logo

Use of Function with Inconsistent Implementations

Draft Base
Structure: Simple
Description

This vulnerability occurs when code relies on a function whose behavior changes across different operating systems or versions, leading to unpredictable security risks when the software runs in an unexpected environment.

Extended Description

Functions can behave differently depending on where your code runs. These inconsistencies might involve how parameters are interpreted, what return codes mean, or whether the function even exists on a given platform. When you build or deploy software in an environment other than the one you tested in, these subtle differences can cause crashes, logic errors, or unexpected behavior that attackers might exploit. Some implementations of a function might have known security flaws, while others are safe. This means your application's security could depend entirely on the underlying system it's running on, creating a hidden risk. To avoid this, never assume a function behaves identically everywhere; always check documentation for the specific platforms you target and consider using standardized, portable alternatives where possible.
Common Consequences 1
Scope: Other

Impact: Quality DegradationVaries by Context
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations 1
Phase: Architecture and DesignRequirements
Do not accept inconsistent behavior from the API specifications when the deviant behavior increase the risk level.
References 1
Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Katrina Tsipenyuk, Brian Chess, and Gary McGraw
NIST Workshop on Software Security Assurance Tools Techniques and MetricsNIST
07-11-2005
https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
ID: REF-6
Applicable Platforms
Languages:
C : OftenPHP : OftenNot Language-Specific : Undetermined
Modes of Introduction
Implementation
Related Weaknesses
ChildOf: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior (CWE-758)
Taxonomy Mapping
  • 7 Pernicious Kingdoms
  • Software Fault Patterns