The Thread-Per-Message design pattern is the simplest concurrency strategy wherein a thread is created for each incoming request. This design pattern is only productive when the benefits of creating a new thread outweigh the corresponding thread creation overheads. This design strategy is generally recommended over sequential executions of time consuming, I/O bound, session based or isolated tasks.
At the same time, this design pattern has several pitfalls, including overheads of thread-creation and scheduling, task processing, resource allocation and deallocation, and frequent context switching [[Lea 00]]. Furthermore, an attacker can cause a denial of service by overwhelming the system with too many requests, all at once. Instead of degrading gracefully, the system becomes unresponsive, resulting in an availability issue. From the safety point of view, one component can potentially exhaust all resources because of some intermittent error, starving all other components.
Thread pools allow the system to service as many requests as it can comfortably sustain, instead of terminating all services when faced with a deluge of requests. They overcome these issues because the maximum number of worker threads that can be initiated and executed concurrently can be suitably controlled. Every worker accepts a Runnable
or Callable<T>
task and stores it in a temporary Channel
such as a buffer or a queue until resources become available. Because threads in a thread pool can be reused, and efficiently added and removed from the Channel
, there is minimal thread life-cycle management related overhead.
Noncompliant Code Example
This noncompliant code example demonstrates the Thread-Per-Message design pattern which fails to provide graceful degradation of service. The class RequestHandler
provides a public static factory method so that callers can obtain its instance. Subsequently, the handleRequest()
method is used to handle each request in its own thread.
class Helper { public void handle(Socket socket) { //... } } final class RequestHandler { private final Helper helper = new Helper(); private final ServerSocket server; private RequestHandler(int port) throws IOException { server = new ServerSocket(port); } public static RequestHandler newInstance() throws IOException { return new RequestHandler(0); // Selects next available port } public void handleRequest() { new Thread(new Runnable() { public void run() { try { helper.handle(server.accept()); } catch (IOException e) { // Forward to handler } } }).start(); } // Other methods such as for shutting down the thread pool and task cancellation ... }
Compliant Solution
This compliant solution uses a Fixed Thread Pool that places an upper bound on the number of concurrently executing threads. Tasks submitted to the pool are stored in an internal queue. This prevents the system from being overwhelmed when trying to respond to all incoming requests and allows it to degrade gracefully by serving a fixed number of clients at a particular time. [[Tutorials 08]]
// class Helper remains unchanged final class RequestHandler { private final Helper helper = new Helper(); private final ServerSocket server; private final ExecutorService exec; private RequestHandler(int port, int poolSize) throws IOException { server = new ServerSocket(port); exec = Executors.newFixedThreadPool(poolSize); } public static RequestHandler newInstance(int poolSize) throws IOException { return new RequestHandler(0, poolSize); } public void handleRequest() { Future<?> future = exec.submit(new Runnable() { @Override public void run() { try { helper.handle(server.accept()); } catch (IOException e) { // Forward to handler } } }); } }
According to the Java API documentation for the Executor
interface [[API 06]]:
[The Interface
Executor
is] An object that executes submittedRunnable
tasks. This interface provides a way of decoupling task submission from the mechanics of how each task will be run, including details of thread use, scheduling, etc. AnExecutor
is normally used instead of explicitly creating threads.
The interface ExecutorService
used in this compliant solution derives from the Executor
interface and allows callers to also obtain a "future" (result of an asynchronous computation). The caller can use the future to perform additional tasks such as task cancellation.
The choice of the unbounded newFixedThreadPool
may not always be the best. Refer to the API documentation for choosing between newFixedThreadPool
, newCachedThreadPool
, newSingleThreadExecutor
and newScheduledThreadPool
to meet specific design requirements.
Risk Assessment
Using simplistic concurrency primitives to process an unbounded number of requests may result in severe performance degradation, deadlocks and starvation, or exhaustion of system resources (denial-of-service).
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
CON21- J |
low |
probable |
high |
P2 |
L3 |
Automated Detection
TODO
Related Vulnerabilities
References
[[API 06]] Interface Executor
[[Lea 00]] Section 4.1.3 Thread-Per-Message and 4.1.4 Worker Threads
[[Tutorials 08]] Thread Pools
[[Goetz 06]] Chapter 8, Applying Thread Pools
[[MITRE 09]] CWE ID 405 "Asymmetric Resource Consumption (Amplification)", CWE ID 410 "Insufficient Resource Pool"
CON20-J. Do not perform operations that may block while holding a lock 11. Concurrency (CON) CON22-J. Do not use incorrect forms of the double-checked locking idiom