CWE (Common Weakness Enumeration): A Community-Developed List of Software Weakness Types

Individual Dictionary Definition (CWE version 2.11)

CWE-703: Improper Check or Handling of Exceptional Conditions

Weakness ID: 703
Abstraction: Class
Status: Incomplete
+ Description

Description Summary

The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.
+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Applicable Platforms

Languages: All

+ Common Consequences

Scope: Confidentiality, Availability, Integrity

Technical Impact: Read application data; DoS: crash / exit / restart; Unexpected state

+ Detection Methods

Dynamic Analysis with manual results interpretation

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

  • Fault Injection - source code

  • Fault Injection - binary

Cost effective for partial coverage:

  • Forced Path Execution

Effectiveness: SOAR High

Manual Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

  • Manual Source Code Review (not inspections)

Cost effective for partial coverage:

  • Focused Manual Spotcheck - Focused manual analysis of source

Effectiveness: SOAR High

Automated Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

  • Source Code Weakness Analyzer

  • Context-configured Source Code Weakness Analyzer

Effectiveness: SOAR Partial

Architecture / Design Review

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

  • Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)

  • Formal Methods / Correct-By-Construction

Effectiveness: SOAR High

+ Relationships

Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 388 | Error Handling | Development Concepts (primary), 699
ChildOf | Category | 851 | CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR) | Weaknesses Addressed by the CERT Java Secure Coding Standard (primary), 844
ChildOf | Category | 876 | CERT C++ Secure Coding Section 08 - Memory Management (MEM) | Weaknesses Addressed by the CERT C++ Secure Coding Standard, 868
ChildOf | Category | 880 | CERT C++ Secure Coding Section 12 - Exceptions and Error Handling (ERR) | Weaknesses Addressed by the CERT C++ Secure Coding Standard (primary), 868
ChildOf | Category | 961 | SFP Secondary Cluster: Incorrect Exception Behavior | Software Fault Pattern (SFP) Clusters (primary), 888
ParentOf | Weakness Base | 166 | Improper Handling of Missing Special Element | Research Concepts, 1000
ParentOf | Weakness Base | 167 | Improper Handling of Additional Special Element | Research Concepts, 1000
ParentOf | Weakness Base | 168 | Improper Handling of Inconsistent Special Elements | Research Concepts, 1000
ParentOf | Weakness Class | 228 | Improper Handling of Syntactically Invalid Structure | Research Concepts, 1000
ParentOf | Weakness Base | 248 | Uncaught Exception | Research Concepts, 1000
ParentOf | Weakness Base | 274 | Improper Handling of Insufficient Privileges | Research Concepts (primary), 1000
ParentOf | Weakness Base | 280 | Improper Handling of Insufficient Permissions or Privileges | Research Concepts (primary), 1000
ParentOf | Weakness Variant | 333 | Improper Handling of Insufficient Entropy in TRNG | Research Concepts, 1000
ParentOf | Weakness Base | 391 | Unchecked Error Condition | Research Concepts (primary), 1000
ParentOf | Weakness Base | 392 | Missing Report of Error Condition | Research Concepts, 1000
ParentOf | Weakness Base | 393 | Return of Wrong Status Code | Research Concepts, 1000
ParentOf | Weakness Base | 397 | Declaration of Throws for Generic Exception | Research Concepts, 1000
ParentOf | Weakness Class | 754 | Improper Check for Unusual or Exceptional Conditions | Development Concepts (primary), 699; Research Concepts (primary), 1000
ParentOf | Weakness Class | 755 | Improper Handling of Exceptional Conditions | Development Concepts (primary), 699; Research Concepts (primary), 1000
MemberOf | View | 1000 | Research Concepts | Research Concepts (primary), 1000
+ Relationship Notes

This is a high-level class that might have some overlap with other classes. It could be argued that even "normal" weaknesses such as buffer overflows involve unusual or exceptional conditions. In that sense, this might be an inherent aspect of most other weaknesses within CWE, similar to API Abuse (CWE-227) and Indicator of Poor Code Quality (CWE-398). However, this entry is currently intended to unify disparate concepts that do not have other places within the Research Concepts view (CWE-1000).

+ Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
CERT Java Secure Coding | ERR06-J | | Do not throw undeclared checked exceptions
CERT C++ Secure Coding | MEM32-CPP | | Detect and handle memory allocation errors
CERT C++ Secure Coding | ERR39-CPP | | Guarantee exception safety
+ References
Taimur Aslam. "A Taxonomy of Security Faults in the UNIX Operating System". 1995-08-01. <http://ftp.cerias.purdue.edu/pub/papers/taimur-aslam/aslam-taxonomy-msthesis.pdf>.
Taimur Aslam, Ivan Krsul and Eugene H. Spafford. "Use of A Taxonomy of Security Faults". 1995-08-01. <http://csrc.nist.gov/nissc/1996/papers/NISSC96/paper057/PAPER.PDF>.
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 8: C++ Catastrophes." Page 143. McGraw-Hill. 2010.
+ Content History

Submissions

Submission Date | Submitter | Organization | Source
2008-09-09 | | MITRE | Internal CWE Team

Modifications

Modification Date | Modifier | Organization | Source | Changes
2008-07-01 | Eric Dalci | Cigital | External | updated Time_of_Introduction
2009-03-10 | CWE Content Team | MITRE | Internal | updated Relationships
2009-10-29 | CWE Content Team | MITRE | Internal | updated Other_Notes
2010-02-16 | CWE Content Team | MITRE | Internal | updated Relationships
2010-12-13 | CWE Content Team | MITRE | Internal | updated Name, Relationship_Notes
2011-03-29 | CWE Content Team | MITRE | Internal | updated Relationships
2011-06-01 | CWE Content Team | MITRE | Internal | updated Common_Consequences, Relationships, Taxonomy_Mappings
2011-06-27 | CWE Content Team | MITRE | Internal | updated Common_Consequences
2011-09-13 | CWE Content Team | MITRE | Internal | updated Relationships, Taxonomy_Mappings
2012-05-11 | CWE Content Team | MITRE | Internal | updated References, Relationships, Taxonomy_Mappings
2014-07-30 | CWE Content Team | MITRE | Internal | updated Detection_Factors, Relationships
2017-01-19 | CWE Content Team | MITRE | Internal | updated Relationships

Previous Entry Names

Change Date | Previous Entry Name
2010-12-13 | Failure to Handle Exceptional Conditions

Page Last Updated: May 05, 2017