Allocation of File Descriptors or Handles Without Limits or ThrottlingID: 774 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: INCOMPLETE |
Abstraction Type: Variant |
Description
The software allocates file descriptors or handles on behalf of
an actor without imposing any restrictions on how many descriptors can be
allocated, in violation of the intended security policy for that
actor.
Extended DescriptionThis can cause the software to consume all available file descriptors or
handles, which can prevent other processes from performing critical file
processing operations.
Likelihood of Exploit: Medium to High
Applicable PlatformsNone
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
Scope | Technical Impact | Notes |
---|
Availability | DoS: resource consumption
(other) | When allocating resources without limits, an attacker could prevent
all other processes from accessing the same type of resource. |
Detection MethodsNone
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|
OperationArchitecture and Design | Limit Resource Consumption | Use resource-limiting settings provided by the operating system or
environment. For example, when managing system resources in POSIX,
setrlimit() can be used to set limits for certain types of resources,
and getrlimit() can determine how many resources are available. However,
these functions are not available on all operating systems.When the current levels get close to the maximum that is defined for
the application (see CWE-770), then limit the allocation of further
resources to privileged users; alternately, begin releasing resources
for less-privileged users. While this mitigation may protect the system
from attack, it will not necessarily stop attackers from adversely
impacting other users.Ensure that the application performs the appropriate error checks and
error handling in case resources become unavailable (CWE-703). | | |
Relationships
Related CWE | Type | View | Chain |
---|
CWE-774 ChildOf CWE-892 | Category | CWE-888 | |
Demonstrative ExamplesNone
White Box Definitions None
Black Box Definitions None
Taxynomy MappingsNone
References:
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 10, "Resource Limits", Page 574.'. Published on 2006.