This document holds the TrustInSoft Analyzer CWE Coverage Claims using the The CWE Coverage Claims Representation format.
It is a subset of CWE-658: Weaknesses in Software Written in C.
Notice that TrustInSoft Analyzer is based on static analyses techniques. In the cases were the analysis cannot be precise, some false alarms may occur due to over-approximations. Moreover, the results rely on the provided specifications for the called function when the body is not available.
The coverage of the following CWE is achieved with TrustInSoft Analyzer. The alarms triggered are the one of the value analysis.
Name: Compiler Removal of Code to Clear Buffers
Reference: CWE 14
Description:
Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka “dead store removal.”
Accuracy: Exact
Comment:
TrustInSoft Analyzer performs spare code analysis to detect compiler optimizations.
Name: Improper Restriction of Operations within the Bounds of a Memory Buffer
Reference: CWE 119
Description:
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
Accuracy: Exact
Comment:
This is a very general CWE that is the parent of many of more specific CWE listed below. TrustInSoft Analyzer value analysis emits one of the following alarms as soon as a memory access is not well defined for sure, whatever the reason is.
Rules:
This particular alarm is only emitted by internal built-ins such
as memset
and other standard library functions.
This rule is triggered by internal built-ins for the string standard library functions.
Name: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
Reference: CWE 120
Description:
The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.
Name: Stack-based Buffer Overflow
Reference: CWE 121
Description:
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.
Name: Heap-based Buffer Overflow
Reference: CWE 122
Description:
A heap overflow condition is a buffer overflow, where the buffer
that can be overwritten is allocated in the heap portion of memory,
generally meaning that the buffer was allocated using a routine such
as malloc()
.
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.
Name: Write-what-where Condition
Reference: CWE 123
Description:
Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.
Name: Buffer Underwrite (‘Buffer Underflow’)
Reference: CWE 124
Description:
The software writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.
Name: Out-of-bounds Read
Reference: CWE 125
Description:
The software reads data past the end, or before the beginning, of the intended buffer.
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the sames rules apply.
Name: Buffer Over-read
Reference: CWE 126
Description:
The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the sames rules apply.
Name: Buffer Under-read
Reference: CWE 127
Description:
The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the sames rules apply.
Name: Wrap-around Error
Reference: CWE 128
Description:
Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore “wraps around” to a very small, negative, or undefined value.
Accuracy: CWE-more-abstract
Comment:
On signed integers only.
Rules:
Name: Improper Validation of Array Index
Reference: CWE 129
Description:
The product uses not trusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
Accuracy: Exact
Comment:
The alarm is emitted when using the index, and only if there is a chance that its value is out-of-bound.
Rules:
Name: Improper Handling of Length Parameter Inconsistency
Reference: CWE 130
Description:
The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.
Name: Incorrect Calculation of Buffer Size
Reference: CWE 131
Description:
The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.
Name: Reliance on Data/Memory Layout
Reference: CWE 188
Description:
The software makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.
Accuracy: Exact
Comment:
Rules:
Name: Integer Overflow or Wraparound
Reference: CWE 190
Description:
The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
Accuracy: CWE-more-specific
Comment:
On signed integers only, but same rule for underflow and overflow.
Rules:
Name: Integer Underflow (Wrap or Wraparound)
Reference: CWE 191
Description:
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Accuracy: CWE-more-specific
Comment:
On signed integers only, but same rule for underflow and overflow.
Rules:
Name: Signed to Unsigned Conversion Error
Reference: CWE 195
Description:
The software uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.
Accuracy: Not-Covered
Comment:
The value analysis doesn’t emit any alarm,
but the RTE plug-in can be used with the
-warn-signed-downcast
and -warn-unsigned-downcast
options
to generate the relevant assertions before starting an analysis.
These assertions are then checked like any other user assertions.
Name: Unsigned to Signed Conversion Error
Reference: CWE 196
Description:
The software uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive.
