CWE-770 不加限制或调节的资源分配
Allocation of Resources Without Limits or Throttling
结构: Simple
Abstraction: Base
状态: Incomplete
被利用可能性: High
基本描述
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 400 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 665 cwe_View_ID: 1000
-
cwe_Nature: ChildOf cwe_CWE_ID: 400 cwe_View_ID: 1003 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 400 cwe_View_ID: 699 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Availability | ['DoS: Resource Consumption (CPU)', 'DoS: Resource Consumption (Memory)', 'DoS: Resource Consumption (Other)'] | When allocating resources without limits, an attacker could prevent other systems, applications, or processes from accessing the same type of resource. |
检测方法
DM-8 Manual Static Analysis
Fuzzing
While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find uncontrolled resource allocation problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted software in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to limit resource allocation may be the cause.
When the allocation is directly affected by numeric inputs, then fuzzing may produce indications of this weakness.
Automated Dynamic Analysis
Automated Static Analysis
Specialized configuration or tuning may be required to train automated tools to recognize this weakness.
Automated static analysis typically has limited utility in recognizing unlimited allocation problems, except for the missing release of program-independent system resources such as files, sockets, and processes, or unchecked arguments to memory. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired, or if too much of a resource is requested at once, as can occur with memory. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value.
Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.
可能的缓解方案
Requirements
策略:
Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.
Architecture and Design
策略:
Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.
Architecture and Design
策略:
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place, and it will help the administrator to identify who is committing the abuse. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
MIT-5 Implementation
策略: Input Validation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
MIT-15 Architecture and Design
策略:
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Architecture and Design
策略:
Mitigation of resource exhaustion attacks requires that the target system either: The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question. The second solution can be difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply requires more resources on the part of the attacker.
Architecture and Design
策略:
Ensure that protocols have specific limits of scale placed on them.
MIT-38.1 ['Architecture and Design', 'Implementation']
策略:
If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery. Ensure that all failures in resource allocation place the system into a safe posture.
MIT-47 ['Operation', 'Architecture and Design']
策略: Resource Limitation
Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users. Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).
示例代码
例
This code allocates a socket and forks each time it receives a new connection.
bad C
while (1) {
printf("A connection has been accepted\n");
pid = fork();
The program does not track how many connections have been made, and it does not limit the number of connections. Because forking is a relatively expensive operation, an attacker would be able to cause the system to run out of CPU, processes, or memory by making a large number of connections. Alternatively, an attacker could consume all available connections, preventing others from accessing the system remotely.
例
In the following example a server socket connection is used to accept a request to store data on the local file system using a specified filename. The method openSocketConnection establishes a server socket to accept requests from a client. When a client establishes a connection to this service the getNextMessage method is first used to retrieve from the socket the name of the file to store the data, the openFileToWrite method will validate the filename and open a file to write to on the local file system. The getNextMessage is then used within a while loop to continuously read data from the socket and output the data to the file until there is no longer any data from the socket.
bad C
{
char filename[FILENAME_SIZE];
char buffer[BUFFER_SIZE];
int socket = openSocketConnection(host, port);
if (socket < 0) {
return(FAIL);
if (getNextMessage(socket, filename, FILENAME_SIZE) > 0) {
closeFile();
closeSocket(socket);
This example creates a situation where data can be dumped to a file on the local file system without any limits on the size of the file. This could potentially exhaust file or disk resources and/or limit other clients' ability to access the service.
例
In the following example, the processMessage method receives a two dimensional character array containing the message to be processed. The two-dimensional character array contains the length of the message in the first character array and the message body in the second character array. The getMessageLength method retrieves the integer value of the length from the first character array. After validating that the message length is greater than zero, the body character array pointer points to the start of the second character array of the two-dimensional character array and memory is allocated for the new body character array.
bad C
/ process message accepts a two-dimensional character array of the form [length][body] containing the message to be processed /
int processMessage(char *message)
{
int length = getMessageLength(message[0]);
if (length > 0) {
processMessageBody(body);
return(SUCCESS);
else {
return(FAIL);
This example creates a situation where the length of the body character array can be very large and will consume excessive memory, exhausting system resources. This can be avoided by restricting the length of the second character array with a maximum length check
Also, consider changing the type from 'int' to 'unsigned int', so that you are always guaranteed that the number is positive. This might not be possible if the protocol specifically requires allowing negative values, or if you cannot control the return value from getMessageLength(), but it could simplify the check to ensure the input is positive, and eliminate other errors such as signed-to-unsigned conversion errors (CWE-195) that may occur elsewhere in the code.
