Covering CWE with Programming Languages and Tools

Covering CWE with Programming Languages and Tools
Robert Tice, Technical Account Manager

What is a CWE?

Formal list of software weakness types:
- Common language
- Standard measuring stick for software security tools
- Baseline for weakness identification, mitigation, and prevention

Prevention vs Mitigation

Prevention: the weakness is entirely absent from the application.
Mitigation: the risk is reduced, but the weakness may still exist.

Universal vs Application Specific

Universal: all software should be free of these vulnerabilities, e.g. buffer overflow. (This talk focuses on these.)
Application Specific: dependent on the application, e.g. SQL injection.

CWEs Prevented by Ada

These relate to specific features of other languages.

CWE Identifiers                      Note
467, 484                             Only affects C and C++
500                                  Only affects C++ and Java
520, 526                             Only affects .NET languages
8, 9, 487, 555, 574                  Only affects Java
103, 104, 107, 108, 109, 110, 608    Only affects Struts framework

CWEs Prevented by Ada

These relate to general problems and constructs of other languages.

CWE Identifiers                           Note
588                                       Unsafe pointer usage
95                                        Unvalidated code in dynamic "eval" context
481, 482                                  Confusion between assignment and comparison
170                                       Improper null termination of strings
228, 229, 233, 237, 240 (and variants)    Parameters missing/extra/confused

CWEs Mitigated by Ada (runtime checks)

CWE   Description
120*  Buffer Overflow
123   Write-what-where condition
124   Buffer Underwrite
125   Out-of-bounds read
126   Buffer Over-read
127   Buffer Under-read
128   Wrap-around error
129   Improper validation of array index
130   Improper handling of length parameter
131*  Incorrect calculation of buffer size
136   Type errors
190*  Integer overflow or wrap-around
191   Integer underflow or wrap-around
193   Off-by-one error
194   Unexpected sign extension
197   Numeric truncation error
252   Unchecked return value
253   Incorrect check of function return value
369   Divide-by-zero
476   Null pointer dereference
562   Return of stack variable address
682   Incorrect calculation
786   Access before start of buffer
787   Out-of-bounds write
788   Access after end of buffer
805   Buffer access with incorrect length
824   Uninitialized pointer

* 2011 CWE/SANS Top 25 Most Dangerous Software Errors (https://cwe.mitre.org/top25/)

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

C: the length is a separate parameter, and nothing stops the caller from passing 30 for a 10-element array.

    void foo(int* arr, int length) {
        for (int i = 0; i < length; i++) {
            arr[i]++;
        }
    }

    void bar() {
        int myArray[10];
        // init the array
        for (int i = 0; i < 10; i++)
            myArray[i] = 0;
        // or memset(&myArray[0], 0, 10 * sizeof(myArray[0]));
        foo(&myArray[0], 30);
    }

Ada, same design: the runtime index check catches the out-of-bounds write.

    type My_Array_Type is array (Natural range <>) of Integer;

    procedure Foo (Arr : in out My_Array_Type; Len : Natural) is
    begin
       for I in 1 .. Len loop
          Arr (I) := Arr (I) + 1;
       end loop;
    end Foo;

    procedure Bar is
       My_Array : My_Array_Type (1 .. 10) := (others => 0);
    begin
       Foo (Arr => My_Array, Len => 30);
    end Bar;

Ada, idiomatic: iterate over Arr'Range, so there is no separate length parameter at all.

    type My_Array_Type is array (Natural range <>) of Integer;

    procedure Foo (Arr : in out My_Array_Type) is
    begin
       for I in Arr'Range loop
          Arr (I) := Arr (I) + 1;
       end loop;
    end Foo;

    procedure Bar is
       My_Array : My_Array_Type (1 .. 10) := (others => 0);
    begin
       -- no accidental length computation
       -- no accidental buffer overflow because of a typo
       Foo (Arr => My_Array);
    end Bar;

Buffer overflow! Running the first Ada version gives:

    raised CONSTRAINT_ERROR : buffer_overflow.adb:7 index check failed

CWE-190: Integer Overflow or Wraparound

C: the signed counter overflows silently (undefined behaviour); nothing detects it.

    #include <stdint.h>

    volatile uint32_t myRegister;

    int waitForFlag() {
        int counter = 0;
        while (myRegister == 0) {
            counter++;
        }
        return counter;
    }

Ada: the overflow is detected by the runtime check.

    My_Register : Integer;
    pragma Volatile (My_Register);

    function Wait_For_Flag return Integer is
       Counter : Integer := 0;
    begin
       while My_Register = 0 loop
          Counter := Counter + 1;
       end loop;
       return Counter;
    end Wait_For_Flag;

Integer overflow! Running the Ada version gives:

    raised CONSTRAINT_ERROR : integer_overflow.adb:9 overflow check failed
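The checks Ada performs automatically in the two slides above, written out by hand in C. This is an added example, not code from the slides or from AdaCore: foo_checked() carries the real capacity for CWE-120, int_slice mirrors iterating over Arr'Range, and wait_for_flag_checked() tests before incrementing for CWE-190; all of these names are assumed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
/* Slice = pointer plus length, like an Ada array parameter with Arr'Range. */
struct int_slice { int *data; size_t len; };

/* CWE-120 counterpart of foo(): capacity travels with the pointer and an
 * oversized length is refused (Ada: "index check failed"). 0 = ok, -1 = refused. */
int foo_checked(int *arr, size_t capacity, size_t length)
{
    if (arr == NULL || length > capacity)
        return -1;
    for (size_t i = 0; i < length; i++)
        arr[i]++;
    return 0;
}

/* Same operation on a slice: there is no separate length to get wrong. */
void foo_slice(struct int_slice s)
{
    for (size_t i = 0; i < s.len; i++)
        s.data[i]++;
}

/* CWE-190 counterpart of waitForFlag(): polls *reg, counting into *counter.
 * Signed overflow is undefined behaviour in C, so test before incrementing,
 * as Ada's overflow check does. 0 = flag seen, -1 = next ++ would wrap. */
int wait_for_flag_checked(volatile uint32_t *reg, int *counter)
{
    while (*reg == 0) {
        if (*counter == INT_MAX)
            return -1;
        (*counter)++;
    }
    return 0;
}

/* Constructed scenario from the slides: 10 elements, Len = 30.
 * Returns how many checks misbehaved (expected 0). */
int run_demo(void)
{
    int buf[10] = {0}, counter = INT_MAX, failures = 0;
    uint32_t reg = 0;
    failures += foo_checked(buf, 10, 30) != -1 || buf[0] != 0;   /* refused  */
    failures += foo_checked(buf, 10, 10) != 0 || buf[9] != 1;    /* accepted */
    foo_slice((struct int_slice){ buf, 10 });
    failures += buf[0] != 2 || buf[9] != 2;
    failures += wait_for_flag_checked(&reg, &counter) != -1;     /* would wrap */
    return failures;
}
```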

Static Mitigation CWE-120: Classic Buffer Overflow

    procedure Main is
       type My_Array_Type is array (Natural range <>) of Integer;

       procedure Foo (Arr : in out My_Array_Type; Len : Natural) is
       begin
          for I in 1 .. Len loop
             Arr (I) := Arr (I) + 1;
          end loop;
       end Foo;

       procedure Bar is
          My_Array : My_Array_Type (1 .. 10) := (others => 0);
       begin
          Foo (Arr => My_Array, Len => 30);
       end Bar;
    begin
       Bar;
    end Main;

CodePeer results:

    buffer_overflow.adb:18:7: high: precondition (array index check [CWE 120]) failure on call to main.foo: requires Len = 0 or Len <= Arr'Last

Static Mitigation CWE-190: Integer Overflow

    procedure Main is
       My_Register : Integer := 0;
       pragma Volatile (My_Register);

       function Wait_For_Flag return Integer is
          Counter : Integer := 0;
       begin
          while My_Register = 0 loop
             Counter := Counter + 1;
          end loop;
          return Counter;
       end Wait_For_Flag;

       Ret : Integer;
    begin
       Ret := Wait_For_Flag;
    end Main;

CodePeer results:

    integer_overflow.adb:10:32: low: overflow check [CWE 190] might fail: requires Counter <= Integer_32'Last-1

CWEs Mitigated with CodePeer

All CWEs mitigated by Ada runtime checks (the table above) ... plus these:

CWE   Description
137   Representation errors
362   Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
366   Race Condition within a Thread
457   Use of Uninitialized Variable
561   Dead Code
563   Assignment to Variable without Use
570   Expression is always false
571   Expression is always true
820   Missing synchronization
821   Incorrect synchronization
835   Loop with unreachable exit

Static Mitigation CWE-457: Use of Uninitialized Variable

    with Ada.Text_IO; use Ada.Text_IO;

    procedure Main is
       Global : Integer;

       procedure Init_Global is
       begin
          Global := 0;
       end Init_Global;
    begin
       -- Init_Global;
       Global := Global + 5;
       Put_Line (Global'Img);
    end Main;

CodePeer results:

    uninit_var.adb:17:15: high: validity check [CWE 457]: Global is uninitialized here

How many CWE violations will CodePeer find?

    with Ada.Text_IO; use Ada.Text_IO;

    procedure Main is
       Flag    : Boolean := False;
       Counter : Integer;
    begin
       loop
          if Flag then
             Put_Line ("Exiting...");
             exit;
          else
             Counter := Counter + 1;
             Put_Line ("Loop #" & Counter'Img);
          end if;
       end loop;
    end Main;

CodePeer results (five findings):

    unreachable_exit.adb:11:12: medium warning: loop does not complete normally [CWE 835]
    unreachable_exit.adb:11:12: low warning: test always false [CWE 570] because Flag = false
    unreachable_exit.adb:12:13: medium warning: dead code [CWE 561] because Flag = false
    unreachable_exit.adb:15:24: low: validity check [CWE 457]: Counter might be uninitialized
    unreachable_exit.adb:15:32: low: overflow check [CWE 190] might fail: requires Counter <= Integer_32'Last-1

CWEs Mitigated with SPARK Pro

All CWEs mitigated by Ada runtime checks, plus all CWEs mitigated with CodePeer (the tables above) ... plus these:

CWE   Description
188   Reliance on data layout
466   Return of pointer value outside expected range
468   Incorrect pointer scaling
469   Use of pointer subtraction to determine size
822   Untrusted pointer access
823   Out-of-range pointer offset
825   Expired pointer dereference

Restricting to Prevent

    pragma Restrictions (Restriction_Identifier);

Restriction Identifier     CWEs Prevented
No_Allocators              122, 244, 415, 416, 467, 590, 761
No_Tasking                 362, 364, 366, 432, 479, 543, 558, 567, 572, 585, 662, 663, 820, 821, 828, 831, 833
No_Recursion               674
No_Exceptions              248, 396, 397, 460, 584, 600
No_Exception_Handlers      396, 584
No_Finalization            568, 583, 586
No_Streams                 499
No_Unchecked_Conversion    197, 588, 704, 843
No_Wide_Characters         135, 176
No_Dependence              676*

* 2011 CWE/SANS Top 25 Most Dangerous Software Errors (https://cwe.mitre.org/top25/)

Reduce risk! Use Ada, SPARK, & CodePeer: MITRE-recognized CWE-Compatible products!