CAPEC-25: Forced Deadlock
Attack Pattern ID: 25
Version: v3.9
Attack Pattern Name: Forced Deadlock
Abstraction: Meta
Status: Stable
Likelihood of Attack: Low
Typical Severity: High
▼Description
The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock conditions can be difficult to detect.
▼Extended Description
▼Alternate Terms
▼Relationships
▼Execution Flow
Explore
1. The adversary initiates an exploratory phase to get familiar with the system.
2. The adversary triggers a first action (such as holding a resource) and initiates a second action which will wait for the first one to finish.
3. If the target program has a deadlock condition, the program waits indefinitely, resulting in a denial of service.
▼Prerequisites
The target host has a deadlock condition. There are four conditions for a deadlock to occur, known as the Coffman conditions. [REF-101]
The target host exposes an API to the user.
▼Skills Required
Medium: This type of attack may be sophisticated and require knowledge about the system's resources and APIs.
▼Resources Required
▼Indicators
▼Consequences
Scope: Availability
Likelihood: N/A
Impact: Resource Consumption
Note: A successful forced deadlock attack compromises the availability of the system by exhausting its available resources.
▼Mitigations
Use known algorithms to avoid deadlock conditions (for instance, non-blocking synchronization algorithms, or a fixed global lock-acquisition order that rules out circular waits).
For competing actions, use well-known libraries that implement synchronization.
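The following is an added illustration, written for this page rather than taken from CAPEC or ByteOS, of the two mitigations above in Python. The `Account` class, the account names and balances, and the `Barrier`-driven interleaving that forces the two threads to hold their first lock at the same moment are all constructed for the demonstration. `transfer_unordered` is the CWE-833 pattern: each caller takes its own source lock first, so two transfers in opposite directions wait on each other forever; here a bounded `acquire(timeout=...)` turns the hang into a failure a defender can log and alert on. `transfer_ordered` removes the circular-wait Coffman condition by always acquiring locks in one global order, so the same workload completes.

```python
import threading


class Account:
    """Constructed resource with its own lock; two of these are the competing resources."""

    def __init__(self, name, balance):
        self.name = name
        self.balance = balance
        self.lock = threading.Lock()


def transfer_unordered(src, dst, amount, rendezvous, timeout=0.5):
    """Vulnerable pattern (CWE-833): lock order depends on argument order.

    Thread 1 (A->B) holds A and waits for B; thread 2 (B->A) holds B and waits
    for A. Each holds what the other needs, so neither progresses.
    """
    with src.lock:
        rendezvous.wait()  # constructed: both threads now hold their source lock
        if not dst.lock.acquire(timeout=timeout):
            # A plain acquire() would block here forever. The timeout makes the
            # circular wait observable; a real service would log/alert on it.
            rendezvous.wait()  # constructed: hold src until the peer has also given up
            return False
        try:
            src.balance -= amount
            dst.balance += amount
            return True
        finally:
            dst.lock.release()


def transfer_ordered(src, dst, amount):
    """Mitigation: impose one global lock order (here, by account name).

    Every caller takes the 'smaller' lock first, so no cycle of waiters can form
    and the Coffman circular-wait condition is never satisfied.
    """
    first, second = sorted((src, dst), key=lambda acct: acct.name)
    with first.lock, second.lock:
        src.balance -= amount
        dst.balance += amount
        return True


def run_opposite_transfers(ordered, timeout=0.5):
    """Run two concurrent transfers in opposite directions and report the outcome.

    Returns (a_to_b_ok, b_to_a_ok, balance_a, balance_b).
    """
    a, b = Account("A", 100), Account("B", 100)
    rendezvous = threading.Barrier(2)
    results = {}

    def worker(key, src, dst, amount):
        if ordered:
            results[key] = transfer_ordered(src, dst, amount)
        else:
            results[key] = transfer_unordered(src, dst, amount, rendezvous, timeout)

    threads = [
        threading.Thread(target=worker, args=("a_to_b", a, b, 30)),
        threading.Thread(target=worker, args=("b_to_a", b, a, 10)),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results["a_to_b"], results["b_to_a"], a.balance, b.balance


if __name__ == "__main__":
    print("unordered locking:", run_opposite_transfers(ordered=False))
    print("ordered locking:  ", run_opposite_transfers(ordered=True))
```

With unordered locking both transfers time out and neither balance changes; with ordered locking both complete (A ends at 80, B at 120). The timeout is the detection control and the lock ordering is the prevention control; both belong in code that lets an external caller drive which locks are taken and in which sequence.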
▼Example Instances
▼Related Weaknesses
CWE-1322: Use of Blocking Code in Single-threaded, Non-blocking Context
CWE-412: Unrestricted Externally Accessible Lock
CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context
CWE-662: Improper Synchronization
CWE-667: Improper Locking
CWE-833: Deadlock
▼Taxonomy Mappings
Taxonomy Name: ATTACK
Entry ID: 1499.004
Entry Name: Endpoint Denial of Service: Application or System Exploitation
▼Notes
▼References
REF-1: G. Hoglund, G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.
REF-101: Wikipedia. The Wikimedia Foundation, Inc. http://en.wikipedia.org/wiki/Deadlock
REF-609: OWASP Web Security Testing Guide. The Open Web Application Security Project (OWASP). https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html