The Thread-Per-Message design is the simplest concurrency technique wherein a thread is created for each incoming request. The benefits of creating a new thread to handle each request should outweigh the corresponding thread creation overheads. This design is generally recommended over sequential executions for time consuming, I/O bound, session based or isolated tasks.
On the other hand, there can be several disadvantages of this design such as thread creation overhead in case of frequent or recurring requests, significant processing overhead, resource exhaustion of threads (leading to OutOfMemoryError
), thread scheduling and context switching overhead [[Lea 00]].
An attacker can cause a denial of service by overwhelming the system with too many requests, all at once. Instead of degrading gracefully, the system goes down abruptly, resulting in an availability issue. Thread pools allow the system to service as many requests as it can comfortably sustain, instead of stopping all services when faced with a deluge of requests. From the safety point of view, it is possible for one component to exhaust all resources because of some intermittent error, starving all others from using them.
Thread Pools overcome these issues as the maximum number of worker threads that can be initiated and executed simultaneously can be suitably controlled. Every worker accepts a Runnable
object from a request and stores it in a temporary Channel
like a buffer or a queue until resources become available. Because threads are reused and can be efficiently added to the Channel
, most of the thread creation overhead is also eliminated.
Noncompliant Code Example
This noncompliant code example demonstrates the Thread-Per-Message design that fails to provide graceful degradation of service. The class RequestHandler
provides a public static factory method so that callers can obtain an instance. Subsequently, the handleRequest()
method can be used to handle each request in its own thread.
class Helper { public void handle(Socket socket) { //... } } final class RequestHandler { private final Helper h = new Helper(); private final ServerSocket server; private RequestHandler(int port) throws IOException { server = new ServerSocket(port); } public static RequestHandler getInstance(int port) throws IOException { return new RequestHandler(port); } public void handleRequest() { new Thread(new Runnable() { public void run() { try { h.handle(server.accept()); } catch (IOException e) { // Forward to handler } } }).start(); } }
Compliant Solution
This compliant solution uses a Fixed Thread Pool that places an upper bound on the number of concurrently executing threads. Tasks submitted to the pool are stored in an internal queue. This prevents the system from being overwhelmed when trying to respond to all incoming requests and allows it to degrade gracefully by serving a fixed number of clients at a particular time. [[Tutorials 08]]
// class Helper remains unchanged final class RequestHandler { private final Helper h = new Helper(); private final ServerSocket server; private final ExecutorService exec; private RequestHandler(int port, int poolSize) throws IOException { server = new ServerSocket(port); exec = Executors.newFixedThreadPool(poolSize); } public static RequestHandler getInstance(int port, int poolSize) throws IOException { return new RequestHandler(port, poolSize); } public void handleRequest() { exec.submit(new Runnable() { public void run() { try { h.handle(server.accept()); } catch (IOException e) { // Forward to handler } } }); } }
According to the Java API [[API 06]] documentation for the Executor
interface:
[The Interface
Executor
is] An object that executes submittedRunnable
tasks. This interface provides a way of decoupling task submission from the mechanics of how each task will be run, including details of thread use, scheduling, etc. AnExecutor
is normally used instead of explicitly creating threads.
The interface ExecutorService
used in this compliant solution derives from the Executor
interface and allows callers to also obtain a "future" (result of an asynchronous computation). The caller can use the future to perform additional tasks such as task cancellation.
The choice of the unbounded newFixedThreadPool
may not always be the best. Refer to the API documentation for choosing between newFixedThreadPool
, newCachedThreadPool
, newSingleThreadExecutor
and newScheduledThreadPool
to meet the design requirements.
Risk Assessment
Using simplistic concurrency primitives to process an unbounded number of requests may result in severe performance degradation, deadlocks and starvation, or exhaustion of system resources (denial-of-service).
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
CON21- J |
low |
probable |
high |
P2 |
L3 |
Automated Detection
TODO
Related Vulnerabilities
References
[[API 06]] Interface Executor
[[Lea 00]] Section 4.1.3 Thread-Per-Message and 4.1.4 Worker Threads
[[Tutorials 08]] Thread Pools
[[Goetz 06]] Chapter 8, Applying Thread Pools
[[MITRE 09]] CWE ID 405 "Asymmetric Resource Consumption (Amplification)", CWE ID 410 "Insufficient Resource Pool"
CON20-J. Do not perform operations that may block while holding a lock 11. Concurrency (CON) CON22-J. Do not use incorrect forms of the double-checked locking idiom