Allocation of Resources Without Limits or Throttling |
| Weakness ID: 770 (Weakness Base) | Status: Incomplete |
DescriptionDescription Summary
Time of Introduction- Architecture and Design
- Implementation
- Operation
- System Configuration
Applicable PlatformsLanguages
Language-Independent
Common Consequences| Scope | Effect |
|---|---|
Availability | Technical Impact: DoS: resource exhaustion (CPU/memory) When allocating resources without limits, an attacker could prevent all other processes from accessing the same type of resource. |
Likelihood of ExploitMedium to High
Detection MethodsManual Static Analysis Manual static analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. If denial-of-service is not considered a significant risk, or if there is strong emphasis on consequences such as code execution, then manual analysis may not focus on this weakness at all. |
Fuzzing While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find uncontrolled resource allocation problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted software in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to limit resource allocation may be the cause. When the allocation is directly affected by numeric inputs, then fuzzing may produce indications of this weakness. Effectiveness: Opportunistic |
Automated Dynamic Analysis Certain automated dynamic analysis techniques may be effective in producing side effects of uncontrolled resource allocation problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the software within a short time frame. Manual analysis is likely required to interpret the results. |
Automated Static Analysis Specialized configuration or tuning may be required to train automated tools to recognize this weakness. Automated static analysis typically has limited utility in recognizing unlimited allocation problems, except for the failure to release program-independent system resources such as files, sockets, and processes, or unchecked arguments to memory. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired, or if too much of a resource is requested at once, as can occur with memory. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day. |
Demonstrative ExamplesExample 1
This code allocates a socket and forks each time it receives a new connection.
The program does not track how many connections have been made, and it does not limit the number of connections. Because forking is a relatively expensive operation, an attacker would be able to cause the system to run out of CPU, processes, or memory by making a large number of connections.
Observed Examples| Reference | Description |
|---|---|
| CVE-2009-4017 | Language interpreter does not restrict the number of temporary files being created when handling a MIME request with a large number of parts.. |
| CVE-2009-2726 | Driver does not use a maximum width when invoking sscanf style functions, causing stack consumption. |
| CVE-2009-2540 | Large integer value for a length property in an object causes a large amount of memory allocation. |
| CVE-2009-2054 | Product allows exhaustion of file descriptors when processing a large number of TCP packets. |
| CVE-2008-5180 | Communication product allows memory consumption with a large number of SIP requests, which cause many sessions to be created. |
| CVE-2008-1700 | Product allows attackers to cause a denial of service via a large number of directives, each of which opens a separate window. |
| CVE-2005-4650 | CMS does not restrict the number of searches that can occur simultaneously, leading to resource exhaustion. |
Potential MitigationsPhase: Requirements Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits. |
Phase: Architecture and Design Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410. |
Phase: Architecture and Design Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place, and it will help the administrator to identify who is committing the abuse. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold. |
Phase: Architecture and Design Mitigation of resource exhaustion attacks requires that the target system either:
The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, he may be able to prevent the user from accessing the server in question. The second solution can be difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply requires more resources on the part of the attacker. |
Phase: Architecture and Design Ensure that protocols have specific limits of scale placed on them. |
Phase: Implementation Ensure that all failures in resource allocation place the system into a safe posture. |
Phase: Implementation For system resources when using C, consider using the getrlimit() function included in the sys/resources library in order to determine how many files are currently allowed to be opened for the process. |
Phase: Operation Use resource-limiting settings provided by the operating system or environment. For example, setrlimit() can be used to set limits for certain types of resources. However, this is not available on all operating systems. Ensure that your application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703). |
Relationships| Nature | Type | ID | Name | View(s) this relationship pertains to |
|---|---|---|---|---|
| ChildOf |  Weakness Base | 400 | Uncontrolled Resource Consumption ('Resource Exhaustion') | Development Concepts (primary)699 Research Concepts1000 |
| ChildOf | Weakness Base | 665 | Improper Initialization | Research Concepts (primary)1000 |
| ChildOf |  Category | 802 | 2010 Top 25 - Risky Resource Management | Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)800 |
| ParentOf |  Weakness Variant | 774 | Allocation of File Descriptors or Handles Without Limits or Throttling | Research Concepts (primary)1000 |
| ParentOf | Weakness Variant | 789 | Uncontrolled Memory Allocation | Development Concepts (primary)699 Research Concepts (primary)1000 |
Theoretical Notes| Vulnerability theory is largely about how behaviors and resources interact. "Resource exhaustion" can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place. |
Related Attack Patterns References| Joao Antunes, Nuno Ferreira Neves and Paulo Verissimo. "Detection and Prediction of Resource-Exhaustion Vulnerabilities". Proceedings of the IEEE International Symposium on Software Reliability Engineering (ISSRE). November 2008. <http://homepages.di.fc.ul.pt/~nuno/PAPERS/ISSRE08.pdf>. |
| D.J. Bernstein. "Resource exhaustion". <http://cr.yp.to/docs/resources.html>. |
| Pascal Meunier. "Resource exhaustion". Secure Programming Educational Material. 2004. <http://homes.cerias.purdue.edu/~pmeunier/secprog/sanitized/class1/6.resource%20exhaustion.ppt>. |
| [REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 17, "Protecting Against Denial of Service Attacks" Page 517. 2nd Edition. Microsoft. 2002. |
Maintenance Notes| "Resource exhaustion" (CWE-400) is currently treated as a weakness, although it is more like a category of weaknesses that all have the same type of consequence. While this entry treats CWE-400 as a parent in view 1000, the relationship is probably more appropriately described as a chain. |
Content History| Submissions | ||||
|---|---|---|---|---|
| Submission Date | Submitter | Organization | Source | |
| 2009-05-13 | Internal CWE Team | |||
| Modifications | ||||
| Modification Date | Modifier | Organization | Source | |
| 2009-07-27 | CWE Content Team | MITRE | Internal | |
| updated Related Attack Patterns | ||||
| 2009-10-29 | CWE Content Team | MITRE | Internal | |
| updated Relationships | ||||
| 2009-12-28 | CWE Content Team | MITRE | Internal | |
| updated Applicable Platforms, Demonstrative Examples, Detection Factors, Observed Examples, References, Time of Introduction | ||||
