http://langsec.org/papers/langsec-cwes-secdev2016.pdf
Saved on 2021-12-05 via langsec.org
Abstract
Input-handling bugs share two common patterns: insufficient recognition, where input-checking logic is unfit to validate a program’s assumptions about inputs, and parser differentials, wherein two or more components of a system fail to interpret input equivalently. We argue that these patterns are artifacts of avoidable weaknesses in the development process and explore these patterns both in general and via recent CVE instances. We break ground on defining the input-handling code weaknesses that should be actionable findings and propose a refactoring of existing CWEs to accommodate them. We propose a set of new CWEs to name such weaknesses that will help code auditors and penetration testers precisely express their findings of likely vulnerable code structures.
Antipatterns
- Shotgun parsing (ad-hoc validation during processing)
- Non-minimalist input-handling code
- Input language more complex than deterministic context-free
- Differing interpretations of input language
- Incomplete protocol specification
- Overloaded field in input format
- Permissive processing of invalid input
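An added illustration of three of these antipatterns (shotgun parsing, differing interpretations of the input language, permissive processing of invalid input); this is example code written for this page, not code from the paper. It assumes a constructed count-prefixed message format and parses it two ways: a shotgun parser that acts on items before the count is validated and converts the count leniently, and a recognizer that accepts or rejects the whole message before anything is processed. parser_differentials reports inputs on which the two implementations disagree.

```python
import re
from typing import Callable, Optional

# Constructed toy message format, assumed for this example (not from the paper):
#   <count>:<item>,<item>,...      e.g. "3:a,b,c"
# <count> is a decimal integer equal to the number of items; items are [a-z]+.
MESSAGE = re.compile(r"^(\d+):([a-z]+(?:,[a-z]+)*)$")
ITEM = re.compile(r"[a-z]+")

def shotgun_process(msg: str, sink: list) -> bool:
    """Shotgun parsing: checks pieces of the input while already acting on
    it, so a message rejected late has already produced side effects."""
    count_s, _, body = msg.partition(":")
    for item in body.split(","):
        if not ITEM.fullmatch(item):
            return False                  # earlier items are already in sink
        sink.append(item)                 # processing before full validation
    try:
        return int(count_s) == len(sink)  # lenient: accepts "+3", " 3", "3_0"
    except ValueError:
        return False

def recognize(msg: str) -> Optional[list]:
    """Recognizer: accept or reject the whole message against its grammar
    before any processing happens; returns the parsed items or None."""
    m = MESSAGE.fullmatch(msg)
    if m is None:
        return None
    items = m.group(2).split(",")
    return items if int(m.group(1)) == len(items) else None

def recognize_then_process(msg: str, sink: list) -> bool:
    items = recognize(msg)
    if items is None:
        return False                      # rejected: sink is untouched
    sink.extend(items)
    return True

def parser_differentials(probes: list, a: Callable, b: Callable) -> list:
    """Flag inputs on which two implementations of the same format disagree
    (accepted by one, rejected by the other): the precondition for a
    parser-differential bug."""
    return [msg for msg in probes if a(msg, []) != b(msg, [])]

if __name__ == "__main__":
    probes = ["3:a,b,c", "2:a,b,c", "+3:a,b,c", " 3:a,b,c", "3:a,B,c"]
    print(parser_differentials(probes, shotgun_process, recognize_then_process))
```

Note that "2:a,b,c" is rejected by both parsers, yet only the shotgun parser leaves three items behind in its sink, which is the kind of partial side effect the recognizer-first structure rules out.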