...
4.1
analyzer
mechanism that diagnoses coding flaws in software programs
NOTE Analyzers may include static analysis tools, tools within a compiler suite, or tools in other contexts.
4.2
data flow analysis
tracking of value constraints along nonexcluded paths through the code
NOTE 1 Tracking can be performed intraprocedurally, with various assumptions made about what happens at function call boundaries, or interprocedurally, where values are tracked flowing into function calls (directly or indirectly) as arguments and flowing back out either as return values or indirectly through arguments.
NOTE 2 Data flow analysis may or may not track values flowing into or out of the heap or take into account global variables. When this specification refers to values flowing, the key point is contrast with variables or expressions, because a given variable or expression may hold different values along different paths, and a given value may be held by multiple variables or expressions along a path.
4.3
exploit
technique that takes advantage of a security vulnerability to violate an explicit or implicit security policy
4.4
in-band error indicator
a library function return value on error that can never be returned by a successful call to that library function
4.5
mutilated value
result of an operation performed on an untainted value that yields either an undefined result (such as the result of signed integer overflow), the result of right-shifting a negative number, implicit conversion to an integral type where the value cannot be represented in the destination type, or unsigned integer wrapping
EXAMPLE
int j = INT_MAX + 1; // j is mutilated
char c = 1234; // c is mutilated if char is eight bits
unsigned int u = 0U - 1; // u is mutilated
NOTE 1 A mutilated value can be just as dangerous as a tainted value because it can differ either in sign or magnitude from what the programmer expects.
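The three statements in the EXAMPLE each produce a mutilated value. The following C code, added here and not part of the specification, shows the precondition checks an implementation can apply so that each of those operations either yields a representable, well-defined result or is refused; the function names are the example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Each checked_* function stores a result only when the operation is
 * well defined and representable in the destination type; otherwise
 * it returns false and the caller diverts the path. */

/* Signed overflow is undefined behavior, so test before adding. */
bool checked_add_int(int a, int b, int *out) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b)) {
        return false;                 /* INT_MAX + 1 is refused here */
    }
    *out = a + b;
    return true;
}

/* Implicit narrowing: the value must fit the destination type. */
bool checked_int_to_char(int v, char *out) {
    if (v < CHAR_MIN || v > CHAR_MAX) {
        return false;                 /* 1234 does not fit an 8-bit char */
    }
    *out = (char)v;
    return true;
}

/* Unsigned wrapping is well defined but still yields a mutilated value. */
bool checked_sub_uint(unsigned int a, unsigned int b, unsigned int *out) {
    if (a < b) {
        return false;                 /* 0U - 1 would wrap to UINT_MAX */
    }
    *out = a - b;
    return true;
}

/* Right-shifting a negative value is implementation-defined; refuse it. */
bool checked_shr_int(int v, unsigned int n, int *out) {
    if (v < 0 || n >= (unsigned int)(sizeof(int) * CHAR_BIT)) {
        return false;
    }
    *out = v >> n;
    return true;
}

int main(void) {
    int j; char c; unsigned int u;
    printf("INT_MAX + 1: %s\n", checked_add_int(INT_MAX, 1, &j) ? "ok" : "rejected");
    printf("char = 1234: %s\n", checked_int_to_char(1234, &c) ? "ok" : "rejected");
    printf("0U - 1:      %s\n", checked_sub_uint(0U, 1U, &u) ? "ok" : "rejected");
    return 0;
}
```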
4.6
nonpersistent signal handler
signal handler running on an implementation that requires the program to again register the signal handler after occurrences of the signal to catch subsequent occurrences of that signal
4.7
out-of-band error indicator
a library function return value used to indicate nothing but the error status
4.8
out-of-domain value
one of a set of values that is not in the domain of a particular operator or function
4.9
restricted sink
operands and arguments whose domain is a subset of the domain described by their types
NOTE 1 Undefined or unexpected behavior may occur if a tainted value is supplied as a value to a restricted sink.
NOTE 2 A diagnostic is required if a tainted value is supplied to a restricted sink.
NOTE 3 Different restricted sinks may impose different validity constraints for the same value; a given value can be tainted with respect to one restricted sink but sanitized (and consequently no longer tainted) with respect to a different restricted sink.
NOTE 4 Specific restricted sinks and requirements for sanitizing tainted values are described in specific rules dealing with taint analysis (see 5.8, 5.14, 5.24, 5.30, 5.39, and 5.46).
4.10
sanitize
assure by testing or replacement that a tainted or other value conforms to the constraints imposed by one or more restricted sinks into which it may flow
NOTE If the value does not conform, either the path is diverted to avoid using the value or a different, known-conforming value is substituted.
EXAMPLE Adding a null character to the end of a buffer before passing it as an argument to the strlen function.
4.11
security flaw
defect that poses a potential security risk
4.12
security policy
set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources
4.13
static analysis
any process for assessing code without executing it [Chess 2007, p. 3]
4.14
tainted source
external source of untrusted data
NOTE Tainted sources include the parameters to the main function; the values returned from localeconv, fgetc, getc, getchar, fgetwc, getwc, and getwchar; and the strings produced by getenv, fscanf, vfscanf, vscanf, fgets, fread, fwscanf, vfwscanf, vwscanf, wscanf, and fgetws.
4.15
tainted value
value derived from a tainted source that has not been sanitized
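The definitions of restricted sink (4.9), sanitize (4.10), tainted source (4.14) and tainted value (4.15) fit together as follows. In this added C example, which is not part of the specification, a line read by fgets (a tainted source) is sanitized against the domain of an array-index operand (a restricted sink) before it is used; the table, its length, and the function names are constructed for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define TABLE_LEN 8
/* Constructed lookup table; its values are all non-negative. */
static const int table[TABLE_LEN] = {10, 11, 12, 13, 14, 15, 16, 17};

/* Restricted sink: the index operand's domain is 0..TABLE_LEN-1,
 * a strict subset of the values its type can hold. */
static int table_lookup(size_t idx) {
    return table[idx];
}

/* Sanitize: testing turns the tainted string into a known-conforming
 * index, or reports failure so the caller can divert the path. */
bool sanitize_index(const char *tainted, size_t *idx) {
    char *end;
    errno = 0;
    long v = strtol(tainted, &end, 10);
    if (end == tainted) return false;                  /* no digits parsed */
    if (errno == ERANGE) return false;                 /* does not fit a long */
    if (*end != '\0' && *end != '\n') return false;    /* trailing junk */
    if (v < 0 || v >= TABLE_LEN) return false;         /* outside sink's domain */
    *idx = (size_t)v;
    return true;
}

/* Returns the table entry, or -1 (a value the table never holds)
 * when the tainted input is rejected. */
int lookup_from_tainted(const char *tainted) {
    size_t idx;
    if (!sanitize_index(tainted, &idx)) return -1;
    return table_lookup(idx);                          /* idx is sanitized here */
}

int main(void) {
    char line[32];
    /* fgets is a tainted source; line stays tainted until sanitize_index accepts it. */
    if (fgets(line, sizeof line, stdin) == NULL) return 1;
    printf("%d\n", lookup_from_tainted(line));
    return 0;
}
```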
4.16
target implementation
implementation of the C programming language whose environmental limits and implementation-defined behavior are assumed by the analyzer during the analysis of a program
4.17
UB
undefined behavior
4.18
unexpected behavior
well-defined behavior that may be unexpected or unanticipated by the programmer; incorrect programming assumptions
4.19
unsigned integer wrapping
computation involving unsigned operands whose result is reduced modulo the number that is one greater than the largest value that can be represented by the resulting type
4.20
untrusted data
data originating from outside of a trust boundary [ISO/IEC 11889-1:2009]
4.21
valid pointer
pointer that refers to an element within an array or one past the last element of an array
NOTE 1 For the purposes of this definition, a pointer to an object that is not an element of an array behaves the same as a pointer to the first element of an array of length one with the type of the object as its element type. (See C, sec. 6.5.8, paragraph 4.)
NOTE 2 For the purposes of this definition, an object can be considered to be an array of a certain number of bytes; that number is the size of the object, as produced by the sizeof operator. (See C, sec. 6.3.2.3, paragraph 7.)
4.22
vulnerability
set of conditions that allows an attacker to violate an explicit or implicit security policy [Seacord 2005a]
...