Slide1
Slide2 Covering CWE with Programming Languages and Tools
Robert Tice
Technical Account Manager
Slide3 What is a CWE?
Formal list of software weakness types:
Common language
Standard measuring stick for software security tools
Baseline for weakness identification, mitigation, and prevention
Slide4 Prevention vs Mitigation
Prevention
Entirely absent from application.
Mitigation
Reduced risk but may exist.
Slide5 Universal vs Application Specific
Universal
All software should be free of these vulnerabilities, e.g. buffer overflow.
Application Specific
Dependent on the application, e.g. SQL Injection.
We will talk about the universal ones.
Slide6 CWEs Prevented by Ada
CWE Identifiers: Note
467, 484: Only affects C and C++
500: Only affects C++ and Java
520, 526: Only affects .NET languages
8, 9, 487, 555, 574: Only affects Java
103, 104, 107, 108, 109, 110, 608: Only affects Struts framework
These relate to specific features of other languages.
Slide7 CWEs Prevented by Ada
CWE Identifiers: Note
588: Unsafe pointer usage
95: Unvalidated code in dynamic "eval" context
481, 482: Confusion between assignment and comparison
170: Improper null termination of strings
228, 229, 233, 237, 240 (and variants): Parameters missing/extra/confused
These relate to general problems and constructs of other languages.
Slide8 CWEs Mitigated by Ada (runtime checks)
CWE    Description
120*   Buffer Overflow
123    Write-what-where condition
124    Buffer Underwrite
125    Out-of-bounds read
126    Buffer Over-read
127    Buffer Under-read
128    Wrap-around error
129    Improper validation of array index
130    Improper handling of length parameter
131*   Incorrect calculation of buffer size
136    Type errors
190*   Integer overflow or wrap-around
191    Integer underflow or wrap-around
193    Off-by-one error
194    Unexpected sign extension
197    Numeric truncation error
252    Unchecked return value
253    Incorrect check of function return value
369    Divide-by-zero
476    Null pointer dereference
562    Return of stack variable address
682    Incorrect calculation
786    Access before start of buffer
787    Out-of-bounds write
788    Access after end of buffer
805    Buffer access with incorrect length
824    Uninitialized pointer
* 2011 CWE/SANS Top 25 Most Dangerous Software Errors (https://cwe.mitre.org/top25/)
Slide9 CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

C version (the length is a separate parameter the callee must trust):

#include <string.h>

void foo(int *arr, int length) {
    for (int i = 0; i < length; i++) {
        arr[i]++;
    }
}

void bar() {
    int myArray[10];
    // init the array
    for (int i = 0; i < 10; i++) myArray[i] = 0;
    // or memset(&myArray[0], 0, 10 * sizeof(myArray[0]));
    foo(&myArray[0], 30);   // length 30 for a 10-element array
}

Buffer overflow!

Ada version (the array carries its own bounds, so there is no separate length to get wrong):

type My_Array_Type is array (Natural range <>) of Integer;

procedure Foo (Arr : in out My_Array_Type) is
begin
   for I in Arr'Range loop
      Arr (I) := Arr (I) + 1;
   end loop;
end Foo;

procedure Bar is
   My_Array : My_Array_Type (1 .. 10) := (others => 0);
begin
   -- no accidental length computation
   -- no accidental buffer overflow because of a typo
   Foo (Arr => My_Array);
end Bar;

Ada version with an explicit Len parameter, mirroring the C code:

type My_Array_Type is array (Natural range <>) of Integer;

procedure Foo (Arr : in out My_Array_Type; Len : Natural) is
begin
   for I in 1 .. Len loop
      Arr (I) := Arr (I) + 1;
   end loop;
end Foo;

procedure Bar is
   My_Array : My_Array_Type (1 .. 10) := (others => 0);
begin
   Foo (Arr => My_Array, Len => 30);
end Bar;

The index check stops the out-of-bounds write at run time instead of letting it corrupt memory:

raised CONSTRAINT_ERROR : buffer_overflow.adb:7 index check failed
Slide10 CWE-190: Integer Overflow or Wraparound

C version:

#include <stdint.h>

volatile uint32_t myRegister;

int waitForFlag() {
    int counter = 0;
    while (myRegister == 0) {
        counter++;   // signed overflow is undefined behaviour; in practice it wraps silently
    }
    return counter;
}

Ada version:

My_Register : Integer;
pragma Volatile (My_Register);

function Wait_For_Flag return Integer is
   Counter : Integer := 0;
begin
   while My_Register = 0 loop
      Counter := Counter + 1;
   end loop;
   return Counter;
end Wait_For_Flag;

Integer overflow!

raised CONSTRAINT_ERROR : integer_overflow.adb:9 overflow check failed
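The overflow check above applies to signed integer types only; an Ada modular type wraps by definition and raises nothing. The following added example (not from the slides) puts both side by side with tiny ranges so the behaviour shows after a handful of iterations:

```ada
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Overflow_Demo is
   --  Added example, not from the slides. The signed counter gets the
   --  Slide10 overflow/range check; the modular counter wraps by definition.
   type Small_Count is range 0 .. 3;   --  tiny range so the check fires fast
   type Wrap_Count  is mod 4;          --  modular: 3 + 1 = 0, no exception

   function Count_Signed (Steps : Natural) return Small_Count is
      C : Small_Count := 0;
   begin
      for I in 1 .. Steps loop
         C := C + 1;   --  Constraint_Error once C would exceed 3
      end loop;
      return C;
   end Count_Signed;

   function Count_Modular (Steps : Natural) return Wrap_Count is
      C : Wrap_Count := 0;
   begin
      for I in 1 .. Steps loop
         C := C + 1;   --  silently wraps: 0, 1, 2, 3, 0, 1, ...
      end loop;
      return C;
   end Count_Modular;
begin
   Put_Line ("modular, 5 steps:" & Wrap_Count'Image (Count_Modular (5)));
   Put_Line ("signed, 3 steps: " & Small_Count'Image (Count_Signed (3)));
   Put_Line ("signed, 5 steps: " & Small_Count'Image (Count_Signed (5)));
   Put_Line ("not reached");
exception
   when E : Constraint_Error =>
      --  Fail-stop instead of a silent wrap: this is the CWE-190 mitigation
      Put_Line ("caught " & Exception_Name (E) & ": " & Exception_Message (E));
end Overflow_Demo;
```

The mitigation only holds while run-time checks are enabled: building with -gnatp or adding pragma Suppress (All_Checks) removes it, so a deployed build should keep the checks on for code that handles untrusted lengths or counters.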
Slide11 Static Mitigation CWE-120: Classic Buffer Overflow

procedure Main is
   type My_Array_Type is array (Natural range <>) of Integer;

   procedure Foo (Arr : in out My_Array_Type; Len : Natural) is
   begin
      for I in 1 .. Len loop
         Arr (I) := Arr (I) + 1;
      end loop;
   end Foo;

   procedure Bar is
      My_Array : My_Array_Type (1 .. 10) := (others => 0);
   begin
      Foo (Arr => My_Array, Len => 30);
   end Bar;
begin
   Bar;
end Main;

CodePeer Results:
buffer_overflow.adb:18:7: high: precondition (array index check [CWE 120]) failure on call to main.foo: requires Len = 0 or Len <= Arr'Last
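CodePeer reports the precondition it inferred for Foo; the natural next step is to write that precondition into the code as an Ada 2012 contract, so every caller is checked against it at run time and the tool can prove it. This is an added example, not code from the slides; it adds the lower-bound condition (Arr'First <= 1) that the loop also relies on:

```ada
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;
with Ada.Assertions;

procedure Contract_Demo is
   pragma Assertion_Policy (Check);   --  same effect as compiling with -gnata

   --  Added example, not from the slides: the precondition CodePeer
   --  inferred for Foo on Slide11, written as an explicit contract.
   type My_Array_Type is array (Natural range <>) of Integer;

   procedure Foo (Arr : in out My_Array_Type; Len : Natural)
     with Pre => Len = 0 or else (Arr'First <= 1 and then Len <= Arr'Last);

   procedure Foo (Arr : in out My_Array_Type; Len : Natural) is
   begin
      for I in 1 .. Len loop
         Arr (I) := Arr (I) + 1;
      end loop;
   end Foo;

   My_Array : My_Array_Type (1 .. 10) := (others => 0);
begin
   Foo (Arr => My_Array, Len => 10);   --  within 1 .. 10: allowed
   Put_Line ("My_Array (10) =" & Integer'Image (My_Array (10)));
   Foo (Arr => My_Array, Len => 30);   --  contract fails before any write
   Put_Line ("not reached");
exception
   when E : Ada.Assertions.Assertion_Error =>
      --  The violation is reported at the call site, not deep inside Foo
      Put_Line ("caught: " & Exception_Message (E));
end Contract_Demo;
```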
Slide12 Static Mitigation CWE-190: Integer Overflow

procedure Main is
   My_Register : Integer := 0;
   pragma Volatile (My_Register);

   function Wait_For_Flag return Integer is
      Counter : Integer := 0;
   begin
      while My_Register = 0 loop
         Counter := Counter + 1;
      end loop;
      return Counter;
   end Wait_For_Flag;

   Ret : Integer;
begin
   Ret := Wait_For_Flag;
end Main;

CodePeer Results:
integer_overflow.adb:10:32: low: overflow check [CWE 190] might fail: requires Counter <= Integer_32'Last-1
Slide13 CWEs Mitigated with CodePeer
The CWEs mitigated by Ada (the Slide8 table), plus these:
CWE    Description
137    Representation errors
362    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
366    Race Condition within a Thread
457    Use of Uninitialized Variable
561    Dead Code
563    Assignment to Variable without Use
570    Expression is always false
571    Expression is always true
820    Missing synchronization
821    Incorrect synchronization
835    Loop with unreachable exit
Slide14 Static Mitigation CWE-457: Use of Uninitialized Variable

with Ada.Text_IO; use Ada.Text_IO;

procedure Main is
   Global : Integer;

   procedure Init_Global is
   begin
      Global := 0;
   end Init_Global;
begin
   -- Init_Global;
   Global := Global + 5;
   Put_Line (Global'Img);
end Main;

CodePeer Results:
uninit_var.adb:17:15: high: validity check [CWE 457]: Global is uninitialized here
Slide15 How many CWE violations will CodePeer find?

with Ada.Text_IO; use Ada.Text_IO;

procedure Main is
   Flag    : Boolean := False;
   Counter : Integer;
begin
   loop
      if Flag then
         Put_Line ("Exiting...");
         exit;
      else
         Counter := Counter + 1;
         Put_Line ("Loop #" & Counter'Img);
      end if;
   end loop;
end Main;

CodePeer Results:
unreachable_exit.adb:11:12: medium warning: loop does not complete normally [CWE 835]
unreachable_exit.adb:11:12: low warning: test always false [CWE 570] because Flag = false
unreachable_exit.adb:12:13: medium warning: dead code [CWE 561] because Flag = false
unreachable_exit.adb:15:24: low: validity check [CWE 457]: Counter might be uninitialized
unreachable_exit.adb:15:32: low: overflow check [CWE 190] might fail: requires Counter <= Integer_32'Last-1
Slide16 CWEs Mitigated with SPARK Pro
The CWEs mitigated by Ada (Slide8) and with CodePeer (Slide13), plus these:
CWE    Description
188    Reliance on data layout
466    Return of pointer value outside expected range
468    Incorrect pointer scaling
469    Use of pointer subtraction to determine size
822    Untrusted pointer access
823    Out-of-range pointer offset
825    Expired pointer dereference
Slide17 Restricting to Prevent
Restriction Identifier*        CWEs Prevented
No_Allocators                  122, 244, 415, 416, 467, 590, 761
No_Tasking                     362, 364, 366, 432, 479, 543, 558, 567, 572, 585, 662, 663, 820, 821, 828, 831, 833
No_Recursion                   674
No_Exceptions                  248, 396, 397, 460, 584, 600
No_Exception_Handlers          396, 584
No_Finalization                568, 583, 586
No_Streams                     499
No_Unchecked_Conversion        197, 588, 704, 843
No_Wide_Characters             135, 176
No_Dependence                  676
* pragma Restrictions (Restriction_Identifier)
* 2011 CWE/SANS Top 25 Most Dangerous Software Errors (https://cwe.mitre.org/top25/)
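An added example (not from the slides) of applying three of the restrictions above as configuration pragmas at the top of a unit; the commented-out lines are the constructs GNAT then rejects at compile time. In a real project the pragmas would normally go in gnat.adc so they cover every unit rather than just this one (an assumption about the build setup, not something the slides state):

```ada
--  Added example, not from the slides: Slide17 restrictions applied to one
--  unit. Anything the restrictions forbid fails to compile, which is the
--  "prevention" column of Slide4 rather than a run-time mitigation.
pragma Restrictions (No_Allocators);
pragma Restrictions (No_Unchecked_Conversion);
pragma Restrictions (No_Dependence => Ada.Unchecked_Deallocation);

with Ada.Text_IO; use Ada.Text_IO;

procedure Restricted_Main is
   --  Fixed-size storage declared up front: with no 'new' there is nothing
   --  to free, double-free or use after free (the CWE-415/416 class listed
   --  for No_Allocators on Slide17).
   type Buffer is array (1 .. 8) of Integer;
   Pool : Buffer := (others => 0);

   --  Access types themselves are still allowed; only allocators are not.
   type Int_Ptr is access all Integer;
   Slot : aliased Integer := 42;
   P    : Int_Ptr := Slot'Access;   --  points at a declared object: fine
begin
   --  Each of these would be rejected under the pragmas above:
   --  P := new Integer'(0);
   --     violation of restriction "No_Allocators"
   --  function To_Int is new Ada.Unchecked_Conversion (Float, Integer);
   --     violation of restriction "No_Unchecked_Conversion"
   Pool (1) := P.all;
   Put_Line ("Pool (1) =" & Integer'Image (Pool (1)));
end Restricted_Main;
```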
Slide18 Reduce risk!
Use Ada, SPARK, and CodePeer
MITRE-recognized CWE-compatible products!
Slide19