- Update SessionID allocator to use freed session IDs #7835
Comments
|
This may not be well known. Until we implement this, a node can be DOSed with this pattern: CC @cecille , @kpschoedel |
|
I think this may have been closed inadvertently. |
|
Taking this as it's related to #12821 and we can have a pretty straight forward solution by addressing both together. If the session manager can assign session IDs itself, all of these problems go away. Session manager has complete visibility of occupied and available session IDs, so can easily assign new ones. With this approach, there need be no session ID exhaustion problem as we currently have. And this can fix #12821 as well, because then session manager can make sure there aren't session ID collisions between fabrics. |
msandstedt
added a commit
to msandstedt/connectedhomeip
that referenced
this issue
Mar 31, 2022
Secure session ID allocation currently suffers the following problems: * fragmentation has worst case behavior where there may be as few as 2 outsanding sessions, but the allocator will become full * there is no formal coupling to the session manager object, but yet there can only be one allocator per session manager; the current solution is for the allocator to share static state * IDs are proposed *to* the session manager, which means the session manager can only prevent collisions by failing on session creation or by evicting sessions; it currently does the latter * session ID allocation is manual, so leaks are likely This commit solves these problems by moving ID allocation into the session manager and by leveraging the session table itself as the source of truth for available IDs. Whereas the old flow was: * allocate session ID * initiate PASE or CASE * (on success) allocate sesion table entry The new flow is: * allocate session table entry with non-colliding ID * initiate PASE or CASE * activate the session in the table Allocation uses a next-session-ID clue, which is 1 more than the most recent allocation, and also searches the session table to make sure a non-colliding value is returned. Allocation time complexity is O(kMaxSessionCount^2/64) in the current implementation. Lifecycle of the pending session table entries also leverages the SessionHolder object to alleviate our need to manually free resources. Fixes: project-chip#7835, project-chip#12821 Testing: * Added an allocation test to TestSessionManager * All other code paths are heavily integrated into existing tests * All existing unit tests pass
msandstedt
added a commit
to msandstedt/connectedhomeip
that referenced
this issue
Mar 31, 2022
Secure session ID allocation currently suffers the following problems: * fragmentation has worst case behavior where there may be as few as 2 outsanding sessions, but the allocator will become full * there is no formal coupling to the session manager object, but yet there can only be one allocator per session manager; the current solution is for the allocator to share static state * IDs are proposed *to* the session manager, which means the session manager can only prevent collisions by failing on session creation or by evicting sessions; it currently does the latter * session ID allocation is manual, so leaks are likely This commit solves these problems by moving ID allocation into the session manager and by leveraging the session table itself as the source of truth for available IDs. Whereas the old flow was: * allocate session ID * initiate PASE or CASE * (on success) allocate sesion table entry The new flow is: * allocate session table entry with non-colliding ID * initiate PASE or CASE * activate the session in the table Allocation uses a next-session-ID clue, which is 1 more than the most recent allocation, and also searches the session table to make sure a non-colliding value is returned. Allocation time complexity is O(kMaxSessionCount^2/64) in the current implementation. Lifecycle of the pending session table entries also leverages the SessionHolder object to alleviate our need to manually free resources. Fixes: project-chip#7835, project-chip#12821 Testing: * Added an allocation test to TestSessionManager * All other code paths are heavily integrated into existing tests * All existing unit tests pass
msandstedt
added a commit
to msandstedt/connectedhomeip
that referenced
this issue
Mar 31, 2022
Secure session ID allocation currently suffers the following problems: * fragmentation has worst case behavior where there may be as few as 2 outsanding sessions, but the allocator will become full * there is no formal coupling to the session manager object, but yet there can only be one allocator per session manager; the current solution is for the allocator to share static state * IDs are proposed *to* the session manager, which means the session manager can only prevent collisions by failing on session creation or by evicting sessions; it currently does the latter * session ID allocation is manual, so leaks are likely This commit solves these problems by moving ID allocation into the session manager and by leveraging the session table itself as the source of truth for available IDs. Whereas the old flow was: * allocate session ID * initiate PASE or CASE * (on success) allocate sesion table entry The new flow is: * allocate session table entry with non-colliding ID * initiate PASE or CASE * activate the session in the table Allocation uses a next-session-ID clue, which is 1 more than the most recent allocation, and also searches the session table to make sure a non-colliding value is returned. Allocation time complexity is O(kMaxSessionCount^2/64) in the current implementation. Lifecycle of the pending session table entries also leverages the SessionHolder object to alleviate our need to manually free resources. Fixes: project-chip#7835, project-chip#12821 Testing: * Added an allocation test to TestSessionManager * All other code paths are heavily integrated into existing tests * All existing unit tests pass
