This is a repost of an email I found on vuln-dev from last year. I thought it could season some fruitful discussions here.


Maybe Steven has a newer version available? Would be nice with some illustrations to each vulnerability listed.

I for one have difficulties understanding the "off-by-one" vulnerability. Maybe a kind soul would step in?

Regards,

Mads

---

Date: Fri, 13 Jun 2003 16:47:51 -0400 (EDT)
From: "Steven M. Christey" <[EMAIL PROTECTED]>
Subject: Re: Research on Source Code Review -C


dwar keeper <[EMAIL PROTECTED]> said:

>> Am looking to develop source code review guidelines for code written
>> in c/c++. I have found a few documents on the net but nothing that
>> could be really followed along to do source code review. I also wanted
>> to know what people in the field are actually doing and also if they
>> could provide first hand experience as to what all they look for and
>> how.


Following is a checklist of different vulnerability types to look for, based on some informal work I've been doing in vulnerability classification. I tried using this entire checklist one time for a small software package, and the amount of work required was staggering.

The checklist is still incomplete, but maybe some people will find it
useful.  Yes, I know this would benefit from listing specific examples
of each vuln type.

>>2) Signed Overflow
>> Signed overflows occur when a signed variable is interpreted as an
>>unsigned variable.


While terminology is hardly consistent for vulnerabilities, especially new flavors like this, I believe that the evolving terminology for this type of bug is either "Signed Integer Error" or "Integer Signedness Error."

I don't know if "signed float" vulnerabilities are possible, but maybe
they wouldn't reside in the same place that integer-based issues do
(e.g. floats probably wouldn't be used *directly* for array indexing
or memory allocation).  I haven't seen any reported yet, anyway.


- Steve




================================================================
Vulnerability Auditing Checklist
================================================================
Version: 0.0000003
Modified: 2003/02/19
Created: 2002/12/04

Disclaimer: This is a DRAFT document.  The list of categories is
incomplete.  In addition, some categories overlap, and some terms are
wholly invented or ill-defined.  It has not been compared with other
sources.  This document is being publicly posted to facilitate
discussion of code review/testing procedures.


General Unexpected or Malformed Input Problems
----------------------------------------------

1. Buffer Overflows

1a. Boundary end violation ("classic overflow")

1b. Boundary beginning violation

1c. Array index modification ("index overflow" ?)

1d. Length parameter manipulation

1e. Off-by-one

1f. Other length calculation error

2. Format strings

3. Syntax/grammar violation

3a. "Empty" or blank input

3b. Missing argument

3c. Extra argument

3d. Repeated argument

3e. Missing/repeated/extra separator or delimiter

3f. Wrong data type

3g. Incomplete input

3h. Missing/misplaced special characters (delimiters/etc.)

3i. Unknown/unrecognizable argument/command/whatever

4. Special character mismanagement

4a. Shell metacharacters

4b. Delimiter between fields

4c. Delimiter between values

4d. Delimiter between records

4e. CRLF attacks (line delimiter)

4f. Section delimiter (e.g. CRLF between MIME headers and content)

4g. End-of-input delimiter (e.g. "." in mail message data)

4h. Input terminator

4i. Quoting character

4j. Escape/meta/control character

4k. General separator char

4l. Comment char

4m. Macro symbol or other char for substitution

4n. Variable name leader/terminator (e.g. "$" for env. variable)

4o. Wildcard or "completion" character


5. Dependent Field/Value Inconsistency (e.g.: a "length" field for a buffer does not reflect the actual length of the buffer; or, two fields have values that do not make sense when combined)

6. Null dereference



File/Directory Processing
-------------------------

7. Directory traversal

7a. ../filename

7b. /../filename

7c. /absolute/pathname/here

7d. /directory/../filename

7e. directory/../../filename

7f. ..\filename

7g. \..\filename

7h. \absolute\pathname\here

7i. \directory\..\filename

7j. directory\..\..\filename

7k. C:driveletter

7l. ...

7m. ....

7n. \\UNC\share\name\here

7o. //multiple/directory/separator/beginning

7p. /multiple//directory/separator/internal

7q. /multiple/directory/separator/ending//

7r. \double\\windows\\separator


8. Link Following


8a. UNIX symbolic link following

8b. UNIX hard link

8c. Windows .LNK

8d. Windows hard link

9. Windows 8.3 filenames

10. "Virtual" files

10a. Windows MS-DOS device names

10b. Windows ::DATA alternate data stream

10c. Apple ".DS_Store"


Process/Command Execution
-------------------------

11. Shell metacharacters

12. Malicious search path execution (search path can be modified by
    untrusted user to point to malicious program, e.g. UNIX PATH
    environment variable)

13. Program/command argument modification


Canonicalization Errors
-----------------------

14. Encodings

14a. URL encoding

14b. Unicode

15. Multiple separators or other characters (e.g. as seen in directory
    traversal)

16. Case sensitivity

17. Validate-Before-Canonicalize (a program "validates" data before it
    is canonicalized)

18. Validate-Before-Cleanse (program "validates" data before it has
    been cleansed)


Leaks
-----

19. Information Leak

19a. Sensitive memory not cleared after use

19b. Sensitive memory not cleared due to compiler removal

19c. Command-line arguments visible to other processes

19d. Environment variables visible to other processes

19e. State information leak due to inconsistent results (e.g. user
     name enumeration: valid username/wrong pass generates
     "incorrect password," but invalid username generates "incorrect
     user")

19f. State information leak due to timing discrepancies (e.g. a
     "successful" operation takes more time than an unsuccessful
     one)

19g. Incomplete removal of temporary resources (e.g. files)

19h. Application-controlled diagnostic or error messages

19i. Uncontrolled, external diagnostic or error messages (e.g. the
     programming language leaks information on an error that happens
     in the application)

19j. Design-intended or configuration-intended leak (information is
     intended for publication, but sensitive)

20. Resource leaks

20a. UNIX file descriptor leak


Multiple Operation/Action Errors
--------------------------------

21. Duplicate operation

21a. Double-free

21b. Double-encoding / double-decoding

22. Improper handler deployment (dispatch error)

23. Inability to handle out-of-order actions (state machine
    violations)

24. Race Condition (non-file link)

24a. Signal handler race condition

24b. Other TOCTOU

25. Deadlock


Configuration Errors
--------------------

26. Permissions, ACLs, and ownership

26a. Bad default or inherited permissions (read, write, execute)

26b. Bad program-assigned permissions (read, write, execute)

26c. Ownership of critical resource not verified

27. Default configuration enables insecure feature

27a. Default password

27b. Default, non-essential service or component

27c. Network-based admin capability accessible to arbitrary hosts


Error Condition Identification/Management Errors
------------------------------------------------

28. Handler dispatch error

28a. Improper handler deployment (the wrong "handler" is assigned
     to process an input, e.g. calling a servlet to reveal source
     code of a .JSP file, or automatically "determines" type even
     if contradictory to an explicitly specified type)

28b. Missing handler (handler not available or implemented)

28c. Dangerous handler not cleared/disabled during sensitive
     operations

29. Insufficient logging of security-critical events

30. Incomplete error detection (product does not properly detect or
    check for security-critical error conditions)


GUI Errors
----------

31. Insufficient user warning of "unsafe" actions

32. Interface inconsistency (the user interface, API, or GUI behaves
    inconsistently with what operations are actually performed on the
    system, e.g. checking a security option does nothing, or user
    tells interface "restrict ALL" and it says "restrict SOME")


Product Management Errors
-------------------------

33. Design limitations

33a. Incomplete specification

33b. Vague specification

33c. Support (or lack of support) for security-relevant options

34. Distribution Error

34a. Debugging code not omitted from production version

35. Patch Error

35a. Regression error - introduces old vulnerability

35b. Incomplete vulnerability fix

36. Documentation Error

36a. Omission of security-critical information

36b. Error/typo causes user to introduce a vulnerability or risk

37. Developer-introduced back door / Trojan Horse

38. Port Error

    A product is ported to a different environment (e.g. OS) and does
    not consider differences with the original environment - sometimes
    introducing vulnerabilities specific to the new environment

39. Interaction Error

    Two independent products work correctly and according to
    specification, but interact in ways that cause problems.



Technology-Specific Problems
----------------------------

This is probably missing a number of issues in web technologies.

40. Cross-site scripting (XSS)

41. Form field / parameter tampering

42. SQL injection

43. PHP-specific issues (PHP has "special" features without
    equivalents in other languages)

43a. PHP remote file inclusion/execution

43b. PHP untrusted external initialization of critical variables

44. Perl null character injection (technically an interaction
    vulnerability, but important to mention specifically)


Other Errors
------------

45. Initialization Error

45a. Insecure default initialization (e.g. variables or
     permissions)

45b. Untrusted/externally controlled initialization of trusted
     variables or values

45c. Non-exit on failed initialization affecting security-critical
     resource (e.g. configuration file format error)

46. Resource exhaustion (memory, application-specific objects, general
    objects)

46a. Memory leak

46b. Other incomplete resource release (resource is not "released"
     for re-use or deletion, often as a result of an unusual
     error)

46c. Asymmetric resource consumption ("untrusted" process can make
     "trusted process" consume more resources than it really needs
     to)

47. Numeric conversion errors

47a. Integer Signedness Error

47b. Integer overflow / underflow (value "resets" to maximum or
     minimum, often through incrementing values)

48. Authentication Error

49. Unnecessarily large privilege window (app runs at higher privileges
    longer than it "has to")

50. Capability operating at higher privilege than necessary without
    authentication

51. Infinite loop

52. Incomplete/missing security check for standardized
    algorithm/technique [e.g. the "Basic Constraints" browser cert
    issues]

53. Cryptographic error

53a. Stores sensitive data in plaintext (passwords, credit cards,
     etc.)

53b. Does not use peer-reviewed cryptographic algorithms

53c. Does not perform all required cryptographic steps

54. Insufficient Randomness

54a. Predictable system state (time, process ID, etc.)

54b. Insufficiently large space of random values

54c. Use of "known weak" randomness algorithms

55. Miscellaneous remote code injection (inputs are fed directly into
    an interpreted language which is dynamically evaluated; other
    "classes" such as SQL injection are covered elsewhere)



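The "Signed Overflow" item discussed in the email and checklist item 47 (numeric conversion errors) are illustrated by the following added C example, which is not part of the original post. It shows 47a, where a signed `int` length passes an upper-bound check when it is negative and then turns into a huge `size_t` at the point of use, and 47b, where `count * elem_size` wraps around so an allocation comes out far smaller than the data later written into it. The limit `MAX_LEN` and the sample values in the comments are constructed for the demonstration.

```c
/* Added example (not from the original post): checklist item 47, numeric
 * conversion errors.  47a: a signed length passes a "too big?" check when it
 * is negative, then becomes a huge size_t at the memcpy/malloc call.  47b: a
 * count multiplied by an element size wraps around, so malloc returns a
 * buffer far smaller than the caller goes on to fill. */
#include <stddef.h>
#include <stdint.h>

#define MAX_LEN 256   /* constructed limit for the demonstration */

/* 47a, flawed: 'len' is signed, so -1 satisfies "len <= MAX_LEN". */
int length_ok_flawed(int len)
{
    return len <= MAX_LEN;        /* BUG: no lower bound on a signed value */
}

/* 47a, fixed: reject negatives before any conversion to size_t. */
int length_ok_fixed(int len)
{
    return len >= 0 && len <= MAX_LEN;
}

/* What the accepted negative value turns into when passed to a size_t
 * parameter such as memcpy's length: -1 becomes SIZE_MAX. */
size_t as_size(int len)
{
    return (size_t)len;
}

/* 47b, flawed: count * elem_size can wrap; returns the wrapped allocation size.
 * Example: (SIZE_MAX / 2 + 2) * 2 wraps to 2. */
size_t alloc_size_flawed(size_t count, size_t elem_size)
{
    return count * elem_size;     /* BUG: unchecked multiplication */
}

/* 47b, fixed: detect wrap-around before multiplying.  Returns 1 and stores
 * the product in *out on success, 0 if the product would not fit. */
int alloc_size_fixed(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return 0;
    *out = count * elem_size;
    return 1;
}

/* 1 if the checked multiplication rejects count * elem_size, else 0. */
int alloc_overflows(size_t count, size_t elem_size)
{
    size_t unused;
    return !alloc_size_fixed(count, elem_size, &unused);
}
```

When reviewing, follow every length or count from the point it enters the program to the call that consumes it: note whether it is signed, whether a lower bound is ever checked, and whether any multiplication or addition on it happens before the size is compared against the buffer.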
