CWE Coverage¶

Name: Compiler Removal of Code to Clear Buffers

Reference: CWE 14

Description:

Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka “dead store removal.”

Accuracy: Exact

Comment:

TrustInSoft Analyzer performs spare code analysis to detect compiler optimizations.

Name: Improper Restriction of Operations within the Bounds of a Memory Buffer

Reference: CWE 119

Description:

The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Accuracy: Exact

Comment:

This is a very general CWE that is the parent of many of more specific CWE listed below. TrustInSoft Analyzer value analysis emits one of the following alarms as soon as a memory access is not well defined for sure, whatever the reason is.

Rules:

• memory_access

• index_out_of_bound

• logic_memory_access

  This particular alarm is only emitted by internal built-ins such as memset and other standard library functions.

• valid_string

  This rule is triggered by internal built-ins for the string standard library functions.

Name: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

Reference: CWE 120

Description:

The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

Name: Stack-based Buffer Overflow

Reference: CWE 121

Description:

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

Name: Heap-based Buffer Overflow

Reference: CWE 122

Description:

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

Name: Write-what-where Condition

Reference: CWE 123

Description:

Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

Name: Buffer Underwrite (‘Buffer Underflow’)

Reference: CWE 124

Description:

The software writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

Name: Out-of-bounds Read

Reference: CWE 125

Description:

The software reads data past the end, or before the beginning, of the intended buffer.

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the sames rules apply.

Name: Buffer Over-read

Reference: CWE 126

Description:

The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the sames rules apply.

Name: Buffer Under-read

Reference: CWE 127

Description:

The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the sames rules apply.

Name: Wrap-around Error

Reference: CWE 128

Description:

Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore “wraps around” to a very small, negative, or undefined value.

Accuracy: CWE-more-abstract

Comment:

On signed integers only.

Rules:

• Overflow

Name: Improper Validation of Array Index

Reference: CWE 129

Description:

The product uses not trusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

Accuracy: Exact

Comment:

The alarm is emitted when using the index, and only if there is a chance that its value is out-of-bound.

Rules:

• index_out_of_bound

Name: Improper Handling of Length Parameter Inconsistency

Reference: CWE 130

Description:

The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

Name: Incorrect Calculation of Buffer Size

Reference: CWE 131

Description:

The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

Name: Reliance on Data/Memory Layout

Reference: CWE 188

Description:

The software makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.

Accuracy: Exact

Comment:

Rules:

• memory_access

Name: Integer Overflow or Wraparound

Reference: CWE 190

Description:

The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

Accuracy: CWE-more-specific

Comment:

On signed integers only, but same rule for underflow and overflow.

Rules:

• Overflow

Name: Integer Underflow (Wrap or Wraparound)

Reference: CWE 191

Description:

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

Accuracy: CWE-more-specific

Comment:

On signed integers only, but same rule for underflow and overflow.

Rules:

• Overflow

Name: Signed to Unsigned Conversion Error

Reference: CWE 195

Description:

The software uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.

Accuracy: Not-Covered

Comment:

The value analysis doesn’t emit any alarm, but the RTE plug-in can be used with the -warn-signed-downcast and -warn-unsigned-downcast options to generate the relevant assertions before starting an analysis. These assertions are then checked like any other user assertions.

Name: Unsigned to Signed Conversion Error

Reference: CWE 196

Description:

The software uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive.

Accuracy: Not-Covered

Comment:

Similar to CWE-195 above.

Name: Use of Inherently Dangerous Function

Reference: CWE 242

Description:

The program calls a function that can never be guaranteed to work safely.

Accuracy: CWE-more-abstract

Comment:

TrustInSoft Analyzer GUI allows to search functions. For a given list of dangerous functions, the search results of TrustInSoft Analyzer for this given list includes all functions calls including calls through pointer of functions.

Name: Creation of chroot Jail Without Changing Working Directory

Reference: CWE 243

Description:

The program uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.

Accuracy: Exact

Comment:

TrustInSoft Analyzer GUI allows to search functions, in particular chroot(). The search results of TrustInSoft Analyzer for chroot() includes all functions calls including calls through pointer of functions, and the user can check manually the presence of chdir() function for each call.

Name: Improper Clearing of Heap Memory Before Release (‘Heap Inspection’)

Reference: CWE 244

Description:

Using realloc() to re-size buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.

Accuracy: Exact

Comment:

TrustInSoft Analyzer GUI allows to search functions, in particular realloc(). The search results of TrustInSoft Analyzer for realloc() includes all functions calls including calls through pointer of functions, and the user can check manually that the reallocated variable is not a sensitive data.

Name: Divide By Zero

Reference: CWE 369

Description:

The product divides a value by zero.

