CWE-477 对废弃函数的使用

admin
admin
admin
102932
文章
87
评论
2021年12月16日15:50:15评论59 views字数 2550阅读8分30秒阅读模式

CWE-477 对废弃函数的使用

Use of Obsolete Function

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: unkown

基本描述

The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.

扩展描述

As programming languages evolve, functions occasionally become obsolete due to:

Functions that are removed are usually replaced by newer counterparts that perform the same task in some different and hopefully improved way.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 710 cwe_View_ID: 1000 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
Other Quality Degradation

检测方法

Automated Static Analysis - Binary or Bytecode

According to SOAR, the following detection techniques may be useful:

Highly cost effective:
  • Binary / Bytecode Quality Analysis
Cost effective for partial coverage:
  • Bytecode Weakness Analysis - including disassembler + source code weakness analysis

Manual Static Analysis - Binary or Bytecode

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:
  • Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies

Dynamic Analysis with Manual Results Interpretation

According to SOAR, the following detection techniques may be useful:

Highly cost effective:
  • Debugger

Manual Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Highly cost effective:
  • Manual Source Code Review (not inspections)
Cost effective for partial coverage:
  • Focused Manual Spotcheck - Focused manual analysis of source

Automated Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Highly cost effective:
  • Source Code Quality Analyzer
  • Source code Weakness Analyzer
  • Context-configured Source Code Weakness Analyzer

Automated Static Analysis

According to SOAR, the following detection techniques may be useful:

Highly cost effective:
  • Origin Analysis

Architecture or Design Review

According to SOAR, the following detection techniques may be useful:

Highly cost effective:
  • Formal Methods / Correct-By-Construction
  • Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)

可能的缓解方案

Implementation

策略:

Refer to the documentation for the obsolete function in order to determine why it is deprecated or obsolete and to learn about alternative ways to achieve the same functionality.

Requirements

策略:

Consider seriously the security implications of using an obsolete function. Consider using alternate functions.

示例代码

The following code uses the deprecated function getpw() to verify that a plaintext password matches a user's encrypted password. If the password is valid, the function sets result to 1; otherwise it is set to 0.

bad C

...
getpw(uid, pwdline);
for (i=0; icryptpw=strtok(pwdline, ":");
pwdline=0;

}
result = strcmp(crypt(plainpw,cryptpw), cryptpw) == 0;
...文章来源于互联网:scap中文网

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年12月16日15:50:15
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CWE-477 对废弃函数的使用https://cn-sec.com/archives/613252.html

发表评论

匿名网友 填写信息