Examples of Name and Relationship Changes in CWE Draft 9

If you examine the difference report at http://cwe.mitre.org/data/reports/diff_draft_8_9.html , you will see that we changed the names of over 200 entries in Draft 9 alone, and we added 275 relationships while removing 75. We also changed nearly 200 descriptions.

The main goals were:

- make the CWE name and description more clear about the weakness being covered, and try to keep the perspective on the weakness itself, instead of the attack or consequence - but preserve such terminology if it's commonplace.

- when the CWE is identifying a weakness, try to classify it under the Natural Hierarchy view (CWE-1000), i.e. it should have a parent that is a Weakness (Variant, Base, or Class). If a new node is necessary, create it (or flag the issue for review after Draft 9's release).

We tried to change the names so that a CWE consumer would not have to depend so much on looking up the item's description and context notes, just to figure out what the item was talking about. We tried to remove perspective problems where feasible, such as when a name was too focused on the associated attack. The litmus test for a name change was simple: if a CWE analyst didn't know what the issue was about upon reading the name, then most CWE users probably wouldn't know either. As a result, we removed a lot of non-specific terms such as "insecure," "improper," and "erroneous," or tried to develop some consistency when we needed to use more general terms, such as "sanitization" as an over-arching term that could cover failure to filter, decode, quote, validate, etc.

We didn't identify all the names that needed fixing, but 37% of CWE entries were modified, so this was a solid start. We definitely didn't identify the natural parents for every entry, although this effort did produce many of the new entries that were added to Draft 9. We expect this to be an ongoing process. See the CWE-1000 definition for additional explanation of the natural hierarchy.

Below are a few examples of the name changes, along with relationships that we added, to give people a sense of what we did and why.

--------------------------------------------------------

582: Mobile Code: Unsafe Array Declaration

- what's unsafe about it - is this permissions? buffer overflow? something else?

New name: Array Declared Public, Final, and Static

--------------------------------------------------------

568: Erroneous Finalize Method

- what's the error? does the software define the finalize method incorrectly? is this permissions? Does the method do too much? too little? operates on the wrong object? has a memory leak? sends private data?

New name: finalize() Method Without super.finalize()
Old parent: 399: Resource Management Errors
New parents:
  573 - Failure to Follow Specification
  404 - Improper Resource Shutdown or Release

--------------------------------------------------------

73: Path Manipulation

- name is attack-focused - how is it being manipulated - symbolic link? long pathname? path traversal? appending "%20" to retrieve source code?
- first code example is path traversal (CWE-22)
- second code example may or may not be path traversal
- RENAMED: "External Control of File Name or Path"
- ADDED ChildOf 99 Insufficient Control of Resource Identifiers (aka 'Resource Injection')

--------------------------------------------------------

4: J2EE Environment Issues

This is a general category node whose name is self-explanatory. In draft 8, however, its children rarely had any natural parents.

child: 5 J2EE Misconfiguration: Insecure Transport
  RENAMED: J2EE Misconfiguration: Data Transmission Without Encryption
  ADDED: ChildOf 311 Failure to Encrypt Sensitive Data

child: 555 J2EE Misconfiguration: Password in Configuration File
  RENAMED: J2EE Misconfiguration: Plaintext Password in Configuration File
  ADDED: ChildOf 522 Insufficiently Protected Credentials
  DESCRIPTION: modified

child: 6 J2EE Misconfiguration: Insufficient Session-ID Length
  ADDED: ChildOf 334 Small Space of Random Values

child: 7 J2EE Misconfiguration: Missing Error Handling
  Unchanged

child: 8 J2EE Misconfiguration: Entity Bean Declared Remote
  ADDED: ChildOf 668 Exposure of Resource to Wrong Sphere

child: 9 J2EE Misconfiguration: Weak Access Permissions
  RENAMED: J2EE Misconfiguration: Weak Access Permissions for EJB Methods
  ADDED: ChildOf 275 Permission Issues

--------------------------------------------------------

597 Erroneous String Compare

- what's the error - only a portion of the string is compared? It compares a string in a case-insensitive manner? It doesn't handle when one string is shorter than the other?

RENAMED: Use of Wrong Operator in String Comparison

--------------------------------------------------------

591 Memory Locking

- is this about not locking memory? Locking it incorrectly? is this a category of all different types of weaknesses that can occur during memory locking?

RENAMED: Sensitive Data Storage in Improperly Locked Memory

--------------------------------------------------------

590 Improperly Freeing Heap Memory

- does this mean double free? running free() on an object that was allocated using new() ?

RENAMED: Free of Invalid Pointer Not on the Heap

--------------------------------------------------------

560 Often Misused: umask()

- is this about setting an insecure umask? Not specifying a umask and using one that you've inherited from the caller of your program?

RENAMED: Use of umask() with chmod-style Argument
FORMER PARENT: 559 "Often Misused: Arguments and Parameters"
New parent: 687 Function Call With Incorrectly Specified Argument Value

--------------------------------------------------------

474 Inconsistent Implementations

- is this about things like how web browsers can behave differently?

RENAMED: Use of Function with Inconsistent Implementations

--------------------------------------------------------

401 Memory Leak

RENAMED: Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak')
Natural parents: none in draft 8
ADDED: ChildOf 404 Improper Resource Shutdown or Release
Re: Examples of Name and Relationship Changes in CWE Draft 9

Steven M. Christey wrote:
> we changed the names of over 200 entries in Draft 9 alone ...

> 401 Memory Leak
>
> RENAMED: Failure to Release Memory Before Removing Last Reference
> (aka 'Memory Leak')

I like the _idea_ of more-specific-names, but this one isn't quite right on two counts:

1. Many memory leaks are due to circular structures, e.g., A references B, and B references A, yet NOTHING refers to either. This _IS_ a memory leak, but not by this name.

2. Memory leaks only happen if the run-time doesn't support the necessary kind of garbage collection. Some systems build in reference-counting collectors, which means you don't need to worry about releasing memory UNLESS there's a circularity.

I think what you mean is something like "Failure to Release Memory After It Becomes Unreferenceable"

--- David A. Wheeler
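The circular-structure case Wheeler raises against the CWE-401 name, shown as an added example that is not part of either post: a hypothetical reference-counted node type (node_t, node_retain, node_release and the live_objects counter are all constructed here, not CWE or project code) where A and B reference each other, the program drops its own handles, and nothing is freed even though the pair is now unreferenceable; clearing one edge first is the mitigation.

```c
#include <stdlib.h>

/* Hypothetical minimal reference-counted object, constructed for this
 * example (not from CWE or the thread); live_objects counts unfreed nodes. */
static int live_objects = 0;
typedef struct node {
    int refcount;
    struct node *peer;           /* strong (counted) reference to another node */
} node_t;

static node_t *node_new(void) {
    node_t *n = calloc(1, sizeof *n);
    if (n) { n->refcount = 1; live_objects++; }  /* creator holds one reference */
    return n;
}

static node_t *node_retain(node_t *n) { if (n) n->refcount++; return n; }

/* Drop one reference; free the node (and release what it held) at zero. */
static void node_release(node_t *n) {
    if (!n || --n->refcount > 0) return;
    node_t *held = n->peer;      /* detach before freeing so the recursion ends */
    n->peer = NULL;
    free(n);
    live_objects--;
    node_release(held);
}

/* Build A <-> B, drop the program's own handles, and return how many nodes
 * are still live: 2 means the cycle leaked, 0 means it was reclaimed.
 * With break_cycle_first set, one edge is cleared before the last handle
 * goes away, which is the usual mitigation under reference counting. */
static int leaked_after_drop(int break_cycle_first) {
    node_t *a = node_new(), *b = node_new();
    if (!a || !b) return -1;
    a->peer = node_retain(b);    /* A -> B: B refcount 2 */
    b->peer = node_retain(a);    /* B -> A: A refcount 2 */
    if (break_cycle_first) {
        node_release(a->peer);   /* B refcount back to 1 */
        a->peer = NULL;
    }
    node_release(a);             /* program's handle on A is gone */
    node_release(b);             /* program's handle on B is gone */
    int still_live = live_objects;
    if (still_live) {            /* demo-only cleanup; a real program no longer
                                    has a or b to do this with */
        node_t *held = a->peer; a->peer = NULL; node_release(held);
    }
    return still_live;
}
```

leaked_after_drop(0) returns 2 (both nodes still allocated with refcount 1 and no path to them), while leaked_after_drop(1) returns 0.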