Accuracy: Exact

Comment:

Rules:

• division_by_zero

Name: Improper Release of Memory Before Removing Last Reference (‘Memory Leak’)

Reference: CWE 401

Description:

The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

Accuracy: CWE-partial

Comment:

TrustInSoft Analyzer provides the tis_check_leak() builtin that may be called to print the list of allocated memory blocks that are no longer referenced by any other memory block. But the CWE is only partially covered because a cycle of allocated blocks never referenced by any other global/alive local is not detected yet.

Name: Double Free

Reference: CWE 415

Description:

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

Accuracy: CWE-more-specific

Comment:

Rules:

• dangling

Name: Use After Free

Reference: CWE 416

Description:

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-825 described below. TrustInSoft Analyzer considers it as similar, so the sames rules apply.

Name: Use of Uninitialized Variable

Reference: CWE 457

Description:

The code uses a variable that has not been initialized, leading to unpredictable or unintended results.

Accuracy: Exact

Comment:

Rules:

• initialization

Name: Deletion of Data Structure Sentinel

Reference: CWE 463

Description:

The accidental deletion of a data-structure sentinel can cause serious programming logic problems.

Accuracy: CWE-partial

Comment:

As long as TrustInSoft Analyzer value analysis remains precise enough to compute the string, TrustInSoft Analyzer will detect any deletion of a data-structure sentinel.

Rules:

• logic_memory_access

  This particular alarm is only emitted by internal built-ins such as memset and other standard library functions.

• valid_string

  This rule is triggered by internal built-ins for the string standard library functions.

Name: Addition of Data Structure Sentinel

Reference: CWE 464

Description:

The accidental addition of a data-structure sentinel can cause serious programming logic problems.

Accuracy: CWE-partial

Comment:

As long as TrustInSoft Analyzer value analysis remains precise enough to compute the string, TrustInSoft Analyzer will detect any addition of a data-structure sentinel.

However, TrustInSoft Analyzer doesn’t warn if the addition of the sentinel can be considered as a normal behavior of the program.

Rules:

• logic_memory_access

  This particular alarm is only emitted by internal built-ins such as memset and other standard library functions.

• valid_string

  This rule is triggered by internal built-ins for the string standard library functions.

Name: Return of Pointer Value Outside of Expected Range

Reference: CWE 466

Description:

A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.

Accuracy: Not-Covered

Comment:

TrustInSoft Analyzer doesn’t warn on pointers having invalid values, but it does as soon as the pointer is used lated on.

Name: Use of sizeof() on a Pointer Type

Reference: CWE 467

Description:

The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. This can produce an unexpected result if the programmer intended to determine how much memory has been allocated.

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

Name: Incorrect Pointer Scaling

Reference: CWE 468

Description:

In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

Name: Use of Pointer Subtraction to Determine Size

Reference: CWE 469

Description:

The application subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.

Accuracy: CWE-more-abstract

Comment:

TrustInSoft Analyzer doesn’t warn on every pointer subtraction, but only on those where there might be a problem (different blocks).

Rules:

• differing_blocks

Name: Use of Function with Inconsistent Implementations

Reference: CWE 474

Description:

The code uses a function that has inconsistent implementations across operating systems and versions.

Accuracy: Unknown

Comment:

TrustInSoft Analyzer GUI allows to search functions. For a given list of functions with inconsistent implementations, the search results of TrustInSoft Analyzer for this given list includes all functions calls including calls through pointer of functions.

Name: NULL Pointer Dereference

Reference: CWE 476

Description:

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Accuracy: Exact

Comment:

Rules:

• memory_access

Name: Use of getlogin() in Multithreaded Application

Reference: CWE 558

Description:

The application uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.

Accuracy: CWE-more-abstract

Comment:

TrustInSoft Analyzer GUI allows to search functions, in particular getlogin(). The search results of TrustInSoft Analyzer for getlogin() includes all functions calls including calls through pointer of functions, and the user can check manually the absence of this function.

Name: Use of umask() with chmod-style Argument

Reference: CWE 560

Description:

The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod().

Accuracy: CWE-more-abstract

Comment:

TrustInSoft Analyzer GUI allows to search functions, in particular umask(). The search results of TrustInSoft Analyzer for umask() includes all functions calls including calls through pointer of functions, and the user can check manually the absence of this function.

Name: Dead Code

Reference: CWE 561

Description:

The software contains dead code, which can never be executed.

Accuracy: Exact

Comment:

Rules:

• tis-info-statements

  This CWE doesn’t generates an alarm, but the information is available among the About Statements elements. The coverage information in About Functions can also be used for a more global overview.

Name: Return of Stack Variable Address

Reference: CWE 562

Description:

A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.

Accuracy: Unknown

Comment:

Notice that TrustInSoft Analyzer doesn’t warn on the return, but when using the pointer later on.

Rules:

• dangling

Name: Expression is Always False

Reference: CWE 570

Description:

The software contains an expression that will always evaluate to false.

Accuracy: Exact

Comment:

Rules:

• tis-info-statements

  This CWE doesn’t generates an alarm, but the information is available among the About Statements elements.

