CWE - CWE-227: Failure to Fulfill API Contract ('API Abuse') (1.6)

Home > CWE List > CWE- Individual Dictionary Definition (1.6)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-227: Failure to Fulfill API Contract ('API Abuse')

Failure to Fulfill API Contract ('API Abuse')

Weakness ID: 227 (Weakness Class)

Status: Draft

Description

Description Summary

The software uses an API in a manner contrary to its intended use.

Extended Description

An API is a contract between a caller and a callee. The most common forms of API misuse are caused by the caller failing to honor its end of this contract. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.

Alternate Terms

API Abuse

Time of Introduction

Architecture and Design
Implementation

Observed Examples

Reference	Description
CVE-2006-7140	crypto implementation removes padding when they shouldn't, allowing forged signatures
CVE-2006-4339	crypto implementation removes padding when they shouldn't, allowing forged signatures

Potential Mitigations

Phase	Description
	Always utilize APIs in the specified manner.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Category	18	Source Code	Development Concepts (primary)699
ChildOf	Weakness Class	710	Coding Standards Violation	Research Concepts (primary)1000
RequiredBy	Compound Element: Composite	120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')	Research Concepts1000
ParentOf	Weakness Base	242	Use of Inherently Dangerous Function	Development Concepts (primary)699 Seven Pernicious Kingdoms (primary)700
ParentOf	Weakness Variant	243	Failure to Change Working Directory in chroot Jail	Development Concepts (primary)699 Seven Pernicious Kingdoms (primary)700
ParentOf	Weakness Variant	244	Failure to Clear Heap Memory Before Release ('Heap Inspection')	Development Concepts (primary)699 Seven Pernicious Kingdoms (primary)700
ParentOf	Weakness Variant	245	J2EE Bad Practices: Direct Management of Connections	Development Concepts (primary)699 Seven Pernicious Kingdoms (primary)700
ParentOf	Weakness Variant	246	J2EE Bad Practices: Direct Use of Sockets	Development Concepts (primary)699 Seven Pernicious Kingdoms (primary)700
ParentOf	Weakness Variant	247	Reliance on DNS Lookups in a Security Decision	Development Concepts (primary)699
ParentOf	Weakness Base	248	Uncaught Exception	Development Concepts (primary)699 Seven Pernicious Kingdoms (primary)700
ParentOf	Weakness Class	250	Execution with Unnecessary Privileges	Development Concepts (primary)699 Seven Pernicious Kingdoms (primary)700
ParentOf	Category	251	Often Misused: String Management	Development Concepts (primary)699 Seven Pernicious Kingdoms (primary)700
ParentOf	Weakness Base	252	Unchecked Return Value	Development Concepts (primary)699 Seven Pernicious Kingdoms (primary)700
ParentOf	Weakness Base	253	Incorrect Check of Function Return Value	Development Concepts (primary)699
ParentOf	Weakness Variant	382	J2EE Bad Practices: Use of System.exit()	Development Concepts699
ParentOf	Weakness Variant	558	Use of getlogin() in Multithreaded Application	Seven Pernicious Kingdoms (primary)700
ParentOf	Category	559	Often Misused: Arguments and Parameters	Development Concepts (primary)699
ParentOf	Weakness Class	573	Failure to Follow Specification	Development Concepts (primary)699 Research Concepts (primary)1000
ParentOf	Weakness Variant	586	Explicit Call to Finalize()	Research Concepts (primary)1000
ParentOf	Weakness Variant	589	Call to Non-ubiquitous API	Development Concepts (primary)699
ParentOf	Weakness Base	605	Multiple Binds to the Same Port	Development Concepts (primary)699
ParentOf	Weakness Base	648	Incorrect Use of Privileged APIs	Research Concepts1000
ParentOf	Weakness Variant	650	Trusting HTTP Permission Methods on the Server Side	Research Concepts1000
PeerOf	Weakness Class	675	Duplicate Operations on Resource	Research Concepts1000
ParentOf	Weakness Base	684	Failure to Provide Specified Functionality	Development Concepts (primary)699 Research Concepts (primary)1000
MemberOf	View	700	Seven Pernicious Kingdoms	Seven Pernicious Kingdoms (primary)700

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
7 Pernicious Kingdoms			API Abuse

Content History

Submissions
Submission Date	Submitter	Organization	Source
	7 Pernicious Kingdoms		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time of Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Description, Relationships, Taxonomy Mappings
2009-05-27	CWE Content Team	MITRE	Internal
2009-05-27	updated Name, Relationships

Page Last Updated: October 29, 2009


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us