Allocation of Resources Without Limits or Throttling| ID: 770 | Date: (C)2012-05-14 (M)2022-10-10 | | Type: weakness | Status: INCOMPLETE | | Abstraction Type: Base |
Description The software allocates a reusable resource or group of
resources on behalf of an actor without imposing any restrictions on how many
resources can be allocated, in violation of the intended security policy for
that actor. Likelihood of Exploit: Medium to High Applicable PlatformsLanguage Class: Language-Independent Time Of Introduction - Architecture and Design
- Implementation
- Operation
- System Configuration
Related Attack Patterns Common Consequences | Scope | Technical Impact | Notes |
|---|
| Availability | DoS: resource consumption
(CPU)DoS: resource consumption
(memory)DoS: resource consumption
(other) | When allocating resources without limits, an attacker could prevent
other systems, applications, or processes from accessing the same type
of resource. |
Detection Methods | Name | Description | Effectiveness | Notes |
|---|
| Manual Static Analysis | Manual static analysis can be useful for finding this weakness, but it
might not achieve desired code coverage within limited time constraints.
If denial-of-service is not considered a significant risk, or if there
is strong emphasis on consequences such as code execution, then manual
analysis may not focus on this weakness at all. | | | | Fuzzing | While fuzzing is typically geared toward finding low-level
implementation bugs, it can inadvertently find uncontrolled resource
allocation problems. This can occur when the fuzzer generates a large
number of test cases but does not restart the targeted software in
between test cases. If an individual test case produces a crash, but it
does not do so reliably, then an inability to limit resource allocation
may be the cause.When the allocation is directly affected by numeric inputs, then
fuzzing may produce indications of this weakness. | Opportunistic | | | Automated Dynamic Analysis | Certain automated dynamic analysis techniques may be effective in
producing side effects of uncontrolled resource allocation problems,
especially with resources such as processes, memory, and connections.
The technique may involve generating a large number of requests to the
software within a short time frame. Manual analysis is likely required
to interpret the results. | | | | Automated Static Analysis | Specialized configuration or tuning may be required to train automated
tools to recognize this weakness.Automated static analysis typically has limited utility in recognizing
unlimited allocation problems, except for the missing release of
program-independent system resources such as files, sockets, and
processes, or unchecked arguments to memory. For system resources,
automated static analysis may be able to detect circumstances in which
resources are not released after they have expired, or if too much of a
resource is requested at once, as can occur with memory. Automated
analysis of configuration files may be able to detect settings that do
not specify a maximum value.Automated static analysis tools will not be appropriate for detecting
exhaustion of custom resources, such as an intended security policy in
which a bulletin board user is only allowed to make a limited number of
posts per day. | | |
Potential Mitigations | Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Requirements | | Clearly specify the minimum and maximum expectations for capabilities,
and dictate which behaviors are acceptable when resource allocation
reaches limits. | | | | Architecture and Design | | Limit the amount of resources that are accessible to unprivileged
users. Set per-user limits for resources. Allow the system administrator
to define these limits. Be careful to avoid CWE-410. | | | | Architecture and Design | | Design throttling mechanisms into the system architecture. The best
protection is to limit the amount of resources that an unauthorized user
can cause to be expended. A strong authentication and access control
model will help prevent such attacks from occurring in the first place,
and it will help the administrator to identify who is committing the
abuse. The login application should be protected against DoS attacks as
much as possible. Limiting the database access, perhaps by caching
result sets, can help minimize the resources expended. To further limit
the potential for a DoS attack, consider tracking the rate of requests
received from users and blocking requests that exceed a defined rate
threshold. | | | | Implementation | Input Validation | Assume all input is malicious. Use an "accept known good" input
validation strategy, i.e., use a whitelist of acceptable inputs that
strictly conform to specifications. Reject any input that does not
strictly conform to specifications, or transform it into something that
does.When performing input validation, consider all potentially relevant
properties, including length, type of input, the full range of
acceptable values, missing or extra inputs, syntax, consistency across
related fields, and conformance to business rules. As an example of
business rule logic, "boat" may be syntactically valid because it only
contains alphanumeric characters, but it is not valid if the input is
only expected to contain colors such as "red" or "blue."Do not rely exclusively on looking for malicious or malformed inputs
(i.e., do not rely on a blacklist). A blacklist is likely to miss at
least one undesirable input, especially if the code's environment
changes. This can give attackers enough room to bypass the intended
validation. However, blacklists can be useful for detecting potential
attacks or determining which inputs are so malformed that they should be
rejected outright. | | This will only be applicable to cases where user input can influence
the size or frequency of resource allocations. | | Architecture and Design | | For any security checks that are performed on the client side, ensure
that these checks are duplicated on the server side, in order to avoid
CWE-602. Attackers can bypass the client-side checks by modifying values
after the checks have been performed, or by changing the client to
remove the client-side checks entirely. Then, these modified values
would be submitted to the server. | | | | Architecture and Design | | Mitigation of resource exhaustion attacks requires that the target
system either:The first of these solutions is an issue in itself though, since it
may allow attackers to prevent the use of the system by a particular
