Jon,

We are aware of this new discovery but haven't researched it closely enough 
from a CWE perspective. It's slated to be addressed in CWE 4.7 (around 
January/February 2022). In my informal consideration of the problem when it 
first came out, there seem to be some challenges with respect to CWE-style 
classification. For example the bidirectional manipulations in the papers 
involve a form of "visual overlay," which is identified as a potential subtype 
of CWE-451 "User Interface (UI) Misrepresentation of Critical Information" 
which, as mentioned in CWE-451's Maintenance notes, probably could use some 
further breakdown into Base- or Variant-level weaknesses. However, visual 
overlay can apply to any number of other technical elements (e.g. "layers" in 
GUIs/browsers) so there's a little more consideration that needs to be made. 
For homoglyphs - while CWE-1007 doesn't specifically mention Unicode, I believe 
that it's in scope, since homoglyphs can be a concern regardless of the 
encoding being used.

My current thinking around CWE-506 and related "malicious-code" weaknesses from 
Landwehr's taxonomy [1] has been evolving. Over the past 10+ years, we've 
effectively required a "weakness" to give some kind of (even abstract) notion 
of the behavior that is incorrectly implemented. Since a malicious adversary 
with appropriate privileges could insert *any* kind of error into code, the 
characterizations of malicious/trojan/etc. code could be a result of - or 
intentionally introduce - any other weakness covered by CWE. Consider a 
backdoor account inserted by a malicious adversary - it's also classifiable as 
incorrect authentication or use of hardcoded credentials.

Because there's so much overlap between these malware-ish entries and the rest 
of CWE, it suggests to me that there is a limitation of the CWE model that 
requires deeper research, although this research is currently a lower priority 
than expansion or discussion of CWE's scope with respect to other areas such as 
hardware. My current suspicion is that the CWE entries that are related to 
Landwehr's "genesis" model of how vulnerabilities are introduced are a kind of 
complementary dimension or facet of vulnerabilities that may be interesting, 
but is not centered around a specific mistake - and therefore, not a weakness 
as CWE defines it.

[1] 
https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf

- Steve


-----Original Message-----
From: Hood, Jonathan W CTR USARMY DEVCOM AVMC (USA) 
<jonathan.w.hood6....@army.mil> 
Sent: Tuesday, November 30, 2021 4:51 PM
To: CWE Research Discussion <cwe-research-list@mitre.org>
Subject: CWE Clarification: CWE-1007 and Homoglyphs in Source Code

Currently, CWE-1007 is a child of UI misrepresentation. However, source code 
can be maliciously injected using bidi and Unicode homoglyphs as well (see 
https://www.swatips.com/articles/20211129.html and 
https://arxiv.org/abs/2111.00169 and the examples under 
https://github.com/nickboucher/trojan-source/tree/main/C%2B%2B). Would it be 
appropriate to modify CWE-1007 so that it doesn’t just apply to reflected 
Unicode attacks against a user, or would it be more appropriate to create a new 
CWE as a child of CWE-506 to reflect injecting source code using Unicode 
representations?

Thanks!
Jon
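The two mechanisms the thread is about - bidi override/isolate characters that make a comment or string render differently from how the compiler tokenizes it, and non-ASCII homoglyphs that let two visually identical identifiers be distinct symbols - are both mechanically detectable in source text. The following is an added example written for this page, not code from the list participants, the Trojan Source repository, or CWE. The C-like sample it scans is constructed to contain both tricks, and the CONFUSABLES map is a small hand-picked subset of the Unicode TR39 confusables table, not the full table.

```python
"""Scan source text for Trojan Source style tricks: Unicode bidi control
characters, and identifiers that contain non-ASCII letters confusable with
ASCII ones (so that two look-alike names are really two different symbols)."""
import re

# Bidi embedding/override/isolate controls from Unicode TR9. Source code has
# essentially no legitimate use for these outside of string literals that
# genuinely carry RTL text, so every occurrence is worth a look.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}

# Constructed subset of the TR39 confusables data: non-ASCII letter -> the
# ASCII letter it resembles. A production scanner would load the whole table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",   # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                   # Greek
}

# Identifier: a letter/underscore followed by word characters (Unicode-aware,
# so Cyrillic and Greek letters are included, while Cf controls are not).
IDENT_RE = re.compile(r"[^\W\d]\w*")


def find_bidi_controls(text):
    """Return (line, column, control_name) for every bidi control in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, BIDI_CONTROLS[ch]))
    return findings


def skeleton(identifier):
    """Map each confusable letter to its ASCII look-alike (TR39 'skeleton')."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in identifier)


def find_confusable_identifiers(text):
    """Return (line, identifier, skeleton, collides) for every non-ASCII
    identifier; 'collides' is True when its skeleton equals a genuine ASCII
    identifier elsewhere in the file, the dangerous two-symbols-one-look case."""
    ascii_idents = set()
    suspects = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for ident in IDENT_RE.findall(line):
            if ident.isascii():
                ascii_idents.add(ident)
            else:
                suspects.append((lineno, ident, skeleton(ident)))
    return [(ln, ident, sk, sk in ascii_idents) for ln, ident, sk in suspects]


# Constructed sample: a comment whose visible text hides an early '}' and an
# 'if', plus a Cyrillic-'a' twin of safe_mode. Escapes are used so the file
# itself is unambiguous about which code points are present.
SAMPLE = (
    "int main() {\n"
    "    bool is_admin = false;\n"
    "    /*\u202e } \u2066if (is_admin)\u2069 \u2066 begin admins only */\n"
    "        printf(\"admin\\n\");\n"
    "    /* end admins only \u202e { \u2066*/\n"
    "    int s\u0430fe_mode = 1;   /* Cyrillic a */\n"
    "    int safe_mode = 0;\n"
    "    return safe_mode;\n"
    "}\n"
)

if __name__ == "__main__":
    for ln, col, name in find_bidi_controls(SAMPLE):
        print(f"line {ln} col {col}: bidi control {name}")
    for ln, ident, sk, collides in find_confusable_identifiers(SAMPLE):
        flag = " (collides with ASCII identifier)" if collides else ""
        print(f"line {ln}: non-ASCII identifier {ident!r} looks like {sk!r}{flag}")
```

The bidi check is deliberately blunt (it flags the controls anywhere, including inside string literals) because a reviewer wants to see every occurrence and decide; a CI gate that wants fewer false positives can restrict it to comments and strings only, which is where the published tricks live. The homoglyph check reports every non-ASCII identifier but singles out the ones whose skeleton matches a real ASCII name, since an isolated non-ASCII identifier is merely unusual, while a look-alike pair is the actual attack.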