Accuracy: Not-Covered
Comment:
Similar to CWE-195 above.
Name: Use of Inherently Dangerous Function
Reference: CWE 242
Description:
The program calls a function that can never be guaranteed to work safely.
Accuracy: CWE-more-abstract
Comment:
TrustInSoft Analyzer GUI allows to search functions. For a given list of dangerous functions, the search results of TrustInSoft Analyzer for this given list includes all functions calls including calls through pointer of functions.
Name: Creation of chroot Jail Without Changing Working Directory
Reference: CWE 243
Description:
The program uses the chroot()
system call to create a jail, but
does not change the working directory afterward. This does not
prevent access to files outside of the jail.
Accuracy: Exact
Comment:
TrustInSoft Analyzer GUI allows to search functions, in particular
chroot()
. The search results of TrustInSoft Analyzer for chroot()
includes all functions calls including calls through pointer of
functions, and the user can check manually the presence of
chdir()
function for each call.
Name: Improper Clearing of Heap Memory Before Release (‘Heap Inspection’)
Reference: CWE 244
Description:
Using realloc()
to re-size buffers that store sensitive
information can leave the sensitive information exposed to attack,
because it is not removed from memory.
Accuracy: Exact
Comment:
TrustInSoft Analyzer GUI allows to search functions, in particular
realloc()
. The search results of TrustInSoft Analyzer for realloc()
includes all functions calls including calls through pointer of
functions, and the user can check manually that the reallocated
variable is not a sensitive data.
Name: Divide By Zero
Reference: CWE 369
Description:
The product divides a value by zero.
Accuracy: Exact
Comment:
Rules:
Name: Improper Release of Memory Before Removing Last Reference (‘Memory Leak’)
Reference: CWE 401
Description:
The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.
Accuracy: CWE-partial
Comment:
TrustInSoft Analyzer provides the tis_check_leak()
builtin that may be
called to print the list of allocated memory blocks
that are no longer referenced by any other memory block.
But the CWE is only partially covered because
a cycle of allocated blocks never referenced
by any other global/alive local is not detected yet.
Name: Use After Free
Reference: CWE 416
Description:
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-825 described below. TrustInSoft Analyzer considers it as similar, so the sames rules apply.
Name: Use of Uninitialized Variable
Reference: CWE 457
Description:
The code uses a variable that has not been initialized, leading to unpredictable or unintended results.
Accuracy: Exact
Comment:
Rules:
Name: Deletion of Data Structure Sentinel
Reference: CWE 463
Description:
The accidental deletion of a data-structure sentinel can cause serious programming logic problems.
Accuracy: CWE-partial
Comment:
As long as TrustInSoft Analyzer value analysis remains precise enough to compute the string, TrustInSoft Analyzer will detect any deletion of a data-structure sentinel.
Rules:
This particular alarm is only emitted by internal built-ins such as
memset
and other standard library functions.
This rule is triggered by internal built-ins for the string standard library functions.
Name: Addition of Data Structure Sentinel
Reference: CWE 464
Description:
The accidental addition of a data-structure sentinel can cause serious programming logic problems.
Accuracy: CWE-partial
Comment:
As long as TrustInSoft Analyzer value analysis remains precise enough to compute the string, TrustInSoft Analyzer will detect any addition of a data-structure sentinel.
However, TrustInSoft Analyzer doesn’t warn if the addition of the sentinel can be considered as a normal behavior of the program.
Rules:
This particular alarm is only emitted by internal built-ins such as
memset
and other standard library functions.
This rule is triggered by internal built-ins for the string standard library functions.
Name: Return of Pointer Value Outside of Expected Range
Reference: CWE 466
Description:
A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.
Accuracy: Not-Covered
Comment:
TrustInSoft Analyzer doesn’t warn on pointers having invalid values, but it does as soon as the pointer is used lated on.
