Category-361: 7PK - Time and State

ID: 361 Status: Incomplete

Summary

This category represents one of the seven kingdoms in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads: whenever a check and the action that depends on it are separated in time, or two parties touch the same state without coordination, the program's behaviour depends on an interleaving the programmer never considered. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
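The following Python is an added illustration and not part of the CWE entry or the Seven Pernicious Kingdoms paper. It shows the gap between the programmer's one-thread-of-control model and what actually happens: a check-then-act withdrawal (the pattern behind CWE-362 and CWE-367 in the membership list below) is run by two threads against one shared balance. A threading.Barrier stands in for the scheduler so that the harmful interleaving happens every time rather than only under load; the Account class, the amounts and the window callback are assumptions for the demonstration. The hardened version makes the whole check-then-act sequence atomic under one lock, so arriving simultaneously no longer matters.

```python
"""Check-then-act race on shared state, made deterministic so the defect and
its fix can both be observed. Added example; not code from the CWE entry."""
import threading


class Account:
    """Shared mutable state (a balance) touched by several threads.
    Hypothetical class for the demonstration."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()

    def withdraw_racy(self, amount, window):
        # TIME OF CHECK: the test is evaluated against the current balance...
        if self.balance < amount:
            return False
        # ...but other threads run here. `window` models the gap between
        # check and use; in real code it is a context switch, an I/O wait,
        # or a network round trip.
        window()
        # TIME OF USE: acts on a result that may already be stale.
        self.balance -= amount
        return True

    def withdraw_safe(self, amount, window):
        # Simultaneous arrival is harmless: the check and the update are
        # one atomic step under the lock, so no thread can observe the
        # balance between another thread's check and its update.
        window()
        with self.lock:
            if self.balance < amount:
                return False
            self.balance -= amount
            return True


def run_concurrent(withdraw, start_balance=100, amount=100, threads=2):
    """Run `threads` withdrawals of `amount` against one account.

    Each thread stalls at the barrier until all of them have reached it, so
    the interleaving is fixed rather than timing-dependent. Returns
    (final_balance, number_of_successful_withdrawals).
    """
    acct = Account(start_balance)
    barrier = threading.Barrier(threads)
    results = []

    def worker():
        results.append(withdraw(acct, amount, barrier.wait))

    workers = [threading.Thread(target=worker) for _ in range(threads)]
    for t in workers:
        t.start()
    for t in workers:
        t.join()
    return acct.balance, sum(results)


if __name__ == "__main__":
    # Both threads pass the check before either updates: balance -100, 2 successes.
    print("racy:", run_concurrent(Account.withdraw_racy))
    # Only one withdrawal can succeed: balance 0, 1 success.
    print("safe:", run_concurrent(Account.withdraw_safe))
```

The barrier is only a stand-in for the scheduler; on real hardware the same window exists between any two non-atomic steps, it is merely narrower and harder to hit on demand. The fix is not to shrink the window but to remove it, either with a lock around the whole check-then-act or with a primitive that performs the check and the update atomically.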

Membership

ID NAME
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-364 Signal Handler Race Condition
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-371 State Issues
CWE-376 Temporary File Issues
CWE-377 Insecure Temporary File
CWE-380 Technology-Specific Time and State Issues
CWE-382 J2EE Bad Practices: Use of System.exit()
CWE-383 J2EE Bad Practices: Direct Use of Threads
CWE-384 Session Fixation
CWE-385 Covert Timing Channel
CWE-386 Symbolic Name not Mapping to Correct Object
CWE-387 Signal Errors
CWE-412 Unrestricted Externally Accessible Lock
CWE-557 Concurrency Issues
CWE-609 Double-Checked Locking
CWE-613 Insufficient Session Expiration
CWE-662 Improper Synchronization
CWE-663 Use of a Non-reentrant Function in a Concurrent Context
CWE-664 Improper Control of a Resource Through its Lifetime
CWE-668 Exposure of Resource to Wrong Sphere
CWE-669 Incorrect Resource Transfer Between Spheres
CWE-672 Operation on a Resource after Expiration or Release
CWE-673 External Influence on Scope Definition
CWE-674 Uncontrolled Recursion
CWE-698 Execution After Redirect (EAR)

References

REF-6 Katrina Tsipenyuk, Brian Chess and Gary McGraw. "Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors". 2005.