msandstedt
added a commit
to msandstedt/connectedhomeip
that referenced
this issue
Mar 31, 2022
Secure session ID allocation currently suffers the following problems: * fragmentation has worst case behavior where there may be as few as 2 outstanding sessions, but the allocator will become full * there is no formal coupling to the session manager object, but yet there can only be one allocator per session manager; the current solution is for the allocator to share static state * IDs are proposed *to* the session manager, which means the session manager can only prevent collisions by failing on session creation or by evicting sessions; it currently does the latter * session ID allocation is manual, so leaks are likely This commit solves these problems by moving ID allocation into the session manager and by leveraging the session table itself as the source of truth for available IDs. Whereas the old flow was: * allocate session ID * initiate PASE or CASE * (on success) allocate session table entry The new flow is: * allocate session table entry with non-colliding ID * initiate PASE or CASE * activate the session in the table Allocation uses a next-session-ID clue, which is 1 more than the most recent allocation, and also searches the session table to make sure a non-colliding value is returned. Allocation time complexity is O(kMaxSessionCount^2/64) in the current implementation. Lifecycle of the pending session table entries also leverages the SessionHolder object to alleviate our need to manually free resources. Fixes: project-chip#7835, project-chip#12821 Testing: * Added an allocation test to TestSessionManager * All other code paths are heavily integrated into existing tests * All existing unit tests pass
msandstedt
added a commit
to msandstedt/connectedhomeip
that referenced
this issue
Mar 31, 2022
Secure session ID allocation currently suffers the following problems: * fragmentation has worst case behavior where there may be as few as 2 outstanding sessions, but the allocator will become full * there is no formal coupling to the session manager object, but yet there can only be one allocator per session manager; the current solution is for the allocator to share static state * IDs are proposed *to* the session manager, which means the session manager can only prevent collisions by failing on session creation or by evicting sessions; it currently does the latter * session ID allocation is manual, so leaks are likely This commit solves these problems by moving ID allocation into the session manager and by leveraging the session table itself as the source of truth for available IDs. Whereas the old flow was: * allocate session ID * initiate PASE or CASE * (on success) allocate session table entry The new flow is: * allocate session table entry with non-colliding ID * initiate PASE or CASE * activate the session in the table Allocation uses a next-session-ID clue, which is 1 more than the most recent allocation, and also searches the session table to make sure a non-colliding value is returned. Allocation time complexity is O(kMaxSessionCount^2/64) in the current implementation. Lifecycle of the pending session table entries also leverages the SessionHolder object to alleviate our need to manually free resources. Fixes: project-chip#7835, project-chip#12821 Testing: * Added an allocation test to TestSessionManager * All other code paths are heavily integrated into existing tests * All existing unit tests pass
kghost
pushed a commit
that referenced
this issue
Apr 4, 2022
* Fix Session ID Allocation Secure session ID allocation currently suffers the following problems: * fragmentation has worst case behavior where there may be as few as 2 outstanding sessions, but the allocator will become full * there is no formal coupling to the session manager object, but yet there can only be one allocator per session manager; the current solution is for the allocator to share static state * IDs are proposed *to* the session manager, which means the session manager can only prevent collisions by failing on session creation or by evicting sessions; it currently does the latter * session ID allocation is manual, so leaks are likely This commit solves these problems by moving ID allocation into the session manager and by leveraging the session table itself as the source of truth for available IDs. Whereas the old flow was: * allocate session ID * initiate PASE or CASE * (on success) allocate session table entry The new flow is: * allocate session table entry with non-colliding ID * initiate PASE or CASE * activate the session in the table Allocation uses a next-session-ID clue, which is 1 more than the most recent allocation, and also searches the session table to make sure a non-colliding value is returned. Allocation time complexity is O(kMaxSessionCount^2/64) in the current implementation. Lifecycle of the pending session table entries also leverages the SessionHolder object to alleviate our need to manually free resources. Fixes: #7835, #12821 Testing: * Added an allocation test to TestSessionManager * All other code paths are heavily integrated into existing tests * All existing unit tests pass * fix Werror=conversion * fix VerifyOrExit lint error * fix Werror=unused-but-set-variable with detail logging disabled * fix tv-casting-app build * pass SessionHolder by reference to reduce stack size * bypass -Wstack-usage= in TestPASESession to fix spurious stack warning * Update