Byte Open Security

(ByteOS Network)

CWE-1038: Insecure Automated Optimizations
Weakness ID: 1038
Version: v4.17
Weakness Name: Insecure Automated Optimizations
Vulnerability Mapping: Allowed-with-Review
Abstraction: Class
Structure: Simple
Status: Draft
Likelihood of Exploit: Low
▼Description

The product uses a mechanism that automatically optimizes code, e.g. to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption.

▼Relationships
Relevant to the view "Research Concepts - (1000)"

Nature: ChildOf
Mapping: Discouraged
Type: Pillar
ID: 435
Name: Improper Interaction Between Multiple Correctly-Behaving Entities

Nature: ChildOf
Mapping: Allowed-with-Review
Type: Class
ID: 758
Name: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

Nature: ParentOf
Mapping: Allowed
Type: Base
ID: 1037
Name: Processor Optimization Removal or Modification of Security-critical Code

Nature: ParentOf
Mapping: Allowed
Type: Base
ID: 733
Name: Compiler Optimization Removal or Modification of Security-critical Code

▼Memberships
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1398
Name: Comprehensive Categorization: Component Interaction

▼Tags
Nature: MemberOf
Mapping: Prohibited
Type: BOSSView
ID: BOSS-275
Name: Low likelihood of exploit

Nature: MemberOf
Mapping: Prohibited
Type: BOSSView
ID: BOSS-294
Name: Not Language-Specific Weaknesses

Nature: MemberOf
Mapping: Prohibited
Type: BOSSView
ID: BOSS-330
Name: Alter Execution Logic (impact)


▼Common Consequences
Scope: Integrity
Likelihood: N/A
Impact: Alter Execution Logic
Note: The optimizations alter the order of execution resulting in side effects that were not intended by the original developer.

▼Modes Of Introduction
Phase: Architecture and Design
Note: Optimizations built into the design of a product can have unintended consequences during execution.

▼Applicable Platforms
Languages
Class: Not Language-Specific (Undetermined Prevalence)

▼Observed Examples
Reference: CVE-2017-5715
Description: Intel, ARM, and AMD processor optimizations related to speculative execution and branch prediction cause access control checks to be bypassed when placing data into the cache. Often known as "Spectre".

Reference: CVE-2008-1685
Description: C compiler optimization, as allowed by specifications, removes code that is used to perform checks to detect integer overflows.
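
The kind of check described for CVE-2008-1685, shown as an added example (not part of the CWE entry): an overflow guard written in terms of the overflowing addition, which an optimizer may legally remove, beside two forms that do not rely on undefined behaviour. The function names and the LIMIT value are assumptions made for the illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define LIMIT 4096  /* constructed size limit for this example */

/* Fragile: the guard depends on the overflow it is trying to detect.
 * Signed overflow is undefined behaviour in C, so an optimizing compiler
 * may assume len + extra >= len always holds and delete the branch. */
bool fits_fragile(int len, int extra)
{
    if (len < 0 || extra < 0)
        return false;
    if (len + extra < len)          /* may be removed by the optimizer */
        return false;
    return len + extra <= LIMIT;
}

/* Robust: compare against INT_MAX before adding, so no overflow occurs
 * and there is no undefined behaviour for the optimizer to exploit. */
bool fits_checked(int len, int extra)
{
    if (len < 0 || extra < 0)
        return false;
    if (extra > INT_MAX - len)      /* sum would exceed INT_MAX */
        return false;
    return len + extra <= LIMIT;
}

/* Alternative on GCC and Clang: a builtin that reports overflow explicitly. */
bool fits_builtin(int len, int extra)
{
    int sum;
    if (len < 0 || extra < 0 || __builtin_add_overflow(len, extra, &sum))
        return false;
    return sum <= LIMIT;
}

int main(void)
{
    printf("checked: %d %d\n", fits_checked(100, 200), fits_checked(INT_MAX, 1));
    printf("builtin: %d %d\n", fits_builtin(100, 200), fits_builtin(INT_MAX, 1));
    return 0;
}
```

Comparing the generated assembly of fits_fragile at different optimization levels is one way to review whether the guard survived compilation.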
▼Weakness Ordinalities
Ordinality: Primary
Description: This weakness does not depend on other weaknesses and is the result of choices made during optimization.

▼Vulnerability Mapping Notes
Usage: Allowed-with-Review
Reason: Abstraction
Rationale: This CWE entry is a Class and might have Base-level children that would be more appropriate
Comments: Examine children of this entry to see if there is a better fit