Exécuter une analyse statique (SAST) sur le code source à la recherche du motif non sécurisé dans le flux de données.
CWE-440 Base Brouillon
Expected Behavior Violation
This weakness occurs when a software component, such as a function, API, or feature, fails to act as documented or intended. The system's actual behavior deviates from its promised specification,…
Définition
What is CWE-440?
This weakness occurs when a software component, such as a function, API, or feature, fails to act as documented or intended. The system's actual behavior deviates from its promised specification, leading to unpredictable results.
At its core, this violation is a trust issue between the developer and the component's interface. When you call a function or use an API, you rely on its documented contract—what inputs it accepts, what processing it performs, and what outputs or side effects it guarantees. If the component silently breaks this contract, your application logic can fail, security assumptions can be invalidated, and the entire system's stability is compromised. This often stems from ambiguous documentation, implementation bugs, or unintended side effects that the spec didn't account for.
For developers, mitigating this requires a proactive approach. First, treat specifications as critical requirements, not suggestions. Implement rigorous input validation and error handling even for 'trusted' components. Second, employ defensive programming practices: write comprehensive unit and integration tests that verify both the happy path and edge cases against the documented behavior. Fuzz testing can be particularly effective in uncovering unexpected behaviors. Finally, when designing your own APIs, ensure your specifications are precise, complete, and tested, as unclear docs are a primary cause of downstream violations.
Impact réel
Real-world CVEs caused by CWE-440
-
Program uses large timeouts on unconfirmed connections resulting from inconsistency in linked lists implementations.
-
"strncpy" in Linux kernel acts different than libc on x86, leading to expected behavior difference - sort of a multiple interpretation error?
-
Buffer overflow in product stems the use of a third party library function that is expected to have internal protection against overflows, but doesn't.
Comment les attaquants l'exploitent
Parcours de l'attaquant étape par étape
- 1
The provided code is extracted from the Control and Status Register (CSR), csr_regfile, module within the Hack@DAC'21 OpenPiton System-on-Chip (SoC). This module is designed to implement CSR registers in accordance with the RISC-V specification. The mie (machine interrupt enable) register is a 64-bit register [REF-1384], where bits correspond to different interrupt sources. As the name suggests, mie is a machine-level register that determines which interrupts are enabled. Note that in the example below the mie_q and mie_d registers represent the conceptual mie reigster in the RISC-V specification. The mie_d register is the value to be stored in the mie register while the mie_q register holds the current value of the mie register [REF-1385].
- 2
The mideleg (machine interrupt delegation) register, also 64-bit wide, enables the delegation of specific interrupt sources from machine privilege mode to lower privilege levels. By setting specific bits in the mideleg register, the handling of certain interrupts can be delegated to lower privilege levels without engaging the machine-level privilege mode. For example, in supervisor mode, the mie register is limited to a specific register called the sie (supervisor interrupt enable) register. If delegated, an interrupt becomes visible in the sip (supervisor interrupt pending) register and can be enabled or blocked using the sie register. If no delegation occurs, the related bits in sip and sie are set to zero.
- 3
The sie register value is computed based on the current value of mie register, i.e., mie_q, and the mideleg register.
- 4
The above code snippet illustrates an instance of a vulnerable implementation of the sie register update logic, where users can tamper with the mie_d register value through the utval (user trap value) register. This behavior violates the RISC-V specification.
- 5
The code shows that the value of utval, among other signals, is used in updating the mie_d value within the sie update logic. While utval is a register accessible to users, it should not influence or compromise the integrity of sie. Through manipulation of the utval register, it becomes feasible to manipulate the sie register's value. This opens the door for potential attacks, as an adversary can gain control over or corrupt the sie value. Consequently, such manipulation empowers an attacker to enable or disable critical supervisor-level interrupts, resulting in various security risks such as privilege escalation or denial-of-service attacks.
Exemple de code vulnérable
Vulnerable Verilog
The sie register value is computed based on the current value of mie register, i.e., mie_q, and the mideleg register.
module csr_regfile #(...)(...);
...
// ---------------------------
// CSR Write and update logic
// ---------------------------
...
```
if (csr_we) begin
unique case (csr_addr.address)
...
riscv::CSR_SIE: begin
// the mideleg makes sure only delegate-able register
//(and therefore also only implemented registers) are written
```
mie_d = (mie_q & ~mideleg_q) | (csr_wdata & mideleg_q) | utval_q;**
end
...
endcase
end
endmodule Exemple de code sécurisé
Secure Verilog
A fix to this issue is to remove the utval from the right-hand side of the assignment. That is the value of the mie_d should be updated as shown in the good code example [REF-1386].
module csr_regfile #(...)(...);
...
// ---------------------------
// CSR Write and update logic
// ---------------------------
...
