Hello,
The scope of this topic is much wider. It concerns the fundamental
question: What is the CWE list?
For me, CWE allows us to define what we are really talking about. In
this context, grouping doesn't matter as much as the fundamental units.
I am not saying that it is not important, but from a practical point of
view, the lowest units are the most important. A very nice comparison is
this:
In biology, scientists have argued about taxonomy for hundreds of years.
First, they were guided by the comparison of the anatomical structure,
and then, after the discovery of the genome, by phylogenetic research.
However, the basic species discovered by Linnaeus still exist today.
In my opinion, CWE-506 is more of a fundamental than a grouping unit. If
we want to combine these CWEs, we should rather create a unit over them
than use CWE-506 as parent.
Regards
Wojciech Andrijew
Parasoft Corp.
Jon,
We are aware of this new discovery but haven't researched it closely enough from a CWE perspective. It's
slated to be addressed in CWE 4.7 (around January/February 2022). In my informal consideration of the problem
when it first came out, there seem to be some challenges with respect to CWE-style classification. For
example the bidirectional manipulations in the papers involve a form of "visual overlay," which is
identified as a potential subtype of CWE-451 "User Interface (UI) Misrepresentation of Critical
Information" which, as mentioned in CWE-451's Maintenance notes, probably could use some further
breakdown into Base- or Variant-level weaknesses. However, visual overlay can apply to any number of other
technical elements (e.g. "layers" in GUIs/browsers) so there's a little more consideration that
needs to be made. For homoglyphs - while CWE-1007 doesn't specifically mention Unicode, I believe that it's
in scope, since homoglyphs can be a concern regardless of the encoding being used.
My current thinking around CWE-506 and related "malicious-code" weaknesses from
Landwehr's taxonomy [1] has been evolving. Over the past 10+ years, we've effectively required a
"weakness" to give some kind of (even abstract) notion of the behavior that is
incorrectly implemented. Since a malicious adversary with appropriate privileges could insert *any*
kind of error into code, the characterizations of malicious/trojan/etc. code could be a result of -
or intentionally introduce - any other weakness covered by CWE. Consider a backdoor account
inserted by a malicious adversary - it's also classifiable as incorrect authentication or use of
hardcoded credentials.
Because there's so much overlap between these malware-ish entries and the rest of CWE, it
suggests to me that there is a limitation of the CWE model that requires deeper research,
although this research is currently a lower priority than expansion or discussion of
CWE's scope with respect to other areas such as hardware. My current suspicion is that
the CWE entries that are related to Landwehr's "genesis" model of how
vulnerabilities are introduced are a kind of complementary dimension or facet of
vulnerabilities that may be interesting, but is not centered around a specific mistake -
and therefore, not a weakness as CWE defines it.
[1]
https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf
- Steve
-----Original Message-----
From: Hood, Jonathan W CTR USARMY DEVCOM AVMC (USA)
<jonathan.w.hood6....@army.mil>
Sent: Tuesday, November 30, 2021 4:51 PM
To: CWE Research Discussion <cwe-research-list@mitre.org>
Subject: CWE Clarification: CWE-1007 and Homoglyphs in Source Code
Currently, CWE-1007 is a child of UI misrepresentation. However, source code
can be maliciously injected using bidi and Unicode homoglyphs as well (see
https://www.swatips.com/articles/20211129.html and
https://arxiv.org/abs/2111.00169 and the examples under
https://github.com/nickboucher/trojan-source/tree/main/C%2B%2B). Would it be
appropriate to modify CWE-1007 so that it doesn’t just apply to reflected
Unicode attacks against a user, or would it be more appropriate to create a new
CWE as a child of CWE-506 to reflect injecting source code using Unicode
representations?
Thanks!
Jon
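Jon's question above concerns bidi control characters and Unicode homoglyphs being placed in source code so that what a reviewer sees differs from what the compiler parses. The following is an added example of the defensive check a project would run in CI or a pre-commit hook to surface such characters before review; it is not code from the thread, from MITRE, or from the Trojan Source project. It flags every Unicode bidirectional control character and every identifier whose letters come from more than one script. The script of a character is approximated from the first word of its Unicode character name (an assumption made here because the standard library does not expose the Script property), and the scanned C snippet is constructed for the example.

```python
import re
import unicodedata

# Unicode bidirectional control characters. They change how an editor
# displays the surrounding text but are ignored by compilers, which is
# why a reviewer and a compiler can read the same line differently.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF",
    "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# An identifier: a letter or underscore followed by word characters.
# Python's \w is Unicode-aware, so non-Latin letters are included.
IDENT = re.compile(r"[^\W\d]\w*")


def _script(ch):
    """Approximate the Unicode script of a letter from its character name,
    e.g. 'LATIN SMALL LETTER A' -> 'LATIN'. This is a heuristic assumption,
    not the real Unicode Script property."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def scan_source(text):
    """Return (line_no, kind, detail) findings for bidi controls and
    mixed-script identifiers in the given source text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for ch in line:
            if ch in BIDI_CONTROLS:
                findings.append(
                    (line_no, "bidi-control",
                     f"U+{ord(ch):04X} {BIDI_CONTROLS[ch]}"))
        for ident in IDENT.findall(line):
            scripts = {_script(c) for c in ident if c.isalpha()}
            if len(scripts) > 1:
                findings.append(
                    (line_no, "mixed-script",
                     f"{ident}: {'+'.join(sorted(scripts))}"))
    return findings


# Constructed sample input: line 3 carries a right-to-left override in a
# comment, line 4 declares an identifier spelled with a Cyrillic 'o'
# (U+043E) that renders like the Latin 'login' on line 2.
SAMPLE = (
    "int main() {\n"
    "    int login = 0;\n"
    "    /* constructed sample: a comment carrying a RLO control \u202E */\n"
    "    int l\u043egin = 1;  /* Cyrillic '\u043e' instead of Latin 'o' */\n"
    "    return login;\n"
    "}\n"
)

if __name__ == "__main__":
    for line_no, kind, detail in scan_source(SAMPLE):
        print(f"line {line_no}: {kind}: {detail}")
```

Run on a repository, the scan is most useful as a hard gate: any bidi control in source is almost never legitimate, while mixed-script identifiers deserve a human look because some projects do use non-Latin identifiers intentionally.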