CWE-188 – Reliance on Data/Memory Layout


Description

The software makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: Low

 

Related Weaknesses

CWE-1105
CWE-435

 

Consequences

Integrity, Confidentiality: Modify Memory, Read Memory

Can result in unintended modifications or exposure of sensitive memory.

 

Potential Mitigations

Phase: Implementation, Architecture and Design

Description: In flat address space situations, never allow memory addresses to be computed as offsets from another memory address.

Phase: Architecture and Design

Description: Fully specify protocol layout unambiguously, providing a structured grammar (e.g., a compilable yacc grammar).

Phase: Testing

Description: Test that the implementation properly handles each case in the protocol grammar.

CVE References