good C
if ((length > 0) && (length < MAX_LENGTH)) {...}
例
In the following example, a server object creates a server socket and accepts client connections to the socket. For every client connection to the socket a separate thread object is generated using the ClientSocketThread class that handles request made by the client through the socket.
bad Java
int counter = 0;
boolean hasConnections = true;
while (hasConnections) {
Thread t = new Thread(new ClientSocketThread(client));
t.setName(client.getInetAddress().getHostName() + ":" + counter++);
t.start();
serverSocket.close();
} catch (IOException ex) {...}
In this example there is no limit to the number of client connections and client threads that are created. Allowing an unlimited number of client connections and threads could potentially overwhelm the system and system resources.
The server should limit the number of client connections and the client threads that are created. This can be easily done by creating a thread pool object that limits the number of threads that are generated.
good Java
public static final int MAX_CONNECTIONS = 10;
...
public void acceptConnections() {
int counter = 0;
boolean hasConnections = true;
while (hasConnections) {
Socket client = serverSocket.accept();
Thread t = new Thread(new ClientSocketThread(client));
t.setName(client.getInetAddress().getHostName() + ":" + counter++);
ExecutorService pool = Executors.newFixedThreadPool(MAX_CONNECTIONS);
pool.execute(t);
serverSocket.close();
} catch (IOException ex) {...}
例
An unnamed web site allowed a user to purchase tickets for an event. A menu option allowed the user to purchase up to 10 tickets, but the back end did not restrict the actual number of tickets that could be purchased.
例
Here the problem is that every time a connection is made, more memory is allocated. So if one just opened up more and more connections, eventually the machine would run out of memory.
bad C
return foo;
endConnection(bar foo) {
int main() {
endConnection(foo)
分析过的案例
| 标识 | 说明 | 链接 |
|---|---|---|
| CVE-2009-4017 | Language interpreter does not restrict the number of temporary files being created when handling a MIME request with a large number of parts.. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017 |
| CVE-2009-2726 | Driver does not use a maximum width when invoking sscanf style functions, causing stack consumption. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2726 |
| CVE-2009-2540 | Large integer value for a length property in an object causes a large amount of memory allocation. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2540 |
| CVE-2009-2054 | Product allows exhaustion of file descriptors when processing a large number of TCP packets. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2054 |
| CVE-2008-5180 | Communication product allows memory consumption with a large number of SIP requests, which cause many sessions to be created. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5180 |
| CVE-2008-1700 | Product allows attackers to cause a denial of service via a large number of directives, each of which opens a separate window. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1700 |
| CVE-2005-4650 | CMS does not restrict the number of searches that can occur simultaneously, leading to resource exhaustion. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4650 |
Notes
Maintenance "Resource exhaustion" (CWE-400) is currently treated as a weakness, although it is more like a category of weaknesses that all have the same type of consequence. While this entry treats CWE-400 as a parent in view 1000, the relationship is probably more appropriately described as a chain. Theoretical Vulnerability theory is largely about how behaviors and resources interact. "Resource exhaustion" can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| The CERT Oracle Secure Coding Standard for Java (2011) | FIO04-J | Close resources when they are no longer needed | |
| The CERT Oracle Secure Coding Standard for Java (2011) | SER12-J | Avoid memory and resource leaks during serialization | |
| The CERT Oracle Secure Coding Standard for Java (2011) | MSC05-J | Do not exhaust heap space |
相关攻击模式
- CAPEC-125
- CAPEC-130
- CAPEC-147
- CAPEC-197
- CAPEC-229
- CAPEC-230
- CAPEC-231
- CAPEC-469
- CAPEC-482
- CAPEC-486
- CAPEC-487
- CAPEC-488
- CAPEC-489
- CAPEC-490
- CAPEC-491
- CAPEC-493
- CAPEC-494
- CAPEC-495
- CAPEC-496
- CAPEC-528
- CAPEC-82
- CAPEC-99