Kingdom: Code Quality

Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.

Unreleased Resource: Streams

Abstract

The program can potentially fail to release a system resource.

Explanation

The program can potentially fail to release a system resource.

Resource leaks have at least two common causes:

- Error conditions and other exceptional circumstances.

- Confusion over which part of the program is responsible for releasing the resource.

Most unreleased resource issues result in general software reliability problems. However, if an attacker can intentionally trigger a resource leak, the attacker may be able to launch a denial of service attack by depleting the resource pool.

Example: The following method never closes the file handle it opens. The Finalize() method for StreamReader eventually calls Close(), but there is no guarantee as to how long it will take before the Finalize() method is invoked. In fact, there is no guarantee that Finalize() will ever be invoked. In a busy environment, this can result in the VM using up all of its available file handles.


private void processFile(string fName) {
        StreamWriter sw = new StreamWriter(fName);
        string line;
        while ((line = sr.ReadLine()) != null)
                processLine(line);
}

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[5] Standards Mapping - Common Weakness Enumeration CWE ID 772

[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001133

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[10] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation

[20] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404

[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[42] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[43] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.controlflow.dotnet.unreleased_resource_streams

Abstract

The program can potentially fail to release a system resource.

Explanation

The program can potentially fail to release a system resource.

Resource leaks have at least two common causes:

- Error conditions and other exceptional circumstances.

- Confusion over which part of the program is responsible for releasing the resource.

Most unreleased resource issues result in general software reliability problems. However, if an attacker can intentionally trigger a resource leak, the attacker may be able to launch a denial of service attack by depleting the resource pool.

Example: The following method never closes the file handle it opens. The finalize() method for FileInputStream eventually calls close(), but there is no guarantee as to how long it will take before the finalize() method will be invoked. In a busy environment, this can result in the JVM using up all of its file handles.


private void processFile(String fName) throws FileNotFoundException, IOException {
  FileInputStream fis = new FileInputStream(fName);
  int sz;
  byte[] byteArray = new byte[BLOCK_SIZE];
  while ((sz = fis.read(byteArray)) != -1) {
    processBytes(byteArray, sz);
  }
}

References

[1] FIO04-J. Release resources when they are no longer needed CERT

[2] DOS-2: Release resources in all cases Oracle

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[7] Standards Mapping - Common Weakness Enumeration CWE ID 772

[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001133

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation

[22] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404

[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[44] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[45] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.controlflow.java.unreleased_resource_streams

Abstract

The identified function sometimes fails to release a system resource.

Explanation


...
CFIndex numBytes;
do {
    UInt8 buf[bufferSize];
    numBytes = CFReadStreamRead(readStream, buf, sizeof(buf));
    if( numBytes > 0 ) {
        handleBytes(buf, numBytes);
    } else if( numBytes < 0 ) {
        CFStreamError error = CFReadStreamGetError(readStream);
        reportError(error);
    }
} while( numBytes > 0 );
...