```
if (csr_we) begin
unique case (csr_addr.address)
...
riscv::CSR_SIE: begin
// the mideleg makes sure only delegate-able register
//(and therefore also only implemented registers) are written
```
mie_d = (mie_q & ~mideleg_q) | (csr_wdata & mideleg_q);**
end
...
endcase
end
endmodule What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention
How to prevent CWE-440
- Architecture Use safe-by-default frameworks and APIs that prevent the unsafe pattern from being expressible.
- Implementation Validate input at trust boundaries; use allowlists, not denylists.
- Implementation Apply the principle of least privilege to credentials, file paths, and runtime permissions.
- Testing Cover this weakness in CI: SAST rules + targeted unit tests for the data flow.
- Operation Monitor logs for the runtime signals listed in the next section.
Signaux de détection
How to detect CWE-440
Exécuter des tests de sécurité applicative dynamique (DAST) contre le point de terminaison en ligne.
Surveiller les journaux runtime pour détecter des traces d'exception inhabituelles, des entrées malformées ou des tentatives de contournement d'autorisation.
Revue de code : signaler tout nouveau code qui traite les entrées de cette surface sans utiliser les helpers du framework validés.
Plexicus détecte automatiquement CWE-440 et ouvre une PR de correction en moins de 60 secondes.
Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.
Questions fréquentes Qu'est-ce que CWE-440 ?
Quelle est la gravité de CWE-440 ?
Quels langages ou plateformes sont affectés par CWE-440 ?
Comment puis-je prévenir CWE-440 ?
Comment Plexicus détecte et corrige CWE-440 ?
Où puis-je en savoir plus sur CWE-440 ?
Frequently asked questions
Qu'est-ce que CWE-440 ?
This weakness occurs when a software component, such as a function, API, or feature, fails to act as documented or intended. The system's actual behavior deviates from its promised specification, leading to unpredictable results.
Quelle est la gravité de CWE-440 ?
MITRE n'a pas publié de note de probabilité d'exploitation pour cette faiblesse. Traitez-la comme un impact moyen jusqu'à ce que votre modèle de menace prouve le contraire.
Quels langages ou plateformes sont affectés par CWE-440 ?
MITRE lists the following affected platforms: ICS/OT.
Comment puis-je prévenir CWE-440 ?
Use safe-by-default frameworks, validate untrusted input at trust boundaries, and apply the principle of least privilege. Cover the data-flow signature in CI with SAST.
Comment Plexicus détecte et corrige CWE-440 ?
Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-440 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.
Où puis-je en savoir plus sur CWE-440 ?
MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/440.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.
Faiblesses associées
Weaknesses related to CWE-440
CWE-684 Parent
Incorrect Provision of Specified Functionality
This weakness occurs when software behaves differently than its documented specifications, which can mislead users and create security…
CWE-1245 Frère
Improper Finite State Machines (FSMs) in Hardware Logic
This vulnerability occurs when hardware logic contains flawed Finite State Machines (FSMs). Attackers can exploit these design errors to…
CWE-392 Frère
Missing Report of Error Condition
This vulnerability occurs when a system fails to properly signal that an error has happened. Instead of returning a clear error code,…
CWE-393 Frère
Return of Wrong Status Code
This vulnerability occurs when a function returns an inaccurate status code or value that misrepresents the actual outcome of an…
CWE-446 Frère
UI Discrepancy for Security Feature
This vulnerability occurs when a user interface incorrectly displays a security feature as active or properly configured, misleading users…
CWE-451 Frère
User Interface (UI) Misrepresentation of Critical Information
This vulnerability occurs when a user interface fails to accurately display or highlight crucial information, potentially misleading users…
CWE-912 Frère
Hidden Functionality
Hidden functionality refers to undocumented features, commands, or code within a product that are not part of its official specification…
CWE-1434 Enfant
Insecure Setting of Generative AI/ML Model Inference Parameters
This vulnerability occurs when a generative AI or ML model is deployed with inference parameters that are too permissive, causing it to…
Ressources
Further reading
- MITRE — CWE-440 officiel https://cwe.mitre.org/data/definitions/440.html
- The RISC-V Instruction Set Manual Volume II: Privileged Architecture page 28 https://riscv.org/wp-content/uploads/2017/05/riscv-privileged-v1.10.pdf
- csr_regfile.sv https://github.com/HACK-EVENT/hackatdac21/blob/b9ecdf6068445d76d6bee692d163fededf7a9d9b/piton/design/chip/tile/ariane/src/csr_regfile.sv
- Fix for csr_regfile.sv https://github.com/HACK-EVENT/hackatdac21/blob/2341c625a28d2fb87d370e32c45b68bd711cc43b/piton/design/chip/tile/ariane/src/csr_regfile.sv#L519C4-L522C20
Prêt quand vous l'êtes
Arrêtez de payer par développeur.
Commencez à fermer la boucle.
Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.