src/transport/SecureSession.h Co-authored-by: Boris Zbarsky <[email protected]> * Update src/transport/SecureSessionTable.h Co-authored-by: Boris Zbarsky <[email protected]> * per bzbarsky-apple, document that allocation of sessions to caller-specified IDs is for testing * Update src/transport/PairingSession.h Co-authored-by: Boris Zbarsky <[email protected]> * per mrjerryjohns, delegate allocation of secure sessions to base PairingSession object * remove use of Optional<uint16_t> session IDs Overloads make this superfluous. * init session ID randomly; add more checks for invalid 0 session ID * Update src/transport/PairingSession.h Co-authored-by: Boris Zbarsky <[email protected]> * per bzbarsky-apple, pass reference type to SessionHolderWithDelegate * restyle * per kghost, pass SessionHandle, not SessionHolder * make sure to grab the session in NewPairing * fixup doxy params * fix up comments * add a test case to verify the session ID allocator does not have collisions * reduce number of session ID allocator collision test iterations to fix CI timeout * fix loop sentinel in TestSessionManager * increase gcc_debug test phase timeout * increase gcc-debug total timeout to 65 minutes Co-authored-by: Boris Zbarsky <[email protected]>
chencheung
pushed a commit
to chencheung/connectedhomeip
that referenced
this issue
Apr 6, 2022
* Fix Session ID Allocation Secure session ID allocation currently suffers the following problems: * fragmentation has worst case behavior where there may be as few as 2 outstanding sessions, but the allocator will become full * there is no formal coupling to the session manager object, but yet there can only be one allocator per session manager; the current solution is for the allocator to share static state * IDs are proposed *to* the session manager, which means the session manager can only prevent collisions by failing on session creation or by evicting sessions; it currently does the latter * session ID allocation is manual, so leaks are likely This commit solves these problems by moving ID allocation into the session manager and by leveraging the session table itself as the source of truth for available IDs. Whereas the old flow was: * allocate session ID * initiate PASE or CASE * (on success) allocate session table entry The new flow is: * allocate session table entry with non-colliding ID * initiate PASE or CASE * activate the session in the table Allocation uses a next-session-ID clue, which is 1 more than the most recent allocation, and also searches the session table to make sure a non-colliding value is returned. Allocation time complexity is O(kMaxSessionCount^2/64) in the current implementation. Lifecycle of the pending session table entries also leverages the SessionHolder object to alleviate our need to manually free resources. Fixes: project-chip#7835, project-chip#12821 Testing: * Added an allocation test to TestSessionManager * All other code paths are heavily integrated into existing tests * All existing unit tests pass * fix Werror=conversion * fix VerifyOrExit lint error * fix Werror=unused-but-set-variable with detail logging disabled * fix tv-casting-app build * pass SessionHolder by reference to reduce stack size * bypass -Wstack-usage= in TestPASESession to fix spurious stack warning * Update src/transport/SecureSession.h Co-authored-by: Boris Zbarsky <[email protected]> * Update src/transport/SecureSessionTable.h Co-authored-by: Boris Zbarsky <[email protected]> * per bzbarsky-apple, document that allocation of sessions to caller-specified IDs is for testing * Update src/transport/PairingSession.h Co-authored-by: Boris Zbarsky <[email protected]> * per mrjerryjohns, delegate allocation of secure sessions to base PairingSession object * remove use of Optional<uint16_t> session IDs Overloads make this superfluous. * init session ID randomly; add more checks for invalid 0 session ID * Update src/transport/PairingSession.h Co-authored-by: Boris Zbarsky <[email protected]> * per bzbarsky-apple, pass reference type to SessionHolderWithDelegate * restyle * per kghost, pass SessionHandle, not SessionHolder * make sure to grab the session in NewPairing * fixup doxy params * fix up comments * add a test case to verify the session ID allocator does not have collisions * reduce number of session ID allocator collision test iterations to fix CI timeout * fix loop sentinel in TestSessionManager * increase gcc_debug test phase timeout * increase gcc-debug total timeout to 65 minutes Co-authored-by: Boris Zbarsky <[email protected]>
chencheung
pushed a commit
to chencheung/connectedhomeip
that referenced
this issue
Apr 6, 2022
* Fix Session ID Allocation Secure session ID allocation currently suffers the following problems: * fragmentation has worst case behavior where there may be as few as 2 outstanding sessions, but the allocator will become full * there is no formal coupling to the session manager object, but yet there can only be one allocator per session manager; the current solution is for the allocator to share static state * IDs are proposed *to* the session manager, which means the session manager can only prevent collisions by failing on session creation or by evicting sessions; it currently does the latter * session ID allocation is manual, so leaks are likely This commit solves these problems by moving ID allocation into the session manager and by leveraging the session table itself as the source of truth for available IDs. Whereas the old flow was: * allocate session ID * initiate PASE or CASE * (on success) allocate session table entry The new flow is: * allocate session table entry with non-colliding ID * initiate PASE or CASE * activate the session in the table Allocation uses