CWE - CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') (2.4)

Home > CWE List > CWE- Individual Dictionary Definition (2.4)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents
FAQs

Community
SwA On-Ramp
T-Shirt
Discussion List
Discussion Archives
Contact Us

Scoring
CWSS
CWRAF
CWE/SANS Top 25

Compatibility
Requirements
Coverage Claims Representation
Compatible Products
Make a Declaration

News
Calendar
Free Newsletter

Search the Site

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Uncontrolled Resource Consumption ('Resource Exhaustion')

Weakness ID: 400 (Weakness Base)

Status: Incomplete

Description

Description Summary

The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

Extended Description

Limited resources include memory, file system storage, database connection pool entries, or CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service that consumes all available resources. This would prevent valid users from accessing the software, and it could potentially have an impact on the surrounding environment. For example, a memory exhaustion attack against an application could slow down the application as well as its host operating system.

Resource exhaustion problems have at least two common causes:

Error conditions and other exceptional circumstances
Confusion over which part of the program is responsible for releasing the resource

Time of Introduction

Operation
Architecture and Design
Implementation

Applicable Platforms

Languages

All

Common Consequences

Scope	Effect
Availability	Technical Impact: DoS: crash / exit / restart; DoS: resource consumption (CPU); DoS: resource consumption (memory); DoS: resource consumption (other) The most common result of resource exhaustion is denial of service. The software may slow down, crash due to unhandled errors, or lock out legitimate users.
Access Control Other	Technical Impact: Bypass protection mechanism; Other In some cases it may be possible to force the software to "fail open" in the event of resource exhaustion. The state of the software -- and possibly the security functionality - may then be compromised.

Likelihood of Exploit

Medium to High

Detection Methods

Automated Static Analysis

Automated static analysis typically has limited utility in recognizing resource exhaustion problems, except for program-independent system resources such as files, sockets, and processes. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value.

Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.

Effectiveness: Limited

Automated Dynamic Analysis

Certain automated dynamic analysis techniques may be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the software within a short time frame.

Effectiveness: Moderate

Fuzzing

While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find resource exhaustion problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted software in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to handle resource exhaustion may be the cause.

Effectiveness: Opportunistic

Demonstrative Examples

Example 1

(Bad Code)

Example Language: Java

class Worker implements Executor {

...

public void execute(Runnable r) {

try {

...

}

catch (InterruptedException ie) {

// postpone response

Thread.currentThread().interrupt();

}

public Worker(Channel ch, int nworkers) {

...

}

protected void activate() {

Runnable loop = new Runnable() {

public void run() {

try {

for (;;) {

Runnable r = ...;

r.run();

}

catch (InterruptedException ie) {

...

}

};

new Thread(loop).start();

}

There are no limits to runnables. Potentially an attacker could cause resource problems very quickly.

Example 2

This code allocates a socket and forks each time it receives a new connection.

(Bad Code)

Example Languages: C and C++

sock=socket(AF_INET, SOCK_STREAM, 0);

while (1) {

newsock=accept(sock, ...);

printf("A connection has been accepted\n");

pid = fork();

}

The program does not track how many connections have been made, and it does not limit the number of connections. Because forking is a relatively expensive operation, an attacker would be able to cause the system to run out of CPU, processes, or memory by making a large number of connections. Alternatively, an attacker could consume all available connections, preventing others from accessing the system remotely.

Example 3

In the following example a server socket connection is used to accept a request to store data on the local file system using a specified filename. The method openSocketConnection establishes a server socket to accept requests from a client. When a client establishes a connection to this service the getNextMessage method is first used to retrieve from the socket the name of the file to store the data, the openFileToWrite method will validate the filename and open a file to write to on the local file system. The getNextMessage is then used within a while loop to continuously read data from the socket and output the data to the file until there is no longer any data from the socket.

(Bad Code)

Example Languages: C and C++

int writeDataFromSocketToFile(char *host, int port)

{

char filename[FILENAME_SIZE];

char buffer[BUFFER_SIZE];

int socket = openSocketConnection(host, port);

if (socket < 0) {

printf("Unable to open socket connection");

return(FAIL);

}

if (getNextMessage(socket, filename, FILENAME_SIZE) > 0) {

if (openFileToWrite(filename) > 0) {

while (getNextMessage(socket, buffer, BUFFER_SIZE) > 0){

if (!(writeToFile(buffer) > 0))

break;

}

closeFile();

}

closeSocket(socket);

}

This example creates a situation where data can be dumped to a file on the local file system without any limits on the size of the file. This could potentially exhaust file or disk resources and/or limit other clients' ability to access the service.

Example 4

In the following example, the processMessage method receives a two dimensional character array containing the message to be processed. The two-dimensional character array contains the length of the message in the first character array and the message body in the second character array. The getMessageLength method retrieves the integer value of the length from the first character array. After validating that the message length is greater than zero, the body character array pointer points to the start of the second character array of the two-dimensional character array and memory is allocated for the new body character array.

