Declaration of Throws for Generic Exception

Draft Base

Structure: Simple

Description

The product throws or raises an overly broad exceptions that can hide important details and produce inappropriate responses to certain conditions.

Extended Description

Declaring a method to throw Exception or Throwable promotes generic error handling procedures that make it difficult for callers to perform proper error handling and error recovery. For example, Java's exception mechanism makes it easy for callers to anticipate what can go wrong and write code to handle each specific exceptional circumstance. Declaring that a method throws a generic form of exception defeats this system.

Common Consequences 1

Scope: Non-RepudiationOther

Impact: Hide ActivitiesAlter Execution Logic

Throwing a generic exception can hide details about unexpected adversary activities by making it difficult to properly troubleshoot error conditions during execution.

Detection Methods 1

Automated Static AnalysisHigh

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Demonstrative Examples 2

ID : DX-198

The following method throws three types of exceptions.

Code Example:Good
Java
java

While it might seem tidier to write

Code Example:Bad
Java
java

doing so hampers the caller's ability to understand and handle the exceptions that occur. Further, if a later revision of doExchange() introduces a new type of exception that should be treated differently than previous exceptions, there is no easy way to enforce this requirement.

Early versions of C++ (C++98, C++03, C++11) included a feature known as Dynamic Exception Specification. This allowed functions to declare what type of exceptions it may throw. It is possible to declare a general class of exception to cover any derived exceptions that may be thrown.

Code Example:Bad
C++
c++

In the example above, the code declares that myfunction() can throw an exception of type "std::exception" thus hiding details about the possible derived exceptions that could potentially be thrown.

References 3

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors

Katrina Tsipenyuk, Brian Chess, and Gary McGraw

NIST Workshop on Software Security Assurance Tools Techniques and Metrics • NIST

07-11-2005

https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf

ID: REF-6

Automated Source Code Reliability Measure (ASCRM)

Object Management Group (OMG)

01-2016

http://www.omg.org/spec/ASCRM/1.0/

ID: REF-961

Automated Source Code Security Measure (ASCSM)

Object Management Group (OMG)

01-2016

http://www.omg.org/spec/ASCSM/1.0/

ID: REF-962

Applicable Platforms

Languages:

C++ : UndeterminedC# : UndeterminedJava : UndeterminedPython : Undetermined

Modes of Introduction

Implementation

Related Weaknesses

ChildOf:

Incorrect Control Flow Scoping (CWE-705)

ChildOf:

Information Loss or Omission (CWE-221)

ChildOf:

Improper Check or Handling of Exceptional Conditions (CWE-703)

Taxonomy Mapping

7 Pernicious Kingdoms
The CERT Oracle Secure Coding Standard for Java (2011)
Software Fault Patterns
OMG ASCSM
OMG ASCRM

Notes

Applicable PlatformFor C++, this weakness only applies to C++98, C++03, and C++11. It relies on a feature known as Dynamic Exception Specification, which was part of early versions of C++ but was deprecated in C++11. It has been removed for C++17 and later.