Re: Research on Source Code Review -C

["Steven M. Christey" <coley () mitre org>]

dwar keeper <dwarkeeper () hotmail com> said:

> Am looking to develop source code review guidelines for code written
> in c/c++. I have found a few documents on the net but nothing that
> could be really followed along to do source code review. I also wanted
> to know what people in the field are actually doing and also if they
> could provide first hand experience as to what all they look for and
> how.

Following is a checklist of different vulnerability types to look for,
based on some informal work I've been doing in vulnerability
classification.  I tried using this entire checklist one time for a
small software package, and the amount of work required was
staggering.

The checklist is still incomplete, but maybe some people will find it
useful.  Yes, I know this would benefit from listing specific examples
of each vuln type ;-)

> 2) Signed Overflow
> Signed overflows occur when a signed variable is interpreted as an
> unsigned variable.

While terminology is hardly consistent for vulnerabilities, especially
new flavors like this, I believe that the evolving terminology for
this type of bug is either "Signed Integer Error" or "Integer
Signedness Error."

I don't know if "signed float" vulnerabilities are possible, but maybe
they wouldn't reside in the same place that integer-based issues do
(e.g. floats probably wouldn't be used *directly* for array indexing
or memory allocation).  I haven't seen any reported yet, anyway.


- Steve



================================================================
Vulnerability Auditing Checklist
================================================================
Version: 0.0000003
Modified: 2003/02/19
Created: 2002/12/04

Disclaimer: This is a DRAFT document.  The list of categories is
incomplete.  In addition, some categories overlap, and some terms are
wholly invented or ill-defined.  It has not been compared with other
sources.  This document is being publicly posted to facilitate
discussion of code review/testing procedures.


General Unexpected or Malformed Input Problems
----------------------------------------------

1. Buffer Overflows

   1a. Boundary end violation ("classic overflow")

   1b. Boundary beginning violation

   1c. Array index modification ("index overflow" ?)

   1d. Length parameter manipulation

   1e. Off-by-one

   1f. Other length calculation error

2. Format strings

3. Syntax/grammar violation

  3a. "Empty" or blank input

  3b. Missing argument

  3c. Extra argument

  3d. Repeated argument

  3e. Missing/repeated/extra separator or delimiter

  3f. Wrong data type

  3g. Incomplete input

  3h. Missing/misplaced special characters (delimiters/etc.)

  3i. Unknown/unrecognizable argument/command/whatever

4. Special character mismanagement

  4a. Shell metacharacters

  4b. Delimiter between fields

  4c.  Delimiter between values

  4d.  Delimiter between records

  4e.  CRLF attacks (line delimiter)

  4f.  Section delimiter (e.g. CRLF between MIME headers and content)

  4g.  End-of-input delimiter (e.g. "." in mail message data)

  4h.  Input terminator

  4i.  Quoting character

  4j.  Escape/meta/control character

  4k.  General separator char

  4l.  Comment char

  4m.  Macro symbol or other char for substitution

  4n.  Variable name leader/terminator (e.g. "$" for env. variable)

  4o.  Wildcard or "completion" character


5. Dependent Field/Value Inconsistency (e.g.: a "length" field for a
   buffer does not reflect the actual length of the buffer; or, two
   fields have values that do not make sense when combined)

6. Null dereference



File/Directory Processing
-------------------------

7. Directory traversal

  7a. ../filename

  7b. /../filename

  7c. /absolute/pathname/here

  7d. /directory/../filename

  7e. directory/../../filename

  7f. ..\filename

  7g. \..\filename

  7h. \absolute\pathname\here

  7i. \directory\..\filename

  7j. directory\..\..\filename

  7k. C:driveletter

  7l. ...

  7m. ....

  7n. \\UNC\share\name\here

  7o. //multiple/directory/separator/beginning

  7p. /multiple//directory/separator/internal

  7q. /multiple/directory/separator/ending//

  7r. \double\\windows\\separator


8. Link Following

  8a. UNIX symbolic link following

  8b. UNIX hard link

  8c. Windows .LNK

  8d. Windows hard link

9. Windows 8.3 filenames

10. "Virtual" files

   10a. Windows MS-DOS device names

   10b. Windows ::DATA alternate data stream

   10c. Apple ".DS_Store"


Process/Command Execution
-------------------------

11. Shell metacharacters

12. Malicious search path execution (search path can be modified by
    untrusted user to point to malicious program, e.g. UNIX PATH
    environment variable)

13. Program/command argument modification


Canonicalization Errors
-----------------------

14. Encodings

  14a. URL encoding

  14b. Unicode

15. Multiple separators or other characters (e.g. as seen in directory
    traversal)

16. Case sensitivity

17. Validate-Before-Canonicalize (a program "validates" data before it
    is canonicalized)

18. Validate-Before-Cleanse (program "validates" data before it has
    been cleansed)


Leaks
-----

19. Information Leak

  19a. Sensitive memory not cleared after use

  19b. Sensitive memory not cleared due to compiler removal

  19c. Command-line arguments visible to other processes

  19d. Environment variables visible to other processes

  19e. State information leak due to inconsistent results (e.g. user
       name enumeration: valid username/wrong pass generates
       "incorrect password," but invalid username generates "incorrect
       user")

