Re: CWE Clarification: CWE-1007 and Homoglyphs in Source Code

2021-12-02 Thread Wojtek Andrijew

Hello,

The scope of this topic is much wider. It concerns the fundamental 
question: What is the CWE list?
For me, CWE allows us to define what we are really talking about. In 
this context, grouping doesn't matter as much as the fundamental units. 
I am not saying that it is not important, but from a practical point of 
view, the lowest units are the most important. A very nice comparison is 
this:
In biology, scientists have argued about taxonomy for hundreds of years. 
First, they were guided by the comparison of the anatomical structure, 
and then, after the discovery of the genome, by phylogenetic research. 
However, the basic species discovered by Linnaeus still exist today.
In my opinion, CWE-506 is more of a fundamental than a grouping unit. If 
we want to combine these CWEs, we should rather create a unit over them 
than use CWE-506 as the parent.


Regards
Wojciech Andrijew
Parasoft Corp.




RE: CWE Clarification: CWE-1007 and Homoglyphs in Source Code

2021-11-30 Thread Steven M Christey
Jon,

We are aware of this new discovery but haven't researched it closely enough 
from a CWE perspective. It's slated to be addressed in CWE 4.7 (around 
January/February 2022). In my informal consideration of the problem when it 
first came out, there seem to be some challenges with respect to CWE-style 
classification. For example, the bidirectional manipulations in the papers 
involve a form of "visual overlay," which is identified as a potential subtype 
of CWE-451 "User Interface (UI) Misrepresentation of Critical Information" 
which, as mentioned in CWE-451's Maintenance notes, probably could use some 
further breakdown into Base- or Variant-level weaknesses. However, visual 
overlay can apply to any number of other technical elements (e.g. "layers" in 
GUIs/browsers) so there's a little more consideration that needs to be made. 
For homoglyphs - while CWE-1007 doesn't specifically mention Unicode, I believe 
that it's in scope, since homoglyphs can be a concern regardless of the 
encoding being used.

My current thinking around CWE-506 and related "malicious-code" weaknesses from 
Landwehr's taxonomy [1] has been evolving. Over the past 10+ years, we've 
effectively required a "weakness" to give some kind of (even abstract) notion 
of the behavior that is incorrectly implemented. Since a malicious adversary 
with appropriate privileges could insert *any* kind of error into code, the 
characterizations of malicious/trojan/etc. code could be a result of - or 
intentionally introduce - any other weakness covered by CWE. Consider a 
backdoor account inserted by a malicious adversary - it's also classifiable as 
incorrect authentication or use of hardcoded credentials.

Because there's so much overlap between these malware-ish entries and the rest 
of CWE, it suggests to me that there is a limitation of the CWE model that 
requires deeper research, although this research is currently a lower priority 
than expansion or discussion of CWE's scope with respect to other areas such as 
hardware. My current suspicion is that the CWE entries that are related to 
Landwehr's "genesis" model of how vulnerabilities are introduced are a kind of 
complementary dimension or facet of vulnerabilities that may be interesting, 
but is not centered around a specific mistake - and therefore, not a weakness 
as CWE defines it.

[1] 
https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf

- Steve


-----Original Message-----
From: Hood, Jonathan W CTR USARMY DEVCOM AVMC (USA)
Sent: Tuesday, November 30, 2021 4:51 PM
To: CWE Research Discussion
Subject: CWE Clarification: CWE-1007 and Homoglyphs in Source Code

Currently, CWE-1007 is a child of UI misrepresentation. However, source code 
can be maliciously injected using bidi and Unicode homoglyphs as well (see 
https://www.swatips.com/articles/20211129.html and 
https://arxiv.org/abs/2111.00169 and the examples under 
https://github.com/nickboucher/trojan-source/tree/main/C%2B%2B). Would it be 
appropriate to modify CWE-1007 so that it doesn’t just apply to reflected 
Unicode attacks against a user, or would it be more appropriate to create a new 
CWE as a child of CWE-506 to reflect injecting source code using Unicode 
representations?

Thanks!
Jon
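Jon's message describes source code being altered with Unicode bidirectional (bidi) controls and homoglyph identifiers. As an added example that is not part of this thread, and not code from CWE, MITRE or the Trojan Source project, here is a small Python scanner of the kind a code-review or pre-commit check could run: it flags any bidi control character on a line (these have no legitimate place in most source files) and identifiers that contain non-ASCII letters or mix scripts, which is how a Latin/Cyrillic homoglyph swap shows up. The sample source, the control-character table and all function names are constructed for this illustration; the bidi and Cyrillic characters are written as escapes so the text here contains no raw control characters.

```python
"""Flag Unicode bidi control characters and mixed-script identifiers in source text.

Added illustration for the CWE-1007 / Trojan Source discussion; assumptions:
the character table below is the set abused in the Trojan Source papers, and
script detection uses the first word of a character's Unicode name (approximate).
"""
import re
import unicodedata
from typing import List, Tuple

# Bidirectional control characters: explicit embeddings/overrides/isolates and marks.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",
}

IDENT_RE = re.compile(r"\w+")  # \w is Unicode-aware for str patterns in Python 3

# (line number, column, finding kind, human-readable detail)
Finding = Tuple[int, int, str, str]


def _script_of(ch: str) -> str:
    """Approximate script of a letter from its Unicode name, e.g. 'CYRILLIC', 'LATIN'."""
    try:
        return unicodedata.name(ch).split(" ")[0]
    except ValueError:  # unnamed code point
        return "UNKNOWN"


def scan_line(line: str, lineno: int) -> List[Finding]:
    """Return findings for one source line."""
    findings: List[Finding] = []
    # 1. Bidi controls anywhere on the line, comments and string literals included:
    #    that is where the bidirectional trick hides reordered code.
    for col, ch in enumerate(line):
        if ch in BIDI_CONTROLS:
            findings.append((lineno, col, "bidi-control", f"U+{ord(ch):04X} ({BIDI_CONTROLS[ch]})"))
    # 2. Identifiers containing non-ASCII letters; a mix of scripts inside one
    #    identifier is the classic homoglyph pattern (Cyrillic 'а' for Latin 'a').
    for m in IDENT_RE.finditer(line):
        ident = m.group(0)
        if ident.isascii():
            continue
        scripts = sorted({_script_of(c) for c in ident if c.isalpha()})
        kind = "mixed-script-identifier" if len(scripts) > 1 else "non-ascii-identifier"
        findings.append((lineno, m.start(), kind, f"{ident!r} uses {'+'.join(scripts)}"))
    return findings


def scan_source(text: str) -> List[Finding]:
    """Scan a whole file's text; line numbers start at 1."""
    out: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        out.extend(scan_line(line, lineno))
    return out


# Constructed sample (not from the thread): a C-like fragment with an RLO
# (U+202E) inside a comment and a Cyrillic 'а' (U+0430) inside an identifier.
SAMPLE_SOURCE = (
    "int check_access(int level) {\n"
    "    /* TODO \u202e */\n"
    "    int \u0430dmin = 1;\n"
    "    return 0;\n"
    "}\n"
)

if __name__ == "__main__":
    for lineno, col, kind, detail in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno} col {col}: {kind}: {detail}")
```

Run on the sample it reports the RLO on line 2 and the mixed-script identifier on line 3; a clean ASCII file produces no findings. Treating any bidi control as a hard failure is the simplest policy; the identifier checks should be tuned to a project's expected scripts, since code legitimately written with non-Latin identifiers will trip the single-script "non-ascii-identifier" rule.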

