CWE-665

Mitigation ID: MIT-3

Phase: Requirements

Strategy: Language Selection

Description:

• Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
• For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.

Mitigation

Phase: Architecture and Design

Description:

• Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation

Phase: Implementation

Description:

• Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.

Mitigation

Phase: Implementation

Description:

• Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.

Mitigation

Phase: Implementation

Description:

• Avoid race conditions (CWE-362) during initialization routines.

Mitigation

Phase: Build and Compilation

Description:

• Run or compile your product with settings that generate warnings about uninitialized variables or data.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.