CWE - CWE-664: Improper Control of a Resource Through its Lifetime (3.3)

Weakness ID: 664

Abstraction: Class
Structure: Simple

Status: Draft

Presentation Filter:

Description

The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Extended Description

Resources often have explicit instructions on how to be created, used and destroyed. When software does not follow these instructions, it can lead to unexpected behaviors and potentially exploitable states.

Even without explicit instructions, various principles are expected to be adhered to, such as "Do not use an object until after its creation is complete," or "do not use an object after it has been slated for destruction."

Relationships

The table(s) below shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

Relevant to the view "Research Concepts" (CWE-1000)

Nature	Type	ID	Name
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1000	Research Concepts
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	216	Containment Errors (Container Errors)
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	221	Information Loss or Omission
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	284	Improper Access Control
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	372	Incomplete Internal State Distinction
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	400	Uncontrolled Resource Consumption
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	404	Improper Resource Shutdown or Release
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	405	Asymmetric Resource Consumption (Amplification)
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	410	Insufficient Resource Pool
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	471	Modification of Assumed-Immutable Data (MAID)
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	487	Reliance on Package-level Scope
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	488	Exposure of Data Element to Wrong Session
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	495	Private Data Structure Returned From A Public Method
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	496	Public Data Assigned to Private Array-Typed Field
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	498	Cloneable Class Containing Sensitive Information
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	499	Serializable Class Containing Sensitive Data
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	501	Trust Boundary Violation
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	580	clone() Method Without super.clone()
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	610	Externally Controlled Reference to a Resource in Another Sphere
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	662	Improper Synchronization
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	665	Improper Initialization
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	666	Operation on Resource in Wrong Phase of Lifetime
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	668	Exposure of Resource to Wrong Sphere
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	669	Incorrect Resource Transfer Between Spheres
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	673	External Influence of Sphere Definition
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	704	Incorrect Type Conversion or Cast
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	706	Use of Incorrectly-Resolved Name or Reference
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	749	Exposed Dangerous Method or Function
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	908	Use of Uninitialized Resource
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	911	Improper Update of Reference Count
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	913	Improper Control of Dynamically-Managed Code Resources
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	922	Insecure Storage of Sensitive Information

Relevant to the view "Development Concepts" (CWE-699)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	361	7PK - Time and State
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	704	Incorrect Type Conversion or Cast
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	706	Use of Incorrectly-Resolved Name or Reference
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	922	Insecure Storage of Sensitive Information

Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the software life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

Phase	Note
Implementation

Common Consequences

The table below specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope	Impact	Likelihood
Other	Technical Impact: Other

Potential Mitigations

Phase: Testing

Use Static analysis tools to check for unreleased resources.

Memberships

This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	984	SFP Secondary Cluster: Life Cycle
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1163	SEI CERT C Coding Standard - Guidelines 09. Input Output (FIO)

Notes

Maintenance

More work is needed on this node and its children. There are perspective/layering issues; for example, one breakdown is based on lifecycle phase (CWE-404, CWE-665), while other children are independent of lifecycle, such as CWE-400. Others do not specify as many bases or variants, such as CWE-704, which primarily covers numbers at this stage.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
CERT C Secure Coding	FIO39-C	CWE More Abstract	Do not alternately input and output from a stream without an intervening flush or positioning call

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-196	Session Credential Falsification through Forging
CAPEC-21	Exploitation of Trusted Credentials
CAPEC-60	Reusing Session IDs (aka Session Replay)
CAPEC-61	Session Fixation
CAPEC-62	Cross Site Request Forgery

Content History

Modifications
Modification Date	Modifier	Organization
2008-07-01	Eric Dalci	Cigital
2008-07-01	updated Potential_Mitigations, Time_of_Introduction
2008-09-08	CWE Content Team	MITRE
2008-09-08	updated Description, Maintenance_Notes, Relationships, Type
2009-03-10	CWE Content Team	MITRE
2009-03-10	updated Related_Attack_Patterns
2009-05-27	CWE Content Team	MITRE
2009-05-27	updated Description, Name, Relationships
2009-07-27	CWE Content Team	MITRE
2009-07-27	updated Relationships
2010-02-16	CWE Content Team	MITRE
2010-02-16	updated Relationships
2010-12-13	CWE Content Team	MITRE
2010-12-13	updated Description, Relationships
2011-03-29	CWE Content Team	MITRE
2011-03-29	updated Relationships
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences, Relationships
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated Related_Attack_Patterns, Relationships
2012-10-30	CWE Content Team	MITRE
2012-10-30	updated Potential_Mitigations
2013-02-21	CWE Content Team	MITRE
2013-02-21	updated Relationships
2013-07-17	CWE Content Team	MITRE
2013-07-17	updated Relationships
2014-07-30	CWE Content Team	MITRE
2014-07-30	updated Relationships
2015-12-07	CWE Content Team	MITRE
2015-12-07	updated Relationships
2017-01-19	CWE Content Team	MITRE
2017-01-19	updated Relationships
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Relationships, Taxonomy_Mappings
2018-03-27	CWE Content Team	MITRE
2018-03-27	updated Relationships
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated Relationships
2019-06-20	CWE Content Team	MITRE
2019-06-20	updated Relationships
Previous Entry Names
Change Date	Previous Entry Name
2009-05-27	Insufficient Control of a Resource Through its Lifetime


	Use of the Common Weakness Enumeration and the associated references from this website are subject to the Terms of Use. For more information, please email cwe@mitre.org. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2006-2019, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.	Privacy Policy Terms of Use Site Map Contact Us

Common Weakness Enumeration

CWE-664: Improper Control of a Resource Through its Lifetime