(Bad Code)

Example Languages: C and C++

/* process message accepts a two-dimensional character array of the form [length][body] containing the message to be processed */

int processMessage(char **message)

{

char *body;

int length = getMessageLength(message[0]);

if (length > 0) {

body = &message[1][0];

processMessageBody(body);

return(SUCCESS);

}

else {

printf("Unable to process message; invalid message length");

return(FAIL);

}

This example creates a situation where the length of the body character array can be very large and will consume excessive memory, exhausting system resources. This can be avoided by restricting the length of the second character array with a maximum length check

Also, consider changing the type from 'int' to 'unsigned int', so that you are always guaranteed that the number is positive. This might not be possible if the protocol specifically requires allowing negative values, or if you cannot control the return value from getMessageLength(), but it could simplify the check to ensure the input is positive, and eliminate other errors such as signed-to-unsigned conversion errors (CWE-195) that may occur elsewhere in the code.

(Good Code)

Example Languages: C and C++

unsigned int length = getMessageLength(message[0]);

if ((length > 0) && (length < MAX_LENGTH)) {...}

Example 5

In the following example, a server object creates a server socket and accepts client connections to the socket. For every client connection to the socket a separate thread object is generated using the ClientSocketThread class that handles request made by the client through the socket.

(Bad Code)

Example Language: Java

public void acceptConnections() {

try {

ServerSocket serverSocket = new ServerSocket(SERVER_PORT);

int counter = 0;

boolean hasConnections = true;

while (hasConnections) {

Socket client = serverSocket.accept();

Thread t = new Thread(new ClientSocketThread(client));

t.setName(client.getInetAddress().getHostName() + ":" + counter++);

t.start();

}

serverSocket.close();

} catch (IOException ex) {...}

}

In this example there is no limit to the number of client connections and client threads that are created. Allowing an unlimited number of client connections and threads could potentially overwhelm the system and system resources.

The server should limit the number of client connections and the client threads that are created. This can be easily done by creating a thread pool object that limits the number of threads that are generated.

(Good Code)

Example Language: Java

public static final int SERVER_PORT = 4444;

public static final int MAX_CONNECTIONS = 10;

...

public void acceptConnections() {

try {

ServerSocket serverSocket = new ServerSocket(SERVER_PORT);

int counter = 0;

boolean hasConnections = true;

while (hasConnections) {

hasConnections = checkForMoreConnections();

Socket client = serverSocket.accept();

Thread t = new Thread(new ClientSocketThread(client));

t.setName(client.getInetAddress().getHostName() + ":" + counter++);

ExecutorService pool = Executors.newFixedThreadPool(MAX_CONNECTIONS);

pool.execute(t);

}

serverSocket.close();

} catch (IOException ex) {...}

}

Observed Examples

Reference	Description
CVE-2009-2874	Product allows attackers to cause a crash via a large number of connections.
CVE-2009-1928	Malformed request triggers uncontrolled recursion, leading to stack exhaustion.
CVE-2009-2858	Chain: memory leak (CWE-404) leads to resource exhaustion.
CVE-2009-2726	Driver does not use a maximum width when invoking sscanf style functions, causing stack consumption.
CVE-2009-2540	Large integer value for a length property in an object causes a large amount of memory allocation.
CVE-2009-2299	Web application firewall consumes excessive memory when an HTTP request contains a large Content-Length value but no POST data.
CVE-2009-2054	Product allows exhaustion of file descriptors when processing a large number of TCP packets.
CVE-2008-5180	Communication product allows memory consumption with a large number of SIP requests, which cause many sessions to be created.
CVE-2008-2121	TCP implementation allows attackers to consume CPU and prevent new connections using a TCP SYN flood attack.
CVE-2008-2122	Port scan triggers CPU consumption with processes that attempt to read data from closed sockets.
CVE-2008-1700	Product allows attackers to cause a denial of service via a large number of directives, each of which opens a separate window.
CVE-2007-4103	Product allows resource exhaustion via a large number of calls that do not complete a 3-way handshake.
CVE-2006-1173	Mail server does not properly handle deeply nested multipart MIME messages, leading to stack exhaustion.
CVE-2007-0897	Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans.

Potential Mitigations

Phase: Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Phase: Architecture and Design

Mitigation of resource exhaustion attacks requires that the target system either:

recognizes the attack and denies that user further access for a given amount of time, or
uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.

The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, he may be able to prevent the user from accessing the server in question.

The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.

Phase: Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Phase: Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

Other Notes

Database queries that take a long time to process are good DoS targets. An attacker would have to write a few lines of Perl code to generate enough traffic to exceed the site's ability to keep up. This would effectively prevent authorized users from using the site at all. Resources can be exploited simply by ensuring that the target machine must do much more work and consume more resources in order to service a request than the attacker must do to initiate a request.

