Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Should format string and memory safety reqs be Level 1? #2478

Open
tghosth opened this issue Dec 17, 2024 · 3 comments
Open

Should format string and memory safety reqs be Level 1? #2478

tghosth opened this issue Dec 17, 2024 · 3 comments
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet requirement level Issue related to requirement levels V5 Temporary label for grouping input validation, sanitization, encoding, escaping related requirements _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@tghosth
Copy link
Collaborator

tghosth commented Dec 17, 2024

We currently have an explanation of the thinking around L1 which can be found here.

There are a few major areas where we have differing opinions about whether a particular type of control falls into the category of L1 for version 5.0.

This issue is to discuss format string and memory safety requirements from the current chapter 5.

The requirements being considered for L1 are below (ignore the level marking below).

# Description L1 L2 L3 CWE
5.2.13 [MODIFIED, MOVED FROM 5.4.2] Verify that format strings which might resolve in an unexpected or malicious way when used are sanitized before being processed. 134
5.4.1 Verify that the application uses memory-safe string, safer memory copy and pointer arithmetic to detect or prevent stack, buffer, or heap overflows. 120
5.4.3 Verify that sign, range, and input validation techniques are used to prevent integer overflows. 190
5.4.4 [ADDED] Verify that dynamically allocated memory and resources are properly released, and that references or pointers to freed memory are removed or set to null to prevent dangling pointers and use-after-free vulnerabilities. 416

Personally I am a little split on this issue.

On the one hand, memory safety issues still seem very prevalent as do format string vulnerabilities. These are considered relatively basic having been around for years and the fixes require more defensive coding but are less labour insensitive than some other requirements that might have a wider process or business impact.

On the other hand, how many web applications (which is the scope of ASVS) are written in non-memory safe code. Does that make these requirements too niche to make it into L1.

@tghosth tghosth added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet V5 Temporary label for grouping input validation, sanitization, encoding, escaping related requirements requirement level Issue related to requirement levels _5.0 - prep This needs to be addressed to prepare 5.0 labels Dec 17, 2024
@jmanico
Copy link
Member

jmanico commented Dec 17, 2024

My initial reaction is to agree that memory issues are mostly not a web thing, but that is changing:

  • Memory vulnerabilities are absolutely relevant when discussing WebAssembly. Wasm brings languages like C and C++ into the web world. (Out-of-Bounds Read/Write in WebAssembly)
  • Years and years of Java PermGen issues to fight.
  • Memory leaks in Node.js
  • Spectre and Meltdown impacting browsers and servers
  • Resource Abuse Attacks: Tools like slowloris or XML Bombs

@elarlang
Copy link
Collaborator

elarlang commented Jan 3, 2025

Just to give some feedback - if it is not widespread enough with high impact or high likelihood, then I recommend to leave those for level 2 just to have only "really-really-must-have" requirements for level 1.

@jmanico
Copy link
Member

jmanico commented Jan 3, 2025

Agree that if these are kept, level 2 is best. +1 @elarlang

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet requirement level Issue related to requirement levels V5 Temporary label for grouping input validation, sanitization, encoding, escaping related requirements _5.0 - prep This needs to be addressed to prepare 5.0
Projects
None yet
Development

No branches or pull requests

3 participants