When an attacker can directly invoke the blocking code, or the blocking code can be affected by environmental conditions that can be influenced by an attacker, then this can lead to a denial of service by causing unexpected hang or freeze of the code. Examples of blocking code might be an expensive computation or calling blocking library calls, such as those that perform exclusive file operations or require a successful network operation.
Due to limitations in multi-thread models, single-threaded models are used to overcome the resource constraints that are caused by using many threads. In such a model, all code should generally be non-blocking. If blocking code is called, then the event loop will effectively be stopped, which can be undesirable or dangerous. Such models are used in Python asyncio, Vert.x, and Node.js, or other custom event loop code.
Scope | Impact | Likelihood |
---|---|---|
Availability | DoS: Resource Consumption (CPU) Note: An unexpected call to blocking code can trigger an infinite loop, or a large loop that causes the software to pause and wait indefinitely. |
CAPEC-ID | Attack Pattern Name |
---|---|
CAPEC-25 | Forced Deadlock The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock conditions can be difficult to detect. |
Name | Organization | Date | Date Release | Version |
---|---|---|---|---|
Joe Harvey | 4.3 |
Name | Organization | Date | Comment |
---|---|---|---|
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Mapping_Notes |