Comprehensive Categorization: Resource Lifecycle Management

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompa...

The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the...

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be ...

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary ...

Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption.

The product contains a clone() method that does not call super.clone() to obtain the new object.

The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the j...

A static code block creates an instance of a class.

The product manages resources or behaves in a way that indirectly creates a new, distinct resource that can be used by attackers in violation of the intended policy.

The product creates an immutable text string using string concatenation operations.

Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result.

The product accesses a data resource through a database without using a connection pooling capability.

The product performs a data query with a large number of joins and sub-queries on a large data table.

The product contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches t...

The product contains an index range scan for a large data table, but the scan can cover a large number of rows.

The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, l...

The product initializes a data element using a hard-coded literal that is not a simple integer or static constant element.

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous meth...

The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.

An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. t...

A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert channel.

Shared microarchitectural predictor state may allow code to influence transient execution across a hardware boundary, potentially exposing data that is accessi...

A processor event or prediction may allow incorrect operations (or correct operations with incorrect data) to execute transiently, potentially exposing data over a cov...

A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitect...

The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered.

The product does not prevent the definition of control spheres from external actors.

The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

The product contains a finalize() method that does not call super.finalize().

The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, p...

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or exe...

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or...

The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

The product has or supports multiple distributed components or sub-systems that are each required to keep their own local copy of shared data - such as state or cache ...

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the ...

The product does not release or incorrectly releases a resource before it is made available for re-use.

The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the am...

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive...

The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capab...

The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not ...

The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.

The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories.

The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes.

The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memor...

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting to...

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect oper...

The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting va...

The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is ac...

The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix).

Hardware description language code incorrectly defines register defaults or hardware Intellectual Property (IP) parameters to insecure values.

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides ...

The product does not correctly convert an object, resource, or structure from one type to a different type.

The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typ...

The product performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computati...

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution.

The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.

The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

The product initializes data using hard-coded values that act as network resource identifiers.

The product, by default, initializes an internal variable with an insecure or less secure value than is possible.

The product opens a file or directory, but it does not properly prevent the name from being associated with a junction or mount point to a destination that is outside ...

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be...

The product's data removal process does not completely delete all data and potentially sensitive information within hardware components.

The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) l...

Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.

A function or method contains too many operations that utilize a data manager or file resource.

The product uses a large data table that contains an excessively large number of indices.

The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.

The product does not initialize critical variables, which causes the execution environment to use unexpected values.

The product does not initialize a critical resource.

The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.

The product does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed.

The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

The product does not properly protect an assumed-immutable element from being modified by an attacker.

The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use ...

Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.

The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.

The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.

Assigning public data to a private array is equivalent to giving public access to the array.

A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package.

Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.

Confidential information stored in memory circuits is readable or recoverable after being cleared or erased.

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in th...

The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information a...

The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be...

The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class...

A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time.

The product mixes trusted and untrusted data in the same data structure or structured message.

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, ev...

The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, ...

Security-critical logic is not set to a known value on reset.

The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

The product uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not ...

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

The product contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method.

The product uses or accesses a resource that has not been initialized.

The code uses a variable that has not been initialized, leading to unpredictable or unintended results.

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using ta...