Software vulnerabilities arise when a program uses an API in a way that violates the caller-callee contract: omitting a required system call, assuming functionality the callee never promised, or shipping a callee that does not deliver what its interface guarantees.
This category belongs to the Seven Pernicious Kingdoms taxonomy of software weaknesses. It covers defects that occur when software uses an API in a way that contradicts the API's intended purpose. The authors of the Seven Pernicious Kingdoms describe an API as a contract between a caller and a callee: a set of rules and expectations both sides are assumed to honor.

The most common form of API abuse is a caller that fails to uphold its side of the contract. A classic example is a program that calls chroot() without then calling chdir(): chroot() changes the process's root directory but not its current working directory, so a process that is still "sitting" outside the new root can continue to reach the old filesystem tree through relative paths. Calling chdir("/") immediately after chroot() (and dropping root privileges afterwards, since a root process can otherwise escape the jail) is part of the contract for changing the active root directory securely. Another caller-side example is code that relies on the DNS library as if its answers were trustworthy enough to use for authentication, for instance by reverse-resolving a peer's address and granting access when the hostname looks familiar. DNS answers are unauthenticated and can be controlled or spoofed by an attacker, so an assumption of this kind turns an ordinary lookup into an authentication bypass.

The contract can also be broken from the callee's side. If a developer subclasses SecureRandom and returns predictable or non-random values, every caller that depends on SecureRandom for cryptographically strong randomness is silently undermined, even though each of those callers used the API exactly as documented.
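The DNS-based "authentication" described above, worked through as an added example that is not part of the original page. The resolver is injected so the code runs offline against a constructed fake zone (the hostnames, addresses and shared key are all assumptions for illustration): a naive check trusts whatever the reverse lookup returns, a forward-confirmed check catches the cheapest spoof, and an HMAC tag shows what an actual credential looks like.

```python
"""API-abuse example: treating DNS answers as an authentication credential."""
import hashlib
import hmac
import socket
from typing import Callable, Dict, List, Optional

TRUSTED_HOST = "admin.example.com"  # assumed trusted hostname (example data)

# Constructed fake zone data for the offline demo.
# The attacker controls the reverse zone for 203.0.113.0/24 and publishes a
# PTR record that claims to be the trusted host, but does NOT control the
# forward zone for example.com.
FAKE_PTR: Dict[str, str] = {
    "192.0.2.10": "admin.example.com",   # the genuine trusted host
    "203.0.113.7": "admin.example.com",  # attacker-controlled PTR, lying
}
FAKE_A: Dict[str, List[str]] = {
    "admin.example.com": ["192.0.2.10"],
}


def fake_reverse(ip: str) -> Optional[str]:
    """Reverse lookup against the constructed PTR table."""
    return FAKE_PTR.get(ip)


def fake_forward(name: str) -> List[str]:
    """Forward lookup against the constructed A table."""
    return FAKE_A.get(name, [])


def real_reverse(ip: str) -> Optional[str]:
    """What production code would call (not used by the offline demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


def real_forward(name: str) -> List[str]:
    """Forward resolution via getaddrinfo (not used by the offline demo)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


# --- Vulnerable: the caller assumes the callee's DNS answer is authoritative.
def is_trusted_naive(ip: str,
                     reverse: Callable[[str], Optional[str]] = fake_reverse) -> bool:
    return reverse(ip) == TRUSTED_HOST


# --- Better: forward-confirmed reverse DNS. The PTR name must resolve back to
# the connecting address, which defeats an attacker who only controls the
# reverse zone. It is still not authentication: forward answers are
# unauthenticated too and can be poisoned or intercepted on-path.
def is_trusted_fcrdns(ip: str,
                      reverse: Callable[[str], Optional[str]] = fake_reverse,
                      forward: Callable[[str], List[str]] = fake_forward) -> bool:
    name = reverse(ip)
    if name != TRUSTED_HOST:
        return False
    return ip in forward(name)


# --- Correct: authenticate with a credential the peer must actually possess.
SHARED_KEY = b"constructed-demo-key"  # assumed: provisioned out of band


def sign(body: bytes, key: bytes = SHARED_KEY) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def is_authentic_request(body: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    # Constant-time comparison so the check itself does not leak the tag.
    return hmac.compare_digest(sign(body, key), tag)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.7"):
        print(ip, "naive:", is_trusted_naive(ip), "fcrdns:", is_trusted_fcrdns(ip))
    body = b'{"action":"reboot"}'
    print("signed request accepted:", is_authentic_request(body, sign(body)))
```

Running the demo shows the attacker's address 203.0.113.7 passing the naive check and failing the forward-confirmed one; the HMAC variant is the shape a real design should take, because the hostname returned by the DNS library was never promised to be proof of identity.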