valid user. If the attacker impersonates the valid user, he may be able
to prevent the user from accessing the server in question.The second solution can be difficult to effectively institute -- and
even when properly done, it does not provide a full solution. It simply
requires more resources on the part of the attacker. | | | | Architecture and Design | | Ensure that protocols have specific limits of scale placed on
them. | | | | Architecture and DesignImplementation | | If the program must fail, ensure that it fails gracefully (fails
closed). There may be a temptation to simply let the program fail poorly
in cases such as low memory conditions, but an attacker may be able to
assert control before the software has fully exited. Alternately, an
uncontrolled failure could cause cascading problems with other
downstream components; for example, the program could send a signal to a
downstream process so the process immediately knows that a problem has
occurred and has a better chance of recovery.Ensure that all failures in resource allocation place the system into
a safe posture. | | | | OperationArchitecture and Design | Limit Resource Consumption | Use resource-limiting settings provided by the operating system or
environment. For example, when managing system resources in POSIX,
setrlimit() can be used to set limits for certain types of resources,
and getrlimit() can determine how many resources are available. However,
these functions are not available on all operating systems.When the current levels get close to the maximum that is defined for
the application (see CWE-770), then limit the allocation of further
resources to privileged users; alternately, begin releasing resources
for less-privileged users. While this mitigation may protect the system
from attack, it will not necessarily stop attackers from adversely
impacting other users.Ensure that the application performs the appropriate error checks and
error handling in case resources become unavailable (CWE-703). | | |
Relationships | Related CWE | Type | View | Chain |
|---|
| CWE-770 ChildOf CWE-892 | Category | CWE-888 | |
Demonstrative Examples (Details) - An unnamed web site allowed a user to purchase tickets for an event.
A menu option allowed the user to purchase up to 10 tickets, but the back
end did not restrict the actual number of tickets that could be
purchased.
- In the following example a server socket connection is used to
accept a request to store data on the local file system using a specified
filename. The method openSocketConnection establishes a server socket to
accept requests from a client. When a client establishes a connection to
this service the getNextMessage method is first used to retrieve from the
socket the name of the file to store the data, the openFileToWrite method
will validate the filename and open a file to write to on the local file
system. The getNextMessage is then used within a while loop to continuously
read data from the socket and output the data to the file until there is no
longer any data from the socket. (Demonstrative Example Id DX-50)
- In the following example, a server object creates a server socket
and accepts client connections to the socket. For every client connection to
the socket a separate thread object is generated using the
ClientSocketThread class that handles request made by the client through the
socket. (Demonstrative Example Id DX-52)
- In the following example, the processMessage method receives a two
dimensional character array containing the message to be processed. The
two-dimensional character array contains the length of the message in the
first character array and the message body in the second character array.
The getMessageLength method retrieves the integer value of the length from
the first character array. After validating that the message length is
greater than zero, the body character array pointer points to the start of
the second character array of the two-dimensional character array and memory
is allocated for the new body character array. (Demonstrative Example Id DX-51)
- This code allocates a socket and forks each time it receives a new
connection. (Demonstrative Example Id DX-25)
Observed Examples - CVE-2009-4017 : Language interpreter does not restrict the number of temporary files being created when handling a MIME request with a large number of parts..
- CVE-2009-2726 : Driver does not use a maximum width when invoking sscanf style functions, causing stack consumption.
- CVE-2009-2540 : Large integer value for a length property in an object causes a large amount of memory allocation.
- CVE-2009-2054 : Product allows exhaustion of file descriptors when processing a large number of TCP packets.
- CVE-2008-5180 : Communication product allows memory consumption with a large number of SIP requests, which cause many sessions to be created.
- CVE-2008-1700 : Product allows attackers to cause a denial of service via a large number of directives, each of which opens a separate window.
- CVE-2005-4650 : CMS does not restrict the number of searches that can occur simultaneously, leading to resource exhaustion.
For more examples, refer to CVE relations in the bottom box. White Box Definitions None Black Box Definitions None Taxynomy Mappings | Taxynomy | Id | Name | Fit |
|---|
| CERT Java Secure Coding | FIO04-J | Close resources when they are no longer
needed | | | CERT Java Secure Coding | SER12-J | Avoid memory and resource leaks during
serialization | | | CERT Java Secure Coding | MSC05-J | Do not exhaust heap space | | | CERT C++ Secure Coding | MEM12-CPP | Do not assume infinite heap space | | | CERT C++ Secure Coding | FIO42-CPP | Ensure files are properly closed when they are no longer
needed | |
References: - Joao Antunes Nuno Ferreira Neves Paulo Verissimo .Detection and Prediction of Resource-Exhaustion
Vulnerabilities. Proceedings of the IEEE International Symposium on
Software Reliability Engineering (ISSRE). Published on November 2008.
- D.J. Bernstein .Resource exhaustion.
- Pascal Meunier .Resource exhaustion. Secure Programming Educational
Material. Published on 2004.
- M. Howard D. LeBlanc .Writing Secure Code 2nd Edition. Microsoft. Section:'Chapter 17, "Protecting Against Denial of Service Attacks"
Page 517'. Published on 2002.
- Frank Kim .Top 25 Series - Rank 22 - Allocation of Resources Without
Limits or Throttling. SANS Software Security Institute. 2010-03-23.
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 10, "Resource Limits", Page 574.'. Published on 2006.
|
