Logic/Time Bomb

Incomplete Base

Structure: Simple

Description

The product contains code that is designed to disrupt the legitimate operation of the product (or its environment) when a certain time passes, or when a certain logical condition is met.

Extended Description

When the time bomb or logic bomb is detonated, it may perform a denial of service such as crashing the system, deleting critical data, or degrading system response time. This bomb might be placed within either a replicating or non-replicating Trojan horse.

Common Consequences 1

Scope: OtherIntegrity

Impact: Varies by ContextAlter Execution Logic

Potential Mitigations 2

Phase: Installation

Always verify the integrity of the product that is being installed.

Phase: Testing

Conduct a code coverage analysis using live testing, then closely inspect any code that is not covered.

Demonstrative Examples 1

Typical examples of triggers include system date or time mechanisms, random number generators, and counters that wait for an opportunity to launch their payload. When triggered, a time-bomb may deny service by crashing the system, deleting files, or degrading system response-time.

References 2

Mobile App Top 10 List

Chris Wysopal

13-12-2010

https://www.veracode.com/blog/2010/12/mobile-app-top-10-list(2023-04-07)

ID: REF-172

A Taxonomy of Computer Program Security Flaws, with Examples

Carl E. Landwehr, Alan R. Bull, John P. McDermott, and William S. Choi

19-11-1993

https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf(2024-11-17)

ID: REF-1431

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Technologies:

Mobile : Undetermined

Modes of Introduction

Architecture and Design

Implementation

Related Weaknesses

ChildOf:

Embedded Malicious Code (CWE-506)

Taxonomy Mapping

Landwehr