Hello,

The scope of this topic is much wider. It concerns the fundamental question: What is the CWE list? For me, CWE allows us to define what we are really talking about. In this context, grouping doesn't matter as much as the fundamental units. I am not saying that it is not important, but from a practical point of view, the lowest units are the most important. A very nice comparison is this: In biology, scientists have argued about taxonomy for hundreds of years. First, they were guided by the comparison of the anatomical structure, and then, after the discovery of the genome, by phylogenetic research. However, the basic species discovered by Linnaeus still exist today. In my opinion, CWE-506 is more of a fundamental than a grouping unit. If we want to combine these CWEs, we should rather create a unit over them than use CWE-506 as the parent.

Regards
Wojciech Andrijew
Parasoft Corp.

Jon,

We are aware of this new discovery but haven't researched it closely enough from a CWE perspective. It's 
slated to be addressed in CWE 4.7 (around January/February 2022). In my informal consideration of the problem 
when it first came out, there seem to be some challenges with respect to CWE-style classification. For 
example, the bidirectional manipulations in the papers involve a form of "visual overlay," which is 
identified as a potential subtype of CWE-451 "User Interface (UI) Misrepresentation of Critical 
Information" which, as mentioned in CWE-451's Maintenance notes, probably could use some further 
breakdown into Base- or Variant-level weaknesses. However, visual overlay can apply to any number of other 
technical elements (e.g. "layers" in GUIs/browsers) so there's a little more consideration that 
needs to be made. For homoglyphs - while CWE-1007 doesn't specifically mention Unicode, I believe that it's 
in scope, since homoglyphs can be a concern regardless of the encoding being used.

My current thinking around CWE-506 and related "malicious-code" weaknesses from 
Landwehr's taxonomy [1] has been evolving. Over the past 10+ years, we've effectively required a 
"weakness" to give some kind of (even abstract) notion of the behavior that is 
incorrectly implemented. Since a malicious adversary with appropriate privileges could insert *any* 
kind of error into code, the characterizations of malicious/trojan/etc. code could be a result of - 
or intentionally introduce - any other weakness covered by CWE. Consider a backdoor account 
inserted by a malicious adversary - it's also classifiable as incorrect authentication or use of 
hardcoded credentials.

Because there's so much overlap between these malware-ish entries and the rest of CWE, it 
suggests to me that there is a limitation of the CWE model that requires deeper research, 
although this research is currently a lower priority than expansion or discussion of 
CWE's scope with respect to other areas such as hardware. My current suspicion is that 
the CWE entries that are related to Landwehr's "genesis" model of how 
vulnerabilities are introduced are a kind of complementary dimension or facet of 
vulnerabilities that may be interesting, but is not centered around a specific mistake - 
and therefore, not a weakness as CWE defines it.

[1] 
https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf

- Steve


-----Original Message-----
From: Hood, Jonathan W CTR USARMY DEVCOM AVMC (USA) 
<jonathan.w.hood6....@army.mil>
Sent: Tuesday, November 30, 2021 4:51 PM
To: CWE Research Discussion <cwe-research-list@mitre.org>
Subject: CWE Clarification: CWE-1007 and Homoglyphs in Source Code

Currently, CWE-1007 is a child of UI misrepresentation. However, source code 
can be maliciously injected using bidi and Unicode homoglyphs as well (see 
https://www.swatips.com/articles/20211129.html and 
https://arxiv.org/abs/2111.00169 and the examples under 
https://github.com/nickboucher/trojan-source/tree/main/C%2B%2B). Would it be 
appropriate to modify CWE-1007 so that it doesn’t just apply to reflected 
Unicode attacks against a user, or would it be more appropriate to create a new 
CWE as a child of CWE-506 to reflect injecting source code using Unicode 
representations?

Thanks!
Jon
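The two injection mechanisms Jon names, bidirectional control characters that reorder how source is displayed and Unicode homoglyphs inside identifiers, can both be caught before code review by a plain lexical scan of the file. The following is an added example (not code from this thread, from MITRE, or from the Trojan Source project) of such a pre-merge check: it reports every Unicode bidi control character by line and column, and flags any identifier whose letters come from more than one script (the script is approximated from the first word of the character's Unicode name, a simplification that is this example's own assumption). The C snippet it scans is constructed for the example.

```python
import re
import unicodedata

# Unicode bidirectional control characters. Any of these in source text can
# make the rendered order of tokens differ from the order the compiler sees.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",
}

# Identifier-like tokens: a Unicode letter/underscore followed by word characters.
IDENT_RE = re.compile(r"[^\W\d]\w*")


def script_of(ch):
    """Approximate script of a letter from its Unicode name, e.g. 'LATIN', 'CYRILLIC'.

    Returns None for non-letters (digits, underscore, punctuation).
    Assumption of this example: the first word of the name is a good-enough script label.
    """
    if not unicodedata.category(ch).startswith("L"):
        return None
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def find_bidi_controls(text):
    """Return [(line, column, short_name)] for every bidi control character found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, BIDI_CONTROLS[ch]))
    return findings


def find_mixed_script_identifiers(text):
    """Return [(line, column, identifier, sorted_scripts)] for identifiers mixing scripts.

    A Latin identifier with a single Cyrillic letter looks identical on screen but is
    a different name to the compiler, which is the homoglyph trick being discussed.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in IDENT_RE.finditer(line):
            ident = match.group()
            scripts = {s for s in map(script_of, ident) if s}
            if len(scripts) > 1:
                findings.append((lineno, match.start() + 1, ident, sorted(scripts)))
    return findings


def scan_source(text):
    """Run both checks and return them under one report dict."""
    return {
        "bidi": find_bidi_controls(text),
        "mixed_script": find_mixed_script_identifiers(text),
    }


# Constructed sample: line 2 hides an RLO/LRI pair inside a comment, line 3 uses a
# Cyrillic 'а' (U+0430) inside an otherwise Latin identifier.
SAMPLE = (
    "int main() {\n"
    "    /* \u202e } \u2066 if (admin) */ return 0;\n"
    "    int p\u0430ssword = 1;  /* Cyrillic a */\n"
    "}\n"
)

if __name__ == "__main__":
    report = scan_source(SAMPLE)
    for lineno, col, name in report["bidi"]:
        print(f"line {lineno} col {col}: bidi control {name}")
    for lineno, col, ident, scripts in report["mixed_script"]:
        print(f"line {lineno} col {col}: identifier {ident!r} mixes scripts {scripts}")
```

Run as a pre-commit or CI step, a non-empty report from either check is a reason to reject the change until a human has looked at the raw bytes rather than the rendered text; a repository that legitimately contains non-Latin identifiers or right-to-left string literals would need an allowlist, which this example deliberately does not include.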
