Jon, We are aware of this new discovery but haven't researched it closely enough from a CWE perspective. It's slated to be addressed in CWE 4.7 (around January/February 2022). In my informal consideration of the problem when it first came out, there seem to be some challenges with respect to CWE-style classification. For example the bidirectional manipulations in the papers involve a form of "visual overlay," which is identified as a potential subtype of CWE-451 "User Interface (UI) Misrepresentation of Critical Information" which, as mentioned in CWE-451's Maintenance notes, probably could use some further breakdown into Base- or Variant-level weaknesses. However, visual overlay can apply to any number of other technical elements (e.g. "layers" in GUIs/browsers) so there's a little more consideration that needs to be made. For homoglyphs - while CWE-1007 doesn't specifically mention Unicode, I believe that it's in scope, since homoglyphs can be a concern regardless of the encoding being used.
My current thinking around CWE-506 and related "malicious-code" weaknesses from Landwehr's taxonomy [1] has been evolving. Over the past 10+ years, we've effectively required a "weakness" to give some kind of (even abstract) notion of the behavior that is incorrectly implemented. Since a malicious adversary with appropriate privileges could insert *any* kind of error into code, the characterizations of malicious/trojan/etc. code could be a result of - or intentionally introduce - any other weakness covered by CWE. Consider a backdoor account inserted by a malicious adversary - it's also classifiable as incorrect authentication or use of hardcoded credentials. Because there's so much overlap between these malware-ish entries and the rest of CWE, it suggests to me that there is a limitation of the CWE model that requires deeper research, although this research is currently a lower priority than expansion or discussion of CWE's scope with respect to other areas such as hardware. My current suspicion is that the CWE entries that are related to Landwehr's "genesis" model of how vulnerabilities are introduced are a kind of complementary dimension or facet of vulnerabilities that may be interesting, but are not centered around a specific mistake - and therefore, not a weakness as CWE defines it.

[1] https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf

- Steve

-----Original Message-----
From: Hood, Jonathan W CTR USARMY DEVCOM AVMC (USA) <jonathan.w.hood6....@army.mil>
Sent: Tuesday, November 30, 2021 4:51 PM
To: CWE Research Discussion <cwe-research-list@mitre.org>
Subject: CWE Clarification: CWE-1007 and Homoglyphs in Source Code

Currently, CWE-1007 is a child of UI misrepresentation.
However, source code can be maliciously injected using bidi and Unicode homoglyphs as well (see https://www.swatips.com/articles/20211129.html and https://arxiv.org/abs/2111.00169 and the examples under https://github.com/nickboucher/trojan-source/tree/main/C%2B%2B). Would it be appropriate to modify CWE-1007 so that it doesn't just apply to reflected Unicode attacks against a user, or would it be more appropriate to create a new CWE as a child of CWE-506 to reflect injecting source code using Unicode representations?

Thanks!
Jon
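As an added illustration of the two source-level manipulations the thread discusses (bidi control characters that reorder how a reviewer sees a line, and non-ASCII identifiers that look like ASCII ones), here is a small Python scanner a reviewer or CI job could run over a source tree. It is example code written for this page, not code from either message, from the Trojan Source paper or from the linked repository. The BIDI_CONTROLS set lists the override, embedding and isolate characters the paper covers; the CONFUSABLES map is a hand-picked Cyrillic subset constructed for the example, not the full Unicode confusables table; the SAMPLE input is constructed.

```python
"""Scanner for Trojan Source style anomalies in source text.

Flags (1) Unicode bidirectional control characters anywhere in the file,
including inside comments and string literals, and (2) identifiers that
contain non-ASCII code points, reporting the ASCII identifier they would
be confused with when every non-ASCII character is a known look-alike.
"""
import re

# Bidi override / embedding / isolate controls (the set discussed in the
# Trojan Source paper).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}

# Constructed subset of Cyrillic letters that render like Latin letters.
# The real Unicode confusables data is much larger; this is for illustration.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u041d": "H", "\u0421": "C",
}

# Identifier: a Unicode word character that is not a digit, then word chars.
# Bidi controls are format characters, not word characters, so they never
# become part of an identifier match.
IDENT_RE = re.compile(r"[^\W\d]\w*", re.UNICODE)


def find_bidi_controls(text):
    """Return (line, column, name) for every bidi control character."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, BIDI_CONTROLS[ch]))
    return findings


def find_homoglyph_identifiers(text):
    """Return (line, identifier, ascii_lookalike) for identifiers that
    contain non-ASCII code points. ascii_lookalike is the identifier with
    every confusable folded to its Latin twin, or None when some non-ASCII
    character is not in the CONFUSABLES subset (still worth a look)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for ident in IDENT_RE.findall(line):
            if ident.isascii():
                continue
            folded = []
            for ch in ident:
                if ch.isascii():
                    folded.append(ch)
                elif ch in CONFUSABLES:
                    folded.append(CONFUSABLES[ch])
                else:
                    folded = None
                    break
            findings.append((lineno, ident, "".join(folded) if folded else None))
    return findings


def scan(text):
    """Run both checks and return a dict; a non-empty list means the file
    deserves manual review before merge."""
    return {
        "bidi": find_bidi_controls(text),
        "homoglyphs": find_homoglyph_identifiers(text),
    }


# Constructed sample: line 2 mimics the "commented-out code that is really
# executed" pattern (RLO/LRI/PDI inside a comment); line 3 declares a second
# variable whose first letter is Cyrillic; line 4 is a harmless accented name.
SAMPLE = (
    "int access_level = 0;\n"
    "/* \u202e } \u2066 if (is_admin) \u2069 \u2066 begin admin only */\n"
    "int \u0430ccess_level = 1;\n"
    "int caf\u00e9 = 2;\n"
)

if __name__ == "__main__":
    report = scan(SAMPLE)
    for lineno, col, name in report["bidi"]:
        print(f"line {lineno} col {col}: bidi control {name}")
    for lineno, ident, twin in report["homoglyphs"]:
        hint = f"looks like '{twin}'" if twin else "non-ASCII, no known twin"
        print(f"line {lineno}: identifier {ident!r} ({hint})")
```

Running it on SAMPLE reports four bidi controls on line 2, the Cyrillic-initial identifier on line 3 folded to access_level (the same name as the ASCII variable on line 1, which is the point of the attack), and the accented identifier on line 4 as non-ASCII without a known twin. Reporting the folded ASCII form lets a reviewer grep for the collision directly rather than diffing code points by eye.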