[EXT] CWE Proposal : Blocking event-loops

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[EXT] CWE Proposal : Blocking event-loops

J Harvey
Hello CWE Team,

I would like to propose a new CWE which is related to non-blocking
threading models. I have looked through the existing CWE and think there
is space for the proposal (hopefully I have not missed an existing CWE
that covers it). I noticed there are some CWE that highlight threading
and synchronisation issues but nothing that explicitly helps with single
threaded models. I look forward to your feedback….

Name : Use of blocking code within single threaded non-blocking models
(or maybe “Blocking event-loops”)

Description : Non-blocking models that rely on a single threaded process
to achieve scalability are prone to blocking code being called which
could have varying degrees of impact on system availability.  Such
models are used in Python asyncio, Vert.x and Node.js (or indeed any
custom event loop code)

Detail : Due to limitations in multi-thread models, single-threaded
models are used to overcome the resource constraints caused by having
many threads. In such a model, all code should generally be
non-blocking. If blocking code is called then the event loop will
effectively be stopped, which is of course undesirable/dangerous.
Examples of blocking code might be an expensive computation or calling
blocking library calls. Generally speaking, blocking calls should be
replaced with non-blocking alternatives that can be used asynchronously.
Expensive computations should be passed off to worker threads although
the correct approach depends on the framework being used. Another
approach for expensive computations might be to break them up into
multiple smaller computations. Refer to the documentation of the
framework being used for guidance.

Such a weakness might not be apparent during testing and only arise
under certain conditions.

Mode of Introduction : Implementation

Applicable Platforms : Any non-blocking/single threaded architectures

Likelihood of Exploit : TBD

Relationships : TBD