A prime example of this can be found in old switches that were vulnerable to "macof" attacks (so named for a tool developed by Dugsong). These attacks flooded a switch with random IP and MAC address combinations, therefore exhausting the switch's cache, which held the information of which port corresponded to which MAC addresses. Once this cache was exhausted, the switch would fail in an insecure way and would begin to act simply as a hub, broadcasting all traffic on all ports and allowing for basic sniffing attacks.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Category	399	Resource Management Errors	Development Concepts (primary)699
ChildOf	Weakness Class	664	Improper Control of a Resource Through its Lifetime	Research Concepts (primary)1000
ChildOf	Category	730	OWASP Top Ten 2004 Category A9 - Denial of Service	Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOf	Category	858	CERT Java Secure Coding Section 13 - Serialization (SER)	Weaknesses Addressed by the CERT Java Secure Coding Standard (primary)844
ChildOf	Category	861	CERT Java Secure Coding Section 49 - Miscellaneous (MSC)	Weaknesses Addressed by the CERT Java Secure Coding Standard844
ChildOf	Category	892	SFP Cluster: Resource Management	Software Fault Pattern (SFP) Clusters (primary)888
ParentOf	Category	769	File Descriptor Exhaustion	Development Concepts (primary)699
ParentOf	Weakness Base	770	Allocation of Resources Without Limits or Throttling	Development Concepts (primary)699 Research Concepts1000
ParentOf	Weakness Base	771	Missing Reference to Active Allocated Resource	Research Concepts (primary)1000
ParentOf	Weakness Base	772	Missing Release of Resource after Effective Lifetime	Research Concepts1000
ParentOf	Weakness Base	779	Logging of Excessive Data	Development Concepts (primary)699 Research Concepts (primary)1000
MemberOf	View	884	CWE Cross-section	CWE Cross-section (primary)884
CanFollow	Weakness Base	410	Insufficient Resource Pool	Development Concepts699 Research Concepts1000

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
CLASP			Resource exhaustion (file descriptor, disk space, sockets, ...)
OWASP Top Ten 2004	A9	CWE_More_Specific	Denial of Service
WASC	10		Denial of Service
WASC	41		XML Attribute Blowup
CERT Java Secure Coding	SER12-J		Avoid memory and resource leaks during serialization
CERT Java Secure Coding	MSC05-J		Do not exhaust heap space

Related Attack Patterns

CAPEC-ID	Attack Pattern Name	(CAPEC Version: 1.7.1)
147	XML Ping of the Death
197	XEE (XML Entity Expansion)
2	Inducing Account Lockout
228	Resource Depletion through DTD Injection in a SOAP Message
82	Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS))

References

Joao Antunes, Nuno Ferreira Neves and Paulo Verissimo. "Detection and Prediction of Resource-Exhaustion Vulnerabilities". Proceedings of the IEEE International Symposium on Software Reliability Engineering (ISSRE). November 2008. <http://homepages.di.fc.ul.pt/~nuno/PAPERS/ISSRE08.pdf>.

D.J. Bernstein. "Resource exhaustion". <http://cr.yp.to/docs/resources.html>.

Pascal Meunier. "Resource exhaustion". Secure Programming Educational Material. 2004. <http://homes.cerias.purdue.edu/~pmeunier/secprog/sanitized/class1/6.resource%20exhaustion.ppt>.

[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 17, "Protecting Against Denial of Service Attacks" Page 517. 2nd Edition. Microsoft. 2002.

Content History

Submissions
Submission Date	Submitter	Organization	Source
	CLASP		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time_of_Introduction
2008-08-15		Veracode	External
2008-08-15	Suggested OWASP Top Ten 2004 mapping
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
2008-10-14	CWE Content Team	MITRE	Internal
2008-10-14	updated Description, Name, Relationships
2009-01-12	CWE Content Team	MITRE	Internal
2009-01-12	updated Description
2009-05-27	CWE Content Team	MITRE	Internal
2009-05-27	updated Name, Relationships
2009-07-27	CWE Content Team	MITRE	Internal
2009-07-27	updated Description, Relationships
2009-10-29	CWE Content Team	MITRE	Internal
2009-10-29	updated Relationships
2009-12-28	CWE Content Team	MITRE	Internal
2009-12-28	updated Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Observed_Examples, Other_Notes, Potential_Mitigations, References
2010-02-16	CWE Content Team	MITRE	Internal
2010-02-16	updated Detection_Factors, Potential_Mitigations, References, Taxonomy_Mappings
2010-04-05	CWE Content Team	MITRE	Internal
2010-04-05	updated Related_Attack_Patterns
2010-06-21	CWE Content Team	MITRE	Internal
2010-06-21	updated Description
2010-09-27	CWE Content Team	MITRE	Internal
2010-09-27	updated Demonstrative_Examples
2011-06-01	CWE Content Team	MITRE	Internal
2011-06-01	updated Common_Consequences, Relationships, Taxonomy_Mappings
2012-05-11	CWE Content Team	MITRE	Internal
2012-05-11	updated Demonstrative_Examples, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2008-10-14	Resource Exhaustion

2009-05-27	Uncontrolled Resource Consumption (aka 'Resource Exhaustion')

Page Last Updated: February 20, 2013


	CWE is co-sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2013, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us