Reliance on Data/Memory Layout |
Weakness ID: 188 (Weakness Base) | Status: Draft |
Description Summary
Scope | Effect |
---|---|
Integrity Confidentiality | Can result in unintended modifications or information leaks of data. |
Example 1
Here, b may not be one byte past a. It may be one byte in front of a. Or, they may have three bytes between them because they get aligned to 32-bit boundaries.
Design and Implementation: In flat address space situations, never allow computing memory addresses as offsets from another memory address. |
Phase: Architecture and Design Fully specify protocol layout unambiguously, providing a structured grammar (e.g., a compilable yacc grammar). |
Testing: Test that the implementation properly handles each case in the protocol grammar. |
When changing platforms or protocol versions, data may move in unintended ways. For example, some architectures may place local variables a and b right next to each other with a on top; some may place them next to each other with b on top; and others may add some padding to each. This ensured that each variable is aligned to a proper word size. In protocol implementations, it is common to offset relative to another field to pick out a specific piece of data. Exceptional conditions -- often involving new protocol versions -- may add corner cases that lead to the data layout changing in an unusual way. The result can be that an implementation accesses a particular part of a packet, treating data of one type as data of another type. |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Category | 137 | Representation Errors | Development Concepts (primary)699 |
ChildOf | Weakness Class | 435 | Interaction Error | Research Concepts1000 |
ChildOf | Weakness Class | 758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | Research Concepts (primary)1000 |
ParentOf | Weakness Base | 198 | Use of Incorrect Byte Ordering | Research Concepts (primary)1000 |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
CLASP | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Applicable Platforms, Common Consequences, Relationships, Other Notes, Taxonomy Mappings | ||||
2009-03-10 | CWE Content Team | MITRE | Internal | |
updated Relationships | ||||
2009-10-29 | CWE Content Team | MITRE | Internal | |
updated Common Consequences | ||||
Previous Entry Names | ||||
Change Date | Previous Entry Name | |||
2008-04-11 | Reliance on Data Layout | |||