probably should be reflected somewhere, since it's commonly used.  It's not immediately clear to me how to address that, although CWE-119 itself should probably have it listed as an alternate term.

However, many CWE entries have a Common Consequence element with a Technical Impact of "Modify Memory" or "Read Memory" which probably gets closer to what you're thinking about.

In CWE 4.0, we introduced "view filters" that allow you to highlight certain subsets of a view based on certain criteria.  For example, for the CWE research view 1000, you could visit:

    https://cwe.mitre.org/custom/view.html?id=1000

and select Consequences of "Modify Memory" and/or "Read Memory" to then yield this result:

    https://cwe.mitre.org/cgi-bin/viewgen.cgi?id=1000&qs=_0_0_0_3

Note that this filter behavior currently includes any CWE with a "Varies by Context" impact, but we will revisit that behavior, as it can cause confusion by highlighting unexpected entries.

A quick perusal of these results shows that some entries need to have a modify/read memory noted in the Common Consequences, so we will update CWE data for this.

Finally - I wonder what differences there are - or should be - between "memory management" and "memory safety."  For example, your list includes memory leaks (CWE-401) - if your program inadvertently consumes memory, is that considered a "memory safety" problem?

Hope this helps, and thank you for identifying some improvements that we could make within CWE.

- Steve
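Added example, not part of the thread and not MITRE's own tooling: a Python walk over a small XML fragment written in the general shape of the CWE XML export. It serves both Jim's list above (which of his candidates sit where) and Steve's three mechanisms: ChildOf descendants of CWE-119 (grandchildren included), CanPrecede/CanFollow chains for entries such as CWE-190 and CWE-839 that are not memory-unsafe themselves but lead there, and the Technical Impact filter with its "Varies by Context" caveat. The element and attribute names (`Weakness`, `Related_Weakness`, `Nature`, `CWE_ID`, `View_ID`, `Impact`) are assumptions to verify against the real schema, and the sample relationships and impacts are constructed for illustration; the real download also declares a default XML namespace, so tag names would need that prefix.

```python
import xml.etree.ElementTree as ET
from collections import deque

# CONSTRUCTED sample in the general shape of the CWE XML export. Element and
# attribute names are assumptions; the links mirror what the thread describes
# (787 under 119; 121/122/124 under 787; 190 and 839 as chains), and the
# impacts for 839 and 401 are invented to exercise the filter.
SAMPLE_XML = """<Weakness_Catalog><Weaknesses>
<Weakness ID="119" Name="Improper Restriction of Operations within the Bounds of a Memory Buffer">
  <Common_Consequences><Consequence><Impact>Modify Memory</Impact><Impact>Read Memory</Impact></Consequence></Common_Consequences>
</Weakness>
<Weakness ID="787" Name="Out-of-bounds Write">
  <Related_Weaknesses><Related_Weakness Nature="ChildOf" CWE_ID="119" View_ID="1000"/></Related_Weaknesses>
  <Common_Consequences><Consequence><Impact>Modify Memory</Impact></Consequence></Common_Consequences>
</Weakness>
<Weakness ID="121" Name="Stack-based Buffer Overflow">
  <Related_Weaknesses><Related_Weakness Nature="ChildOf" CWE_ID="787" View_ID="1000"/></Related_Weaknesses>
  <Common_Consequences><Consequence><Impact>Modify Memory</Impact></Consequence></Common_Consequences>
</Weakness>
<Weakness ID="122" Name="Heap-based Buffer Overflow">
  <Related_Weaknesses><Related_Weakness Nature="ChildOf" CWE_ID="787" View_ID="1000"/></Related_Weaknesses>
  <Common_Consequences><Consequence><Impact>Modify Memory</Impact></Consequence></Common_Consequences>
</Weakness>
<Weakness ID="124" Name="Buffer Underwrite ('Buffer Underflow')">
  <Related_Weaknesses><Related_Weakness Nature="ChildOf" CWE_ID="787" View_ID="1000"/></Related_Weaknesses>
  <Common_Consequences><Consequence><Impact>Modify Memory</Impact></Consequence></Common_Consequences>
</Weakness>
<Weakness ID="125" Name="Out-of-bounds Read">
  <Related_Weaknesses><Related_Weakness Nature="ChildOf" CWE_ID="119" View_ID="1000"/></Related_Weaknesses>
  <Common_Consequences><Consequence><Impact>Read Memory</Impact></Consequence></Common_Consequences>
</Weakness>
<Weakness ID="190" Name="Integer Overflow or Wraparound">
  <Related_Weaknesses><Related_Weakness Nature="CanPrecede" CWE_ID="119" View_ID="1000"/></Related_Weaknesses>
  <Common_Consequences><Consequence><Impact>Modify Memory</Impact></Consequence></Common_Consequences>
</Weakness>
<Weakness ID="839" Name="Numeric Range Comparison Without Minimum Check">
  <Related_Weaknesses><Related_Weakness Nature="CanPrecede" CWE_ID="787" View_ID="1000"/></Related_Weaknesses>
  <Common_Consequences><Consequence><Impact>Varies by Context</Impact></Consequence></Common_Consequences>
</Weakness>
<Weakness ID="401" Name="Missing Release of Memory after Effective Lifetime">
  <Common_Consequences><Consequence><Impact>DoS: Resource Consumption (Memory)</Impact></Consequence></Common_Consequences>
</Weakness>
</Weaknesses></Weakness_Catalog>"""

MEMORY_IMPACTS = {"Read Memory", "Modify Memory"}


def load_catalog(xml_text):
    """Return {cwe_id: {name, parents, precedes, impacts}} using only view-1000 relationships."""
    catalog = {}
    for w in ET.fromstring(xml_text).iter("Weakness"):
        entry = {"name": w.get("Name"), "parents": set(), "precedes": set(), "impacts": set()}
        for rel in w.iter("Related_Weakness"):
            if rel.get("View_ID", "1000") != "1000":
                continue  # only the research view, as in Steve's example
            if rel.get("Nature") == "ChildOf":
                entry["parents"].add(rel.get("CWE_ID"))
            elif rel.get("Nature") == "CanPrecede":
                entry["precedes"].add(rel.get("CWE_ID"))
        for imp in w.iter("Impact"):
            entry["impacts"].add((imp.text or "").strip())
        catalog[w.get("ID")] = entry
    return catalog


def descendants(catalog, root):
    """Everything below root via ChildOf edges: children, grandchildren and further."""
    children = {}
    for cid, entry in catalog.items():
        for parent in entry["parents"]:
            children.setdefault(parent, set()).add(cid)
    seen, queue = set(), deque([root])
    while queue:
        for child in children.get(queue.popleft(), ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def chained_into(catalog, target):
    """Entries that CanPrecede target or any of its descendants (chaining, not hierarchy)."""
    family = descendants(catalog, target) | {target}
    return {cid for cid, e in catalog.items() if e["precedes"] & family}


def memory_impact_filter(catalog, include_varies=False):
    """Mimic the Technical Impact view filter; include_varies reproduces the 'Varies by Context' caveat."""
    wanted = MEMORY_IMPACTS | ({"Varies by Context"} if include_varies else set())
    return {cid for cid, e in catalog.items() if e["impacts"] & wanted}


def classify(catalog, candidates, anchor="119"):
    """Label each candidate ID by how (or whether) it connects to the anchor entry."""
    desc, chain, mem = descendants(catalog, anchor), chained_into(catalog, anchor), memory_impact_filter(catalog)
    labels = {}
    for cid in candidates:
        if cid in desc:
            labels[cid] = "descendant of CWE-" + anchor
        elif cid in chain:
            labels[cid] = "chains into CWE-" + anchor
        elif cid in mem:
            labels[cid] = "memory impact only"
        else:
            labels[cid] = "no memory-safety link"
    return labels


if __name__ == "__main__":
    cat = load_catalog(SAMPLE_XML)
    for cid, label in sorted(classify(cat, ["121", "125", "190", "839", "401"]).items()):
        print(f"CWE-{cid}: {cat[cid]['name']} -> {label}")
```

On this constructed data CWE-401 ends up with no link to CWE-119 at all, which is exactly the memory-management versus memory-safety question Steve raises; running the same functions over the real export would show where the actual data places it.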

