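# Catalogue entry for SEI CERT C FIO32-C. The fields below identify the entry
# and carry its risk-assessment values and a free-text description.
[metadata]
id = "FIO32-C"
# NOTE(review): CERT C normally numbers recommendations 00-29 and rules 30-99,
# and this entry is switched on under [rules.cert_c.FIO32-C] further down.
# Confirm that "recommendation" is the intended value.
type = "recommendation"
# category and number repeat the two parts of `id` ("FIO" + 32).
category = "FIO"
number = 32
title = "Do not perform operations on devices that are only appropriate for files"
# Literal multi-line string ('''): backslashes are taken verbatim, so the
# Windows \\.\ prefix needs no escaping. In a basic string ("""), the sequence
# backslash + "d" is not a valid TOML escape and a strict parser rejects the file.
# Usual mitigation for this entry: confirm the opened object is a regular file
# before operating on it (POSIX fstat() with S_ISREG, Windows GetFileType()).
description = '''
File names on many operating systems, including Windows and UNIX, may be used to
access special files, which are actually devices. Reserved Microsoft Windows
device names include AUX, CON, PRN, COM1, and LPT1 or paths using the \\.\ device
namespace. Device files on UNIX systems are used to apply access rights and to
direct operations on the files to the appropriate device drivers. Performing
operations on device files that are intended for ordinary character or binary
files can result in crashes and denial-of-service attacks. For example, when
Windows attempts to interpret the device name as a file resource, it performs an
invalid resource access that usually results in a crash [Howard 2002]. Device
files in UNIX can be a security risk when an attacker can access them in an
unauthorized way. For example, if attackers can read or write to
the /dev/kmem device, they may be able to alter the priority, UID, or other
attributes of their process or simply crash the system. Similarly, access to
disk devices, tape devices, network devices, and terminals being used by other
processes can lead to problems [Garfinkel 1996].
'''
# CERT risk-assessment values for this entry (presumably copied from the wiki
# page named in cert_version; verify against that page before relying on them).
severity = "Medium"
likelihood = "Unlikely"
priority = "P2"
level = "L3"
cert_version = "2016 Edition (Wiki)"
# Stored as a display string, not a TOML date; consumers must parse it themselves.
last_modified = "Jun 02, 2025"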
# Per-rule switch for FIO32-C in the cert_c rule set. What reads this flag is
# not visible in this file.
[rules.cert_c.FIO32-C]
enabled = true
# External references for this entry.
[references]
# SEI CERT C wiki page for FIO32-C.
wiki = "https://wiki.sei.cmu.edu/confluence/display/c/FIO32-C.+Do+not+perform+operations+on+devices+that+are+only+appropriate+for+files"
# CWE-67 is "Improper Handling of Windows Device Names". It covers only the
# Windows half of the description; no CWE is listed here for UNIX device files.
cwe = ["CWE-67"]