  19f. State information leak due to timing discrepancies (e.g. a
       "successful" operation takes more time than an unsuccessful
       one)

  19g. Incomplete removal of temporary resources (e.g. files)

  19h. Application-controlled diagnostic or error messages

  19i. Uncontrolled, external diagnostic or error messages (e.g. the
       programming language leaks information on an error that happens
       in the application)

  19j. Design-intended or configuration-intended leak (information is
       intended for publication, but sensitive)

20. Resource leaks

   20a. UNIX file descriptor leak


Multiple Operation/Action Errors
--------------------------------

21. Duplicate operation

    21a. Double-free

    21b. Double-encoding / double-decoding

22. Improper handler deployment (dispatch error)

23. Inability to handle out-of-order actions (state machine
    violations)

24. Race Condition (non-file link)

    24a. Signal handler race condition

    24b. Other TOCTOU

25. Deadlock


Configuration Errors
--------------------

26. Permissions, ACLs, and ownership

   26a. Bad default or inherited permissions (read, write, execute)

   26b. Bad program-assigned permissions (read, write, execute)

   26c. Ownership of critical resource not verified

27. Default configuration enables insecure feature

    27a. Default password

    27b. Default, non-essential service or component

    27c. Network-based admin capability accessible to arbitrary hosts


Error Condition Identification/Management Errors
------------------------------------------------

28. Handler dispatch error

    28a. Improper handler deployment (the wrong "handler" is assigned
         to process an input, e.g. calling a servlet to reveal source
         code of a .JSP file, or automatically "determines" type even
         if contradictory to an explicitly specified type)

    28b. Missing handler (handler not available or implemented)

    28c. Dangerous handler not cleared/disabled during sensitive
         operations

29. Insufficient logging of security-critical events

30. Incomplete error detection (product does not properly detect or
    check for security-critical error conditions)


GUI Errors
----------

31. Insufficient user warning of "unsafe" actions

32. Interface inconsistency (the user interface, API, or GUI behaves
    inconsistently with what operations are actually performed on the
    system, e.g. checking a security option does nothing, or user
    tells interface "restrict ALL" and it says "restrict SOME")


Product Management Errors
-------------------------

33. Design limitations

   33a. Incomplete specification

   33b. Vague specification

   33c. Support (or lack of support) for security-relevant options

34. Distribution Error

    34a. Debugging code not omitted from production version

35. Patch Error

    35a. Regression error - introduces old vulnerability

    35b. Incomplete vulnerability fix

36. Documentation Error

   36a. Omission of security-critical information

   36b. Error/typo causes user to introduce a vulnerability or risk

37. Developer-introduced back door / Trojan Horse

38. Port Error

    A product is ported to a different environment (e.g. OS) and does
    not consider differences with the original environment - sometimes
    introducing vulnerabilities specific to the new environment

39. Interaction Error

    Two independent products work correctly and according to
    specification, but interact in ways that cause problems.



Technology-Specific Problems
----------------------------

This is probably missing a number of issues in web technologies.

40. Cross-site scripting (XSS)

41. Form field / parameter tampering

42. SQL injection

43. PHP-specific issues (PHP has "special" features without
    equivalents in other languages)

    43a. PHP remote file inclusion/execution

    43b. PHP untrusted external initialization of critical variables

44. Perl null character injection (technically an interaction
    vulnerability, but important to mention specifically)


Other Errors
------------

45. Initialization Error

    45a. Insecure default initialization (e.g. variables or
         permissions)

    45b. Untrusted/externally controlled initialization of trusted
         variables or values

    45c. Non-exit on failed initialization affecting security-critical
         resource (e.g. configuration file format error)

46. Resource exhaustion (memory, application-specific objects, general
    objects)

    46a. Memory leak

    46b. Other incomplete resource release (resource is not "released"
         for re-use or deletion, often as a result of an unusual
         error)

    46c. Asymmetric resource consumption ("untrusted" process can make
         "trusted process" consume more resources than it really needs
         to)

47. Numeric conversion errors

    47a. Integer Signedness Error

    47b. Integer overflow / underflow (value "resets" to maximum or
         minimum, often through incrementing values)

48. Authentication Error

49. Unnecesarily large privilege window (app runs at higher privileges
    longer than it "has to")

50. Capability operating at higher privilege than necessary without
    authentication

51. Infinite loop

52. Incomplete/missing security check for standardized
    algorithm/technique [e.g. the "Basic Constraints" browser cert
    issues]

53. Cryptographic error

    53a. Stores sensitive data in plaintext (passwords, credit cards,
         etc.)

    53b. Does not use peer-reviewed cryptographic algorithms

    53c. Does not perform all required cryptographic steps

54. Insufficient Randomness

    54a. Predictable system state (time, process ID, etc.)

    54b. Insufficiently large space of random values

    54c. Use of "known weak" randomness algorithms

55. Miscellaneous remote code injection (inputs are fed directly into
    an interpreted language which is dynamically evaluated; other
    "classes" such as SQL injection are covered elsewhere)