a next-session-ID clue, which is 1 more than the most recent allocation, and also searches the session table to make sure a non-colliding value is returned. Allocation time complexity is O(kMaxSessionCount^2/64) in the current implementation. Lifecycle of the pending session table entries also leverages the SessionHolder object to alleviate our need to manually free resources. Fixes: project-chip#7835, project-chip#12821 Testing: * Added an allocation test to TestSessionManager * All other code paths are heavily integrated into existing tests * All existing unit tests pass * fix Werror=conversion * fix VerifyOrExit lint error * fix Werror=unused-but-set-variable with detail logging disabled * fix tv-casting-app build * pass SessionHolder by reference to reduce stack size * bypass -Wstack-usage= in TestPASESession to fix spurious stack warning * Update src/transport/SecureSession.h Co-authored-by: Boris Zbarsky <[email protected]> * Update src/transport/SecureSessionTable.h Co-authored-by: Boris Zbarsky <[email protected]> * per bzbarsky-apple, document that allocation of sessions to caller-specified IDs is for testing * Update src/transport/PairingSession.h Co-authored-by: Boris Zbarsky <[email protected]> * per mrjerryjohns, delegate allocation of secure sessions to base PairingSession object * remove use of Optional<uint16_t> session IDs Overloads make this superfluous. * init session ID randomly; add more checks for invalid 0 session ID * Update src/transport/PairingSession.h Co-authored-by: Boris Zbarsky <[email protected]> * per bzbarsky-apple, pass reference type to SessionHolderWithDelegate * restyle * per kghost, pass SessionHandle, not SessionHolder * make sure to grab the session in NewPairing * fixup doxy params * fix up comments * add a test case to verify the session ID allocator does not have collisions * reduce number of session ID allocator collision test iterations to fix CI timeout * fix loop sentinel in TestSessionManager * increase gcc_debug test phase timeout * increase gcc-debug total timeout to 65 minutes Co-authored-by: Boris Zbarsky <[email protected]>
andrei-menzopol
pushed a commit
to andrei-menzopol/connectedhomeip
that referenced
this issue
Apr 14, 2022
* Fix Session ID Allocation Secure session ID allocation currently suffers the following problems: * fragmentation has worst case behavior where there may be as few as 2 outstanding sessions, but the allocator will become full * there is no formal coupling to the session manager object, but yet there can only be one allocator per session manager; the current solution is for the allocator to share static state * IDs are proposed *to* the session manager, which means the session manager can only prevent collisions by failing on session creation or by evicting sessions; it currently does the latter * session ID allocation is manual, so leaks are likely This commit solves these problems by moving ID allocation into the session manager and by leveraging the session table itself as the source of truth for available IDs. Whereas the old flow was: * allocate session ID * initiate PASE or CASE * (on success) allocate session table entry The new flow is: * allocate session table entry with non-colliding ID * initiate PASE or CASE * activate the session in the table Allocation uses a next-session-ID clue, which is 1 more than the most recent allocation, and also searches the session table to make sure a non-colliding value is returned. Allocation time complexity is O(kMaxSessionCount^2/64) in the current implementation. Lifecycle of the pending session table entries also leverages the SessionHolder object to alleviate our need to manually free resources. Fixes: project-chip#7835, project-chip#12821 Testing: * Added an allocation test to TestSessionManager * All other code paths are heavily integrated into existing tests * All existing unit tests pass * fix Werror=conversion * fix VerifyOrExit lint error * fix Werror=unused-but-set-variable with detail logging disabled * fix tv-casting-app build * pass SessionHolder by reference to reduce stack size * bypass -Wstack-usage= in TestPASESession to fix spurious stack warning * Update src/transport/SecureSession.h Co-authored-by: Boris Zbarsky <[email protected]> * Update src/transport/SecureSessionTable.h Co-authored-by: Boris Zbarsky <[email protected]> * per bzbarsky-apple, document that allocation of sessions to caller-specified IDs is for testing * Update src/transport/PairingSession.h Co-authored-by: Boris Zbarsky <[email protected]> * per mrjerryjohns, delegate allocation of secure sessions to base PairingSession object * remove use of Optional<uint16_t> session IDs Overloads make this superfluous. * init session ID randomly; add more checks for invalid 0 session ID * Update src/transport/PairingSession.h Co-authored-by: Boris Zbarsky <[email protected]> * per bzbarsky-apple, pass reference type to SessionHolderWithDelegate * restyle * per kghost, pass SessionHandle, not SessionHolder * make sure to grab the session in NewPairing * fixup doxy params * fix up comments * add a test case to verify the session ID allocator does not have collisions * reduce number of session ID allocator collision test iterations to fix CI timeout * fix loop sentinel in TestSessionManager * increase gcc_debug test phase timeout * increase gcc-debug total timeout to 65 minutes Co-authored-by: Boris Zbarsky <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
connectedhomeip/src/protocols/secure_channel/SessionIDAllocator.cpp
Lines 29 to 39 in 6c1f43a
This issue was generated by todo based on a
TODOcomment in 6c1f43a when #7666 was merged. cc @pan-apple.The text was updated successfully, but these errors were encountered: