Skip to content

Latest commit

 

History

History
55 lines (46 loc) · 5.15 KB

threat-modeling.md

File metadata and controls

55 lines (46 loc) · 5.15 KB

Threat Model Analysis for lmax-exchange/disruptor

Threat: Event Data Corruption via Race Conditions in Handlers

  • Description: An attacker could exploit race conditions in poorly designed event handlers. By sending a carefully timed sequence of events, the attacker could trigger concurrent access to shared mutable state outside the Disruptor's event object within handlers, leading to data corruption. This could involve manipulating application logic, financial transactions, or critical data.
  • Impact: Data integrity compromise, application malfunction, incorrect processing results, potential financial loss or reputational damage depending on the application's purpose.
  • Disruptor Component Affected: Event Handlers (Application Code using Disruptor)
  • Risk Severity: High
  • Mitigation Strategies:
    • Design event handlers to be stateless or use thread-safe mechanisms for shared resources.
    • Implement thorough unit and integration tests focusing on concurrency and race conditions in handlers.
    • Utilize immutable data structures or message passing within handlers to minimize shared mutable state.
    • Conduct code reviews to identify potential concurrency issues in handler implementations.

Threat: Consumer Starvation leading to System Slowdown/Hang

  • Description: An attacker could flood the producer with events faster than consumers can process them, especially if consumers are intentionally slowed down (e.g., via resource exhaustion attacks on consumer instances). This backpressure can fill the ring buffer, blocking producers and potentially causing a system-wide slowdown or hang, effectively a denial of service.
  • Impact: Denial of service, performance degradation, application unresponsiveness, potential system outage if producers are critical path components.
  • Disruptor Component Affected: Ring Buffer, Consumers, Producers, Wait Strategy (Disruptor Core Components and Application Interaction)
  • Risk Severity: High
  • Mitigation Strategies:
    • Properly size the ring buffer based on expected load and consumer capacity.
    • Implement monitoring of consumer lag and ring buffer utilization.
    • Implement backpressure handling mechanisms at the producer level (e.g., rate limiting).
    • Scale consumers horizontally to increase processing capacity.
    • Use appropriate WaitStrategy (e.g., BlockingWaitStrategy) to exert backpressure on producers.
    • Implement health checks and auto-scaling for consumer instances.

Threat: Resource Exhaustion (Memory) via Unbounded Event Accumulation

  • Description: An attacker could exploit a scenario where consumers are unable to keep up with producers for an extended period, or by causing consumer failures. This leads to event accumulation in the ring buffer, potentially exhausting memory resources and causing application crashes.
  • Impact: Denial of service (application crash), system instability, potential data loss if the application cannot recover gracefully from memory exhaustion.
  • Disruptor Component Affected: Ring Buffer, Consumers, Producers (Disruptor Core Components and Application Interaction)
  • Risk Severity: High
  • Mitigation Strategies:
    • Implement monitoring of ring buffer usage and event backlog.
    • Set reasonable limits on ring buffer size based on available memory.
    • Implement alerting for high ring buffer utilization.
    • Implement mechanisms to detect and recover from consumer failures.
    • Investigate and resolve root causes of slow consumer processing or event accumulation promptly.
    • Consider using a bounded ring buffer with overflow handling strategies if appropriate for the application.

Threat: Denial of Service (DoS) through Producer Event Flooding

  • Description: A malicious or compromised producer could intentionally flood the Disruptor with a massive volume of events. This can overwhelm consumers, exhaust resources (CPU, network, memory), and lead to a denial of service. This is especially relevant if producers are exposed to external, untrusted sources.
  • Impact: Denial of service, application unresponsiveness, system outage, resource exhaustion, potential impact on other services sharing infrastructure.
  • Disruptor Component Affected: Producers, Ring Buffer, Consumers (Disruptor Interaction and overall system)
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Implement input validation and rate limiting at the producer level.
    • Authenticate and authorize producers to restrict event injection to legitimate sources.
    • Monitor event production rates and identify anomalous spikes.
    • Implement network-level security controls (firewalls, intrusion detection) to protect producer endpoints.
    • Consider using a WaitStrategy that applies backpressure to producers to limit event injection rate.