GaloisInc / BESSPIN-Tool-Suite

The core tool of the BESSPIN Framework.

[Issue Transfer from FETT-Target] CWE-PPAC-2 Clarification #1218

Closed andrew-bivin closed 3 years ago

andrew-bivin commented 3 years ago

Original issue text:

@njshanahan commented on Apr 29

I spoke with @Abivin12 who indicated issues should still be submitted to this repository.

Could someone clarify the description of CWE-PPAC-2? After reading the descriptions of CWE-284, CWE-287, and CWE-288, it isn't clear why sole reliance on the OS for authentication is an issue. Rather, the weaknesses seem to describe poor implementation of an authentication mechanism within the OS that could either be bypassed or is generally insufficient (e.g. bypassing authentication by setting a cookie).

The SSH example implemented by PPAC-2 seems to more closely align with CWE-308 and CWE-309 which describe the use of single-factor authentication.

@LM-BrianUhlhorn @austinhroach For your awareness.

andrew-bivin commented 3 years ago

rtadros125 commented on Apr 29

One can argue that relying on the OS only, from the point of view of the SSITH program motivation, for authentication represents the following:

- Improper Authentication
- Authentication Bypass
- Improper Access Control

rtadros125 commented 3 years ago

We have discussed this in person, and we decided that there is nothing to be done regarding these philosophical disagreements. LMCO will append their report to DARPA with their arguments and analysis of the problem.