Skip to content

Latest commit

 

History

History
58 lines (46 loc) · 5.65 KB

threat-modeling.md

File metadata and controls

58 lines (46 loc) · 5.65 KB

Threat Model Analysis for reactivex/rxswift

Threat: Uncontrolled Observable Lifetime (Memory Leak)

  • Threat: Uncontrolled Observable Lifetime (Memory Leak)

    • Description: An attacker could trigger actions (e.g., repeated user interactions, network requests) that cause the application to create numerous Observables and subscriptions without proper disposal. The attacker doesn't need direct access to the code; they just need to interact with the application in a way that exploits the vulnerability.
    • Impact: Gradual memory consumption increase, leading to application slowdown, eventual unresponsiveness (denial of service), and potential crashes. Long-term, this could lead to device instability.
    • Affected RxSwift Component: Observable creation (any method that creates an Observable), subscribe method, and lack of proper use of DisposeBag or other disposal mechanisms (takeUntil, take(n)).
    • Risk Severity: High
    • Mitigation Strategies:
      • Mandatory DisposeBag: Enforce the use of DisposeBag for every subscription. Use linting rules to detect missing DisposeBag usage.
      • takeUntil: Prefer takeUntil to tie Observable lifetimes to the lifecycle of UI components (e.g., ViewControllers) or other relevant events.
      • take(n): When appropriate, limit the number of emitted values using take(n).
      • Memory Profiling: Regularly profile the application's memory usage to detect leaks early.
      • Code Reviews: Mandatory code reviews focusing on proper Observable disposal.

Threat: Main Thread Blocking (UI Freeze)

  • Threat: Main Thread Blocking (UI Freeze)

    • Description: An attacker could trigger an action (e.g., submitting a large form, initiating a complex network request) that results in a long-running operation being executed within an Observable pipeline on the main thread. The attacker exploits a developer oversight in not offloading work to a background thread.
    • Impact: The application's UI becomes unresponsive (frozen) for the duration of the long-running operation. This degrades the user experience and can be considered a form of denial of service.
    • Affected RxSwift Component: subscribe method, any operator that performs work (e.g., map, flatMap), and incorrect or missing use of observeOn and subscribeOn.
    • Risk Severity: High
    • Mitigation Strategies:
      • observeOn (Background Scheduler): Use observeOn with a background scheduler (e.g., ConcurrentDispatchQueueScheduler) to offload computationally expensive operations from the main thread.
      • subscribeOn (Background Scheduler): Use subscribeOn to specify where the subscription work itself should happen, especially if the subscription process is heavy.
      • Code Reviews: Carefully review Observable pipelines to identify any potentially blocking operations.
      • Performance Profiling: Use profiling tools to identify long-running operations on the main thread.

Threat: Race Condition (Data Corruption)

  • Threat: Race Condition (Data Corruption)

    • Description: An attacker might trigger concurrent actions that interact with shared mutable state through multiple Observables or subscribers. Without proper synchronization, this can lead to race conditions.
    • Impact: Data corruption, inconsistent application state, unpredictable behavior, and potentially crashes.
    • Affected RxSwift Component: Multiple Observable instances interacting with shared mutable state, subscribe method, and lack of synchronization mechanisms.
    • Risk Severity: High
    • Mitigation Strategies:
      • Immutability: Prioritize immutable data structures to eliminate shared mutable state.
      • observeOn (Serial Scheduler): Use observeOn with a serial scheduler (e.g., SerialDispatchQueueScheduler) to ensure that all operations on shared state are performed sequentially.
      • Avoid Shared Mutable State: Redesign the architecture to minimize or eliminate shared mutable state within Observable pipelines.
      • Atomic Operations: If shared mutable state is unavoidable, use appropriate synchronization primitives (but be extremely cautious about deadlocks).

Threat: Retain Cycle with self (Memory Leak)

  • Threat: Retain Cycle with self (Memory Leak)
    • Description: An attacker triggers actions that cause the application to create Observables within a class, where the closures capture self strongly, leading to a retain cycle. The attacker doesn't need direct code access.
    • Impact: The class instance is never deallocated, leading to a memory leak. This can eventually cause performance degradation and crashes.
    • Affected RxSwift Component: Observable creation within a class, subscribe method, and closures used within the Observable pipeline.
    • Risk Severity: High
    • Mitigation Strategies:
      • [weak self]: Use [weak self] in closures to break the retain cycle.
      • [unowned self]: Use [unowned self] only when you are absolutely certain that the closure will always execute while self is still alive (use with caution).
      • Code Reviews: Carefully review closures within Observable pipelines for proper self capture.
      • Linting Rules: Use linting rules to detect potential retain cycles.