Skip to content

Latest commit

 

History

History
92 lines (61 loc) · 9.04 KB

mitigations.md

File metadata and controls

92 lines (61 loc) · 9.04 KB

Mitigation Strategies Analysis for facebook/zstd

Mitigation Strategy: Limit Compressed Data Size

  • Description:

    1. Analyze your application's use cases to determine a reasonable maximum size for compressed data inputs that will be processed by zstd.
    2. Implement a size check before passing the compressed data to the zstd decompression functions.
    3. Compare the size of the incoming compressed data against the defined maximum limit.
    4. If the compressed data size exceeds the limit, reject it and prevent zstd decompression from being initiated. Return an appropriate error or log the event.

  • Threats Mitigated:

    • Denial of Service (DoS) via Resource Exhaustion (High Severity): Prevents attacks where excessively large compressed inputs are sent to overwhelm the system during zstd decompression, consuming excessive memory or CPU.

  • Impact: High Reduction: Effectively limits the processing of overly large compressed data by zstd, directly mitigating resource exhaustion DoS attacks related to compressed data size.

  • Currently Implemented: Example: Implemented in the API file upload handler, where a maximum compressed file size is enforced before zstd decompression is attempted on the uploaded file.

  • Missing Implementation: Example: Not implemented in the message processing queue consumer, where compressed messages are received and decompressed by zstd without a size limit check on the compressed message itself.

Mitigation Strategy: Implement Decompression Timeouts

  • Description:

    1. Determine an acceptable maximum duration for zstd decompression operations in your application. This should be based on typical decompression times for legitimate data.
    2. Utilize timeout mechanisms available in your programming language or zstd library bindings to limit the execution time of zstd decompression functions.
    3. Initiate the zstd decompression process with the configured timeout.
    4. If the decompression operation exceeds the timeout, forcefully terminate the zstd decompression process.
    5. Implement error handling to catch timeout exceptions and gracefully manage decompression failures. Log the timeout event for monitoring and potential incident response.

  • Threats Mitigated:

    • Denial of Service (DoS) via Decompression Bombs (High Severity): Mitigates attacks using specially crafted compressed data (decompression bombs) that cause zstd to take an excessively long time to decompress, tying up CPU resources and leading to DoS.

  • Impact: High Reduction: Limits the maximum time spent in zstd decompression, effectively preventing DoS attacks that rely on prolonged decompression times caused by malicious compressed data.

  • Currently Implemented: Example: Implemented in the data processing service that uses zstd to decompress data from external sources. A timeout is set around the zstd decompression function call.

  • Missing Implementation: Example: Background tasks that periodically process compressed data using zstd are missing decompression timeouts. These tasks could be vulnerable to decompression bombs if they encounter malicious compressed data.

Mitigation Strategy: Regularly Update zstd Library

  • Description:

    1. Establish a process for regularly checking for updates and security advisories related to the zstd library from official sources (e.g., GitHub repository, security mailing lists).
    2. Use dependency management tools to track and manage the version of the zstd library used in your project.
    3. When updates are available, especially security updates, prioritize upgrading to the latest stable version of the zstd library.
    4. Thoroughly test your application after updating the zstd library to ensure compatibility and prevent regressions.

  • Threats Mitigated:

    • Exploitation of Known zstd Vulnerabilities (High to Critical Severity): Prevents exploitation of publicly disclosed security vulnerabilities within the zstd library itself. Outdated versions of zstd may contain known vulnerabilities that attackers can exploit.

  • Impact: High Reduction: Directly addresses known vulnerabilities in zstd by applying patches and updates, significantly reducing the risk of exploitation of these vulnerabilities.

  • Currently Implemented: Example: Automated dependency scanning is set up in the CI/CD pipeline to detect outdated libraries, including zstd. Notifications are sent to developers to update.

  • Missing Implementation: Example: The process of automatically deploying updated zstd libraries to production environments is not fully automated. Manual steps are still involved, potentially delaying the patching of vulnerabilities in live systems.

Mitigation Strategy: Monitor Decompression Ratio

  • Description:

    1. Implement monitoring of the decompression ratio during the zstd decompression process. Calculate the ratio as: (size of decompressed data) / (size of compressed data).
    2. Define a threshold for the maximum acceptable decompression ratio based on the expected compression characteristics of legitimate data processed by your application using zstd.
    3. During zstd decompression, track the size of the decompressed data being produced.
    4. Continuously or periodically calculate the decompression ratio.
    5. If the decompression ratio exceeds the predefined threshold, immediately terminate the zstd decompression operation.
    6. Log an alert indicating a potential decompression bomb attack.

  • Threats Mitigated:

    • Denial of Service (DoS) via Decompression Bombs (High Severity): Detects and mitigates decompression bombs that are designed to have an extremely high decompression ratio, aiming to exhaust disk space or memory during zstd decompression.

  • Impact: Medium Reduction: Effective at detecting decompression bombs with very high decompression ratios. May not be as effective against more sophisticated bombs with lower ratios or those exploiting other resource exhaustion methods.

  • Currently Implemented: Example: Decompression ratio monitoring is implemented in the service that processes user-uploaded compressed files using zstd. A ratio threshold is configured.

  • Missing Implementation: Example: Real-time data stream processing using zstd does not currently monitor decompression ratio. Implementing this in streaming scenarios requires careful consideration to avoid performance overhead.

Mitigation Strategy: Secure Coding Practices when Using zstd API

  • Description:

    1. Thoroughly review the zstd API documentation and understand the security implications of different API functions.
    2. Prioritize using safer zstd API functions that offer bounds checking and prevent buffer overflows, especially when handling untrusted or potentially malicious compressed data.
    3. Always check the return codes from zstd API functions for errors. Implement robust error handling to gracefully manage decompression failures and prevent application crashes or unexpected behavior. Never ignore error codes returned by zstd functions.
    4. Be mindful of memory management when using zstd API. Ensure proper allocation and deallocation of memory buffers used for compression and decompression to prevent memory leaks or other memory-related vulnerabilities.
    5. When possible, use higher-level zstd API abstractions that simplify usage and reduce the risk of manual memory management errors compared to lower-level, more complex API functions.

  • Threats Mitigated:

    • Buffer Overflows in zstd Library Usage (High to Critical Severity): Improper usage of zstd API functions, especially when dealing with untrusted input, can lead to buffer overflows if input sizes are not correctly validated or if API functions are used incorrectly.
    • Application Crashes and Unexpected Behavior (Medium to High Severity): Ignoring error codes from zstd API functions can lead to unexpected application behavior or crashes when zstd operations fail, potentially due to malformed or malicious input.

  • Impact: High Reduction: Reduces the risk of vulnerabilities introduced by incorrect or insecure usage of the zstd library API by developers. Promotes safer and more robust integration of zstd into the application.

  • Currently Implemented: Example: Coding guidelines include recommendations to use specific safer zstd API functions and to always check return codes. Code reviews are conducted to verify adherence to these guidelines.

  • Missing Implementation: Example: Automated static analysis tools are not yet configured to specifically check for common insecure zstd API usage patterns or potential buffer overflow vulnerabilities in code that uses zstd.