Name: Use of sizeof() on a Pointer Type
Reference: CWE 467
Description:
The code calls sizeof()
on a malloced pointer type, which always
returns the wordsize/8. This can produce an unexpected result if the
programmer intended to determine how much memory has been allocated.
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.
Name: Incorrect Pointer Scaling
Reference: CWE 468
Description:
In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.
Name: Use of Pointer Subtraction to Determine Size
Reference: CWE 469
Description:
The application subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.
Accuracy: CWE-more-abstract
Comment:
TrustInSoft Analyzer doesn’t warn on every pointer subtraction, but only on those where there might be a problem (different blocks).
Rules:
Name: Use of Function with Inconsistent Implementations
Reference: CWE 474
Description:
The code uses a function that has inconsistent implementations across operating systems and versions.
Accuracy: Unknown
Comment:
TrustInSoft Analyzer GUI allows to search functions. For a given list of functions with inconsistent implementations, the search results of TrustInSoft Analyzer for this given list includes all functions calls including calls through pointer of functions.
Name: NULL Pointer Dereference
Reference: CWE 476
Description:
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
Accuracy: Exact
Comment:
Rules:
Name: Use of getlogin() in Multithreaded Application
Reference: CWE 558
Description:
The application uses the getlogin()
function in a multithreaded
context, potentially causing it to return incorrect values.
Accuracy: CWE-more-abstract
Comment:
TrustInSoft Analyzer GUI allows to search functions, in particular
getlogin()
. The search results of TrustInSoft Analyzer for
getlogin()
includes all functions calls including calls through
pointer of functions, and the user can check manually the absence of
this function.
Name: Use of umask() with chmod-style Argument
Reference: CWE 560
Description:
The product calls umask()
with an incorrect argument that is
specified as if it is an argument to chmod()
.
Accuracy: CWE-more-abstract
Comment:
TrustInSoft Analyzer GUI allows to search functions, in particular
umask()
. The search results of TrustInSoft Analyzer for umask()
includes all functions calls including calls through pointer of
functions, and the user can check manually the absence of this
function.
Name: Dead Code
Reference: CWE 561
Description:
The software contains dead code, which can never be executed.
Accuracy: Exact
Comment:
Rules:
tis-info-statements
This CWE doesn’t generates an alarm, but the information is available among the About Statements elements. The coverage information in About Functions can also be used for a more global overview.
Name: Return of Stack Variable Address
Reference: CWE 562
Description:
A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.
Accuracy: Unknown
Comment:
Notice that TrustInSoft Analyzer doesn’t warn on the return, but when using the pointer later on.
Rules:
Name: Expression is Always False
Reference: CWE 570
Description:
The software contains an expression that will always evaluate to false.
Accuracy: Exact
Comment:
Rules:
tis-info-statements
This CWE doesn’t generates an alarm, but the information is available among the About Statements elements.
Name: Expression is Always True
Reference: CWE 571
Description:
The software contains an expression that will always evaluate to true.
Accuracy: Exact
Comment:
Rules:
tis-info-statements
This CWE doesn’t generates an alarm, but the information is available among the About Statements elements.
Name: Assignment of a Fixed Address to a Pointer
Reference: CWE 587
Description:
The software sets a pointer to a specific address other than NULL or 0.
Accuracy: Unknown
Comment:
When using a pointer that has been set to a fixed address,
the default is to emit a Memory_assess
alarm
since all absolute addresses are assumed to be invalid.
The -absolute-valid-range min-max
option can be used to tell TrustInSoft Analyzer
that addresses between min and max are valid memory addresses.
Rules:
Name: Incorrect Conversion between Numeric Types
Reference: CWE 681
Description:
When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
Accuracy: CWE-more-abstract
Comment:
This CWE is about converting from one numeric data type to another, but the rule below is only about float to int conversion.
Rules:
This alarm is emitted when a floating-point value appears to exceed the range of the integer type it is converted to.
