Fuzion Logo
fuzion-lang.dev — The Fuzion Language Portal
JavaScript seems to be disabled. Functionality is limited.

Safety and Security

The Fuzion programming language will provide specific features that mitigate important safety and security vulnerabilities.

Fuzion and the CWE Top 25

Nine out of the top ten weaknesses in Mitre's 25 most dangerous weaknesses published in July 2021 are addressed or solved directly by Fuzion.

It turns out that there are three main aspects of Fuzion that mitigate security vulnerabilities:

  1. pre-conditions forbid unsafe operations
  2. static analysis finds dangerous data-flow
  3. Automatic memory management, no pointer arithmetic or null pointers.

The remaining weaknesses affect areas that can only be addressed outside of the programming languages during architecture and design or operation.

Rank ID Name Fuzion Solution
1 CWE-787 Out-of-bounds Write Safety pre-conditions in buffers catch out-of-bounds accesses.
2 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Static (taint) analysis will find data flow from input to generated page.
3 CWE-125 Out-of-bounds Read Safety pre-conditions in buffers catch out-of-bounds accesses.
4 CWE-20 Improper Input Validation Static (taint) analysis will find data flow from input to generated page.
5 CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Static (taint) analysis will find data flow from input to generated page.
6 CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Static (taint) analysis will find data flow from input to generated page.
7 CWE-416 Use After Free Memory is freed automatically when static analysis or GC determined that it is inaccessible.
8 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Static (taint) analysis will find data flow from input to generated page.
9 CWE-352 Cross-Site Request Forgery (CSRF) Static (taint) analysis will find data flow from input to generated page.
10 CWE-434 Unrestricted Upload of File with Dangerous Type Language independent, must be addressed during design and implementation phases.
11 CWE-306 Missing Authentication for Critical Function Fuzion can help if pre-conditions are used in critical features to ensure authentication.
12 CWE-190 Integer Overflow or Wraparound Safety pre-conditions check for integer overflows. Also, numeric operations can produce optional results for explicit error handling.
13 CWE-502 Deserialization of Untrusted Data No automatic deserialization supported in Fuzion.
14 CWE-287 Improper Authentication Must be handled in application code.
15 CWE-476 NULL Pointer Dereference There are no null pointers in Fuzion, Fuzion standard library feature option that requires explicit code to unwrap a pointer is used instead.
16 CWE-798 Use of Hard-coded Credentials Must be handled in application code.
17 CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Safety pre-conditions in buffers catch out-of-bounds accesses.
18 CWE-862 Missing Authorization Must be handled in application design phase, Fuzion can help during implementation through pre-conditions that verify proper authorization.
19 CWE-276 Incorrect Default Permissions Must be handled in architecture and design phase, a programming language can not provide any mitigation here.
20 CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Must be handled in architecture and design phase, a programming language can not provide a mitigation here.
21 CWE-522 Insufficiently Protected Credentials Must be handled in architecture and design phase, a programming language can not provide a mitigation here.
22 CWE-732 Incorrect Permission Assignment for Critical Resource Must be handled in architecture and design or operation phase, a programming language can not provide a mitigation here.
23 CWE-611 Improper Restriction of XML External Entity Reference Unrelated to programming language, requires proper configuration of XML parser.
24 CWE-918 Server-Side Request Forgery (SSRF) Language independent.
25 CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') Static (taint) analysis will find data flow from input to generated command.