Improper Control of a Resource Through its Lifetime
Weakness ID: 664 (Weakness Class)
Status: Draft
Description

Description Summary

The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Extended Description

Resources often have explicit instructions on how to be created, used and destroyed. When software fails to follow these instructions, it can lead to unexpected behaviors and potentially exploitable states.

Even without explicit instructions, various principles are expected to be adhered to, such as "Do not use an object until after its creation is complete," or "do not use an object after it has been slated for destruction."

Time of Introduction
  • Implementation

Potential Mitigations

Use static analysis tools to check for unreleased resources.
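As an added illustration of the lifecycle principles in the Extended Description ("do not use an object before its creation is complete or after it has been slated for destruction") and of the unreleased-resource check that static analysis looks for, the following is example code, not part of the CWE entry; the struct resource type and the res_* functions are hypothetical:

```c
/* Added example, not from the CWE entry: a resource handle that records its
 * lifecycle phase so every operation is checked against it. The type and
 * function names (struct resource, res_*) are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

enum res_state { RES_UNINIT = 0, RES_READY, RES_RELEASED };
struct resource {
    enum res_state state;
    char *buf;            /* the underlying resource: a heap buffer here */
};
static int g_live = 0;    /* resources created but not yet released */
/* Creation is complete only once buf exists and the state is READY. */
int res_create(struct resource *r, size_t n) {
    if (r->state == RES_READY) return -1;   /* already created */
    r->buf = calloc(n ? n : 1, 1);
    if (!r->buf) return -1;
    r->state = RES_READY;
    g_live++;
    return 0;
}

/* Use is refused before creation completes or after release (CWE-666). */
int res_use(struct resource *r, char c) {
    if (r->state != RES_READY) return -1;
    r->buf[0] = c;
    return 0;
}

/* Release happens exactly once; the handle is dead afterwards. */
int res_release(struct resource *r) {
    if (r->state != RES_READY) return -1;   /* double release or never created */
    free(r->buf);
    r->buf = NULL;
    r->state = RES_RELEASED;
    g_live--;
    return 0;
}

/* Unreleased resources (CWE-404) show up here at shutdown or in tests. */
int res_leaked(void) { return g_live; }
int main(void) {
    struct resource r = { RES_UNINIT, NULL };
    int before = res_use(&r, 'a');            /* -1: creation not complete */
    res_create(&r, 16); res_use(&r, 'a'); res_release(&r);
    int after = res_use(&r, 'b');             /* -1: already released */
    int twice = res_release(&r);              /* -1: double release */
    printf("%d %d %d leaked=%d\n", before, after, twice, res_leaked());
    return 0;
}
```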

Relationships

Nature    Type            ID    Name                                                              View(s) this relationship pertains to   View ID
ChildOf   Category        361   Time and State                                                    Development Concepts (primary)          699
ParentOf  Weakness Class  221   Information Loss or Omission                                      Research Concepts (primary)             1000
ParentOf  Weakness Class  282   Improper Ownership Management                                     Research Concepts (primary)             1000
ParentOf  Weakness Class  286   Incorrect User Management                                         Research Concepts (primary)             1000
ParentOf  Weakness Base   400   Uncontrolled Resource Consumption ('Resource Exhaustion')         Research Concepts (primary)             1000
ParentOf  Weakness Base   404   Improper Resource Shutdown or Release                             Research Concepts (primary)             1000
ParentOf  Weakness Class  405   Asymmetric Resource Consumption (Amplification)                   Research Concepts (primary)             1000
ParentOf  Weakness Base   410   Insufficient Resource Pool                                        Research Concepts (primary)             1000
ParentOf  Weakness Base   471   Modification of Assumed-Immutable Data (MAID)                     Research Concepts (primary)             1000
ParentOf  Weakness Class  485   Insufficient Encapsulation                                        Research Concepts (primary)             1000
ParentOf  Weakness Class  514   Covert Channel                                                    Research Concepts (primary)             1000
ParentOf  Weakness Class  610   Externally Controlled Reference to a Resource in Another Sphere   Research Concepts (primary)             1000
ParentOf  Weakness Base   665   Improper Initialization                                           Research Concepts (primary)             1000
ParentOf  Weakness Base   666   Operation on Resource in Wrong Phase of Lifetime                  Research Concepts (primary)             1000
ParentOf  Weakness Base   667   Insufficient Locking                                              Research Concepts                       1000
ParentOf  Weakness Class  668   Exposure of Resource to Wrong Sphere                              Research Concepts (primary)             1000
ParentOf  Weakness Class  669   Incorrect Resource Transfer Between Spheres                       Research Concepts (primary)             1000
ParentOf  Weakness Class  673   External Influence of Sphere Definition                           Research Concepts (primary)             1000
ParentOf  Weakness Class  704   Incorrect Type Conversion or Cast                                 Research Concepts (primary)             1000
ParentOf  Weakness Class  706   Use of Incorrectly-Resolved Name or Reference                     Research Concepts (primary)             1000
MemberOf  View            1000  Research Concepts                                                 Research Concepts (primary)             1000
Related Attack Patterns (CAPEC Version: 1.4)

CAPEC-ID  Attack Pattern Name
21        Exploitation of Session Variables, Resource IDs and other Trusted Credentials
60        Reusing Session IDs (aka Session Replay)
61        Session Fixation
62        Cross Site Request Forgery (aka Session Riding)

Maintenance Notes

More work is needed on this node and its children. There are perspective/layering issues; for example, one breakdown is based on lifecycle phase (CWE-404, CWE-665), while other children are independent of lifecycle, such as CWE-400. Others do not specify as many bases or variants, such as CWE-704, which primarily covers numbers at this stage.

Content History

Modifications

Modification Date  Modifier          Organization  Source    Changes
2008-07-01         Eric Dalci        Cigital       External  updated Potential Mitigations, Time of Introduction
2008-09-08         CWE Content Team  MITRE         Internal  updated Description, Maintenance Notes, Relationships, Type
2009-03-10         CWE Content Team  MITRE         Internal  updated Related Attack Patterns
2009-05-27         CWE Content Team  MITRE         Internal  updated Description, Name, Relationships
2009-07-27         CWE Content Team  MITRE         Internal  updated Relationships

Previous Entry Names

Change Date  Previous Entry Name
2009-05-27   Insufficient Control of a Resource Through its Lifetime