Name: Incorrect Calculation
Reference: CWE 682
Description:
The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
Accuracy: CWE-more-abstract
Comment:
This CWE is very general and groups anything that can goes wrong after calculation that generates incorrect or unintended results, but there no more specific CWE about floating-point results that can be an infinite value or NaN.
Rules:
Name: Function Call With Incorrect Number of Arguments
Reference: CWE 685
Description:
The software calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.
Accuracy: Exact
Comment:
This CWE is detected even without any value analysis.
Rules:
kernel user error messages
The kernel emit one of the two error below:
[kernel] user error: Too few arguments in call to ...
[kernel] user error: Too many arguments in call to ...
Name: Unchecked Return Value to NULL Pointer Dereference
Reference: CWE 690
Description:
The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.
Accuracy: Not-Covered
Comment:
TrustInSoft Analyzer doesn’t specifically whether returned values are tested or not, but it does detect NULL pointer dereference where ever it comes from (see CWE-476).
Name: Compiler Optimization Removal or Modification of Security-critical Code
Reference: CWE 733
Description:
The developer builds a security-critical protection mechanism into the software but the compiler optimizes the program such that the mechanism is removed or modified.
Accuracy: Exact
Comment:
TrustInSoft Analyzer performs the value analysis on the preprocessed source file. This CWE is a child of CWE-14 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.
Name: Mismatched Memory Management Routines
Reference: CWE 762
Description:
The application attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.
Accuracy: Exact
Comment:
TrustInSoft Analyzer automatically checks that dynamically allocated objects
are correctly deallocated with the right primitive
(e.g. malloc/free
, new/delete
).
Name: Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
Reference: CWE 781
Description:
The software defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided.
Accuracy: CWE-more-abstract
Comment:
TrustInSoft Analyzer GUI allows to search functions. For a given list of functions that performs improper address validation, the search results of TrustInSoft Analyzer for this given list includes all functions calls including calls through pointer of functions.
Name: Exposed IOCTL with Insufficient Access Control
Reference: CWE 782
Description:
The software implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.
Accuracy: Not-Covered
Comment:
Name: Access of Memory Location Before Start of Buffer
Reference: CWE 786
Description:
The software reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.
Name: Out-of-bounds Write
Reference: CWE 787
Description:
The software writes data past the end, or before the beginning, of the intended buffer.
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.
Name: Access of Memory Location After End of Buffer
Reference: CWE 788
Description:
The software reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.
Name: Uncontrolled Memory Allocation
Reference: CWE 789
Description:
The product allocates memory based on a not trusted size value, but it does not validate or incorrectly validates the size, allowing arbitrary amounts of memory to be allocated.
Accuracy: Exact
Comment:
TrustInSoft Analyzer provides a language specification (ACSL) so the user
may add a precondition to a user defined malloc
. TrustInSoft Analyzer
will automatically checks that the size always satisfies this
precondition.
Name: Buffer Access with Incorrect Length Value
Reference: CWE 805
Description:
The software uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.
Name: Buffer Access Using Size of Source Buffer
Reference: CWE 806
Description:
The software uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.
Name: Untrusted Pointer Dereference
Reference: CWE 822
Description:
The program obtains a value from a not trusted source, converts this value to a pointer, and dereferences the resulting pointer.
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.
Name: Use of Out-of-range Pointer Offset
Reference: CWE 823
Description:
The program performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.
Accuracy: CWE-more-specific
Comment:
This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.
Name: Access of Uninitialized Pointer
Reference: CWE 824
Description:
The program accesses or uses a pointer that has not been initialized.
Accuracy: CWE-more-specific
Comment:
The alarm below is emitted for any access to an uninitialized value, whether it is a pointer or not.
Rules:
Name: Expired Pointer Dereference
Reference: CWE 825
Description:
The program dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
Accuracy: Unknown
Comment:
Rules: