threat-modeling.md

Threat Model Analysis for crossbeam-rs/crossbeam

Threat: Channel Exhaustion Denial of Service (via Unbounded Channels)

• Description: An attacker exploits the property of crossbeam::channel::unbounded channels being unbounded in memory. By flooding the application with messages sent to such a channel, the attacker can cause excessive memory consumption, potentially leading to application slowdown, crashes, or system-wide resource exhaustion. The attacker achieves this by sending a high volume of requests that trigger message sending to the unbounded channel, or by compromising a message producer to send excessive messages.
• Impact: Application becomes unresponsive or crashes due to excessive memory consumption or resource starvation, resulting in unavailability of the service for legitimate users.
• Affected Crossbeam Component: crossbeam::channel::unbounded (inherent property of unbounded channels).
• Risk Severity: High (when unbounded channels are used to handle external or untrusted input, or in performance-critical paths without proper backpressure).
• Mitigation Strategies:
  • Avoid using crossbeam::channel::unbounded channels when handling external or untrusted input.
  • Prefer crossbeam::channel::bounded channels with enforced limits based on expected load and resource capacity.
  • Implement backpressure mechanisms to control message producers, even when using bounded channels, to prevent them from filling up too quickly.
  • Monitor channel usage and resource consumption to detect and respond to potential exhaustion attacks.

Threat: Queue Overflow Denial of Service (via Unbounded or Large Queues)

• Description: Similar to channel exhaustion, an attacker exploits the property of crossbeam::queue::SegQueue being unbounded or crossbeam::queue::ArrayQueue being used with a very large capacity. By flooding the application with data enqueued into these queues, the attacker can cause excessive memory consumption, leading to application instability, crashes, or system-wide resource exhaustion. This is achieved by overwhelming the application with requests that enqueue data, or by compromising a data producer to enqueue excessively.
• Impact: Application becomes unresponsive or crashes due to excessive memory consumption or resource starvation, resulting in unavailability of the service.
• Affected Crossbeam Component: crossbeam::queue::SegQueue (inherently unbounded), crossbeam::queue::ArrayQueue (when used with excessively large capacity).
• Risk Severity: High (when unbounded or very large queues are used to handle external or untrusted input, or in performance-critical paths without proper backpressure).
• Mitigation Strategies:
  • Avoid using crossbeam::queue::SegQueue or excessively large crossbeam::queue::ArrayQueue when handling external or untrusted input.
  • Prefer crossbeam::queue::ArrayQueue with appropriately sized, enforced limits.
  • Implement backpressure mechanisms to control data producers, even when using bounded queues, to prevent them from filling up too quickly.
  • Monitor queue usage and resource consumption to detect and respond to potential overflow attacks.