Name: Expression is Always True

Reference: CWE 571

Description:

The software contains an expression that will always evaluate to true.

Accuracy: Exact

Comment:

Rules:

• tis-info-statements

  This CWE doesn’t generates an alarm, but the information is available among the About Statements elements.

Name: Assignment of a Fixed Address to a Pointer

Reference: CWE 587

Description:

The software sets a pointer to a specific address other than NULL or 0.

Accuracy: Unknown

Comment:

When using a pointer that has been set to a fixed address, the default is to emit a Memory_assess alarm since all absolute addresses are assumed to be invalid. The -absolute-valid-range min-max option can be used to tell TrustInSoft Analyzer that addresses between min and max are valid memory addresses.

Rules:

• memory_access

Name: Incorrect Conversion between Numeric Types

Reference: CWE 681

Description:

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.

Accuracy: CWE-more-abstract

Comment:

This CWE is about converting from one numeric data type to another, but the rule below is only about float to int conversion.

Rules:

• float_to_int

  This alarm is emitted when a floating-point value appears to exceed the range of the integer type it is converted to.

Name: Incorrect Calculation

Reference: CWE 682

Description:

The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

Accuracy: CWE-more-abstract

Comment:

This CWE is very general and groups anything that can goes wrong after calculation that generates incorrect or unintended results, but there no more specific CWE about floating-point results that can be an infinite value or NaN.

Rules:

• is_nan_or_infinite

Name: Function Call With Incorrect Number of Arguments

Reference: CWE 685

Description:

The software calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.

Accuracy: Exact

Comment:

This CWE is detected even without any value analysis.

Rules:

• kernel user error messages

  The kernel emit one of the two error below:

  • [kernel] user error: Too few arguments in call to ...

  • [kernel] user error: Too many arguments in call to ...

Name: Unchecked Return Value to NULL Pointer Dereference

Reference: CWE 690

Description:

The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.

Accuracy: Not-Covered

Comment:

TrustInSoft Analyzer doesn’t specifically whether returned values are tested or not, but it does detect NULL pointer dereference where ever it comes from (see CWE-476).

Name: Compiler Optimization Removal or Modification of Security-critical Code

Reference: CWE 733

Description:

The developer builds a security-critical protection mechanism into the software but the compiler optimizes the program such that the mechanism is removed or modified.

Accuracy: Exact

Comment:

TrustInSoft Analyzer performs the value analysis on the preprocessed source file. This CWE is a child of CWE-14 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

Name: Mismatched Memory Management Routines

Reference: CWE 762

Description:

The application attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.

Accuracy: Exact

Comment:

TrustInSoft Analyzer automatically checks that dynamically allocated objects are correctly deallocated with the right primitive (e.g. malloc/free, new/delete).

Name: Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code

Reference: CWE 781

Description:

The software defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided.

Accuracy: CWE-more-abstract

Comment:

TrustInSoft Analyzer GUI allows to search functions. For a given list of functions that performs improper address validation, the search results of TrustInSoft Analyzer for this given list includes all functions calls including calls through pointer of functions.

Name: Exposed IOCTL with Insufficient Access Control

Reference: CWE 782

Description:

The software implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.

Accuracy: Not-Covered

Comment:

Name: Access of Memory Location Before Start of Buffer

Reference: CWE 786

Description:

The software reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

Name: Out-of-bounds Write

Reference: CWE 787

Description:

The software writes data past the end, or before the beginning, of the intended buffer.

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

Name: Access of Memory Location After End of Buffer

Reference: CWE 788

Description:

The software reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

Name: Uncontrolled Memory Allocation

Reference: CWE 789

Description:

The product allocates memory based on a not trusted size value, but it does not validate or incorrectly validates the size, allowing arbitrary amounts of memory to be allocated.

Accuracy: Exact

Comment:

TrustInSoft Analyzer provides a language specification (ACSL) so the user may add a precondition to a user defined malloc. TrustInSoft Analyzer will automatically checks that the size always satisfies this precondition.

Name: Buffer Access with Incorrect Length Value

Reference: CWE 805

Description:

The software uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

Name: Buffer Access Using Size of Source Buffer

Reference: CWE 806

Description:

The software uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

Name: Untrusted Pointer Dereference

Reference: CWE 822

Description:

The program obtains a value from a not trusted source, converts this value to a pointer, and dereferences the resulting pointer.

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

Name: Use of Out-of-range Pointer Offset

Reference: CWE 823

Description:

The program performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

Accuracy: CWE-more-specific

Comment:

This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

Name: Access of Uninitialized Pointer

Reference: CWE 824

Description:

The program accesses or uses a pointer that has not been initialized.

Accuracy: CWE-more-specific

Comment:

The alarm below is emitted for any access to an uninitialized value, whether it is a pointer or not.

Rules:

• initialization

Name: Expired Pointer Dereference

Reference: CWE 825

Description:

The program dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.

Accuracy: Unknown

Comment:

Rules:

• memory_access