Failure to Add Integrity Check Value
Weakness ID: 353 (Weakness Base) | Status: Draft
Description Summary
Extended Description
The failure to include checksum functionality in a protocol removes the first application-level check of data that can be used. The end-to-end philosophy of checks states that integrity checks should be performed at the lowest level that they can be completely implemented. Excluding further sanity checks and input validation performed by applications, the protocol's checksum is the most important level of checksum, since it can be performed more completely than at any previous level and takes into account entire messages, as opposed to single packets. Failure to add this functionality to a protocol specification, or in the implementation of that protocol, needlessly ignores a simple solution for a very significant problem and should never be skipped.
Scope | Effect |
---|---|
Integrity | Data that is parsed and used may be corrupted. |
Non-Repudiation | Without a checksum it is impossible to determine if any changes have been made to the data after it was sent. |
Example 1
Phase | Mitigation |
---|---|
Architecture and Design | Add an appropriately sized checksum to the protocol, ensuring that data received may be simply validated before it is parsed and used. |
Implementation | Ensure that the checksums present in the protocol design are properly implemented and added to each message before it is sent. |
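The two mitigation phases above, carried through in an added example that is not part of the CWE entry: a constructed length-prefixed message format whose sender appends an integrity check value (ICV) over the whole message, and whose receiver validates that ICV before the payload is parsed or used. The ICV here is a keyed HMAC-SHA256 under a constructed shared key (an assumption of this example, chosen so that deliberate modification is detected as well as accidental corruption, which an unkeyed CRC alone would not catch); the function and constant names are this example's own.

```python
import hashlib
import hmac
import struct

# Constructed wire format (not from the CWE entry):
#   +--------+-----------------+------------------+
#   | len(4) | payload (len)   | ICV (32 bytes)   |
#   +--------+-----------------+------------------+
# The ICV is HMAC-SHA256 over the length prefix and the payload, so a
# change to either field, or truncation of the message, is detected.
ICV_LEN = 32                 # SHA-256 digest size
HEADER = struct.Struct(">I")  # 4-byte big-endian payload length


class IntegrityError(ValueError):
    """Raised when a received message fails its integrity check."""


def compute_icv(key: bytes, header_and_payload: bytes) -> bytes:
    """ICV over everything that precedes it in the message."""
    return hmac.new(key, header_and_payload, hashlib.sha256).digest()


def frame(key: bytes, payload: bytes) -> bytes:
    """Sender side (Implementation phase): add the ICV to every message."""
    body = HEADER.pack(len(payload)) + payload
    return body + compute_icv(key, body)


def parse(key: bytes, msg: bytes) -> bytes:
    """Receiver side: validate the ICV before anything is parsed or used."""
    if len(msg) < HEADER.size + ICV_LEN:
        raise IntegrityError("message too short to carry an ICV")
    body, icv = msg[:-ICV_LEN], msg[-ICV_LEN:]
    # Constant-time comparison so the check leaks nothing about the ICV.
    if not hmac.compare_digest(compute_icv(key, body), icv):
        raise IntegrityError("integrity check value mismatch")
    # Only now is the length prefix trusted enough to interpret.
    (length,) = HEADER.unpack_from(body)
    if length != len(body) - HEADER.size:
        raise IntegrityError("length prefix does not match payload size")
    return body[HEADER.size:]


def is_intact(key: bytes, msg: bytes) -> bool:
    """Convenience wrapper: True if the message passes its integrity check."""
    try:
        parse(key, msg)
        return True
    except IntegrityError:
        return False
```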
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 345 | Insufficient Verification of Data Authenticity | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
PeerOf | Weakness Base | 354 | Improper Validation of Integrity Check Value | Research Concepts 1000 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
CLASP | | | Failure to add integrity check value |
Submissions

Submission Date | Submitter | Organization | Source |
---|---|---|---|
| CLASP | | Externally Mined |

Modifications

Modification Date | Modifier | Organization | Source | Comment |
---|---|---|---|---|
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Common Consequences, Relationships, Other Notes, Taxonomy Mappings |
2009-10-29 | CWE Content Team | MITRE | Internal | updated Description, Other Notes |