
CWE-664: Improper Control of a Resource Through its Lifetime

 
Weakness ID: 664 (Weakness Class)
Status: Draft
+ Description

Description Summary

The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Extended Description

Resources often have explicit instructions on how to be created, used and destroyed. When software fails to follow these instructions, it can lead to unexpected behaviors and potentially exploitable states.

Even without explicit instructions, various principles are expected to be adhered to, such as "Do not use an object until after its creation is complete," or "Do not use an object after it has been slated for destruction."
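The two principles quoted above can be enforced by keeping an explicit lifecycle state next to the resource. The following C sketch is an added example, not part of the CWE entry; `struct res` and the `res_*` functions are hypothetical names, and the caller is assumed to zero-initialize the struct before first use.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical resource: a heap buffer with an explicit lifecycle state. */
enum res_state { RES_UNINIT = 0, RES_READY, RES_RELEASED };

struct res {                    /* assumption: caller zero-initializes it */
    enum res_state state;
    unsigned char *buf;
    size_t len;
};

/* Creation: the state becomes READY only after every step has succeeded. */
int res_create(struct res *r, size_t len)
{
    if (r == NULL || len == 0)
        return -EINVAL;
    if (r->state == RES_READY)
        return -EBUSY;          /* re-creating would leak the live buffer */
    r->buf = calloc(1, len);
    if (r->buf == NULL)
        return -ENOMEM;         /* state unchanged, so still not usable */
    r->len = len;
    r->state = RES_READY;
    return 0;
}

/* Use: refused unless creation completed and release has not happened. */
int res_write(struct res *r, const void *src, size_t n)
{
    if (r == NULL || src == NULL)
        return -EINVAL;
    if (r->state != RES_READY)
        return -EPERM;          /* use before creation or after release */
    if (n > r->len)
        return -ERANGE;
    memcpy(r->buf, src, n);
    return 0;
}

/* Release: runs once; the pointer is cleared so stale use cannot reach it. */
int res_release(struct res *r)
{
    if (r == NULL || r->state != RES_READY)
        return -EPERM;          /* never created, or already released */
    free(r->buf);
    r->buf = NULL; r->len = 0;
    r->state = RES_RELEASED;
    return 0;
}
```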

+ Time of Introduction
  • Implementation
+ Potential Mitigations
Use static analysis tools to check for unreleased resources.

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 361 | Time and State | Development Concepts (primary) 699
ParentOf | Weakness Class | 221 | Information Loss or Omission | Research Concepts (primary) 1000
ParentOf | Weakness Class | 282 | Improper Ownership Management | Research Concepts (primary) 1000
ParentOf | Weakness Class | 286 | Incorrect User Management | Research Concepts (primary) 1000
ParentOf | Weakness Base | 400 | Uncontrolled Resource Consumption ('Resource Exhaustion') | Research Concepts (primary) 1000
ParentOf | Weakness Base | 404 | Improper Resource Shutdown or Release | Research Concepts (primary) 1000
ParentOf | Weakness Class | 405 | Asymmetric Resource Consumption (Amplification) | Research Concepts (primary) 1000
ParentOf | Weakness Base | 410 | Insufficient Resource Pool | Research Concepts (primary) 1000
ParentOf | Weakness Base | 471 | Modification of Assumed-Immutable Data (MAID) | Research Concepts (primary) 1000
ParentOf | Weakness Class | 485 | Insufficient Encapsulation | Research Concepts (primary) 1000
ParentOf | Weakness Class | 514 | Covert Channel | Research Concepts (primary) 1000
ParentOf | Weakness Class | 610 | Externally Controlled Reference to a Resource in Another Sphere | Research Concepts (primary) 1000
ParentOf | Weakness Base | 665 | Improper Initialization | Research Concepts (primary) 1000
ParentOf | Weakness Base | 666 | Operation on Resource in Wrong Phase of Lifetime | Research Concepts (primary) 1000
ParentOf | Weakness Base | 667 | Insufficient Locking | Research Concepts 1000
ParentOf | Weakness Class | 668 | Exposure of Resource to Wrong Sphere | Research Concepts (primary) 1000
ParentOf | Weakness Class | 669 | Incorrect Resource Transfer Between Spheres | Research Concepts (primary) 1000
ParentOf | Weakness Class | 673 | External Influence of Sphere Definition | Research Concepts (primary) 1000
ParentOf | Weakness Class | 704 | Incorrect Type Conversion or Cast | Research Concepts (primary) 1000
MemberOf | View | 1000 | Research Concepts | Research Concepts (primary) 1000
+ Maintenance Notes

More work is needed on this node and its children. There are perspective/layering issues; for example, one breakdown is based on lifecycle phase (CWE-404, CWE-665), while other children are independent of lifecycle, such as CWE-400. Others do not specify as many bases or variants, such as CWE-704, which primarily covers numbers at this stage.

+ Content History
Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Eric Dalci | Cigital | External
  updated Potential Mitigations, Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal
  updated Description, Maintenance Notes, Relationships, Type
2009-03-10 | CWE Content Team | MITRE | Internal
  updated Related Attack Patterns
2009-05-27 | CWE Content Team | MITRE | Internal
  updated Description, Name, Relationships
2009-07-27 | CWE Content Team | MITRE | Internal
  updated Relationships
Page Last Updated: October 29, 2009