Software Fault Patterns (SFP)

Software Fault Patterns (SFP) [1] cluster CWEs into related weakness categories. Each cluster is factored into formally defined attributes: sites ("footholds"), conditions, properties, sources, sinks, and so on. This factoring addresses the problem that individual CWE entries describe combinations of such attributes; the factored SFP attributes are clearer than the irregular coverage of the CWE entries.

SFP categorizes 632 CWEs; together with 8 deprecated CWEs, the CWEs defined as weaknesses total 640. The taxonomy comprises 21 primary clusters, 62 secondary clusters, 310 discernible CWEs and 36 unique SFPs. [3]

Clusters and SFPs

Primary Cluster            Secondary Cluster                          SFP
1.  Risky Values           1. Glitch in Computation                   SFP1
2.  Unused Entities        1. Unused Entities                         SFP2
3.  API                    1. Use of an Improper API                  SFP3
4.  Exception Management   1. Unchecked Status Condition              SFP4
                           2. Ambiguous Exception Type                SFP5
                           3. Incorrect Exception Behavior            SFP6
5.  Memory Access          1. Faulty Pointer Use                      SFP7
                           2. Faulty Buffer Access                    SFP8
                           3. Faulty String Expansion                 SFP9
                           4. Incorrect Buffer Length Computation     SFP10
                           5. Improper NULL Termination               SFP11
6.  Memory Management      1. Faulty Memory Release                   SFP12
7.  Resource Management    1. Unrestricted Consumption                SFP13
                           2. Failure to Release Resource             SFP14
                           3. Faulty Resource Use                     SFP15
                           4. Life Cycle
8.  Path Resolution        1. Path Traversal                          SFP16
                           2. Failed Chroot Jail                      SFP17
                           3. Link in Resource Name Resolution        SFP18
9.  Synchronization        1. Missing Lock                            SFP19
                           2. Race Condition Window                   SFP20
                           3. Multiple Locks/Unlocks                  SFP21
                           4. Unrestricted Lock                       SFP22
10. Information Leak       1. Exposed Data                            SFP23
                           2. State Disclosure
                           3. Exposure Through Temporary Files
                           4. Other Exposures
                           5. Insecure Session Management
11. Tainted Input          1. Tainted Input to Command                SFP24
                           2. Tainted Input to Variable               SFP25
                           3. Composite Tainted Input                 SFP26
                           4. Faulty Input Transformation
                           5. Incorrect Input Handling
                           6. Tainted Input to Environment            SFP27
12. Entry Points           1. Unexpected Access Points                SFP28
13. Authentication         1. Authentication Bypass
                           2. Faulty Endpoint Authentication          SFP29
                           3. Missing Endpoint Authentication         SFP30
                           4. Digital Certificate
                           5. Missing Authentication                  SFP31
                           6. Insecure Authentication Policy
                           7. Multiple Binds to the Same Port         SFP32
                           8. Hardcoded Sensitive Data                SFP33
                           9. Unrestricted Authentication             SFP34
14. Access Control         1. Insecure Resource Access                SFP35
                           2. Insecure Resource Permissions
                           3. Access Management
15. Privilege              1. Privilege                               SFP36
16. Channel                1. Channel Attack
                           2. Protocol Error
17. Cryptography           1. Broken Cryptography
                           2. Weak Cryptography
18. Malware                1. Malicious Code
                           2. Covert Channel
19. Predictability         1. Predictability
20. UI                     1. Feature
                           2. Information Loss
                           3. Security
21. Other                  1. Architecture
                           2. Design
                           3. Implementation
                           4. Compiler

Example

SFP8 Faulty Buffer Access
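
As an added illustration that is not from the SFP report or the original page, the C code below lays out a faulty buffer access in the cluster's own terms (a source supplying a length, a sink that writes into a fixed buffer, and the missing condition between them) next to its corrected form. The names `faulty_copy`, `checked_copy`, `RECORD_LEN` and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define RECORD_LEN 16   /* constructed fixed capacity of the record buffer */

/* SFP8 shape: the sink is a write into a fixed-size buffer, and the length of
 * that write comes straight from the source with no condition relating it to
 * the buffer's capacity. Shown only to mark the pattern; it is never called
 * with oversized input in this example. */
void faulty_copy(char record[RECORD_LEN], const char *src, size_t src_len)
{
    memcpy(record, src, src_len);   /* sink: src_len never checked against RECORD_LEN */
    record[src_len] = '\0';         /* second out-of-range write when src_len == RECORD_LEN */
}

/* Corrected form: the missing condition is made explicit (src_len must leave
 * room for the terminator) and an input that does not fit is reported rather
 * than written past the buffer. Returns 0 on success, -1 when rejected. */
int checked_copy(char record[RECORD_LEN], const char *src, size_t src_len)
{
    if (src == NULL || src_len >= RECORD_LEN) {
        return -1;
    }
    memcpy(record, src, src_len);
    record[src_len] = '\0';
    return 0;
}

int main(void)
{
    char record[RECORD_LEN];
    /* constructed inputs: one that fits the record, one that would overflow it */
    const char *ok  = "ACCT-0042";
    const char *bad = "ACCT-0042-OVERLONG-FIELD";

    printf("fits:     %d\n", checked_copy(record, ok, strlen(ok)));    /* 0 */
    printf("rejected: %d\n", checked_copy(record, bad, strlen(bad)));  /* -1 */
    return 0;
}
```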

Notes

References

[3] B. A. Calloni, D. Campara, and N. Mansourov. White Box Definitions of Software Fault Patterns. Final Report. Lockheed Martin Corporation and KDM Analytics, Inc., 2011.