Severity: Medium
Component: DBus Service
Simulation: SIM-L1-002
Sprint: 4
Description
No rate limiting on DBus calls allows denial of service by flooding the service with requests.
Proposed Fix
Per-caller rate limiting with token bucket algorithm.
Source
Imported from .straymark/02-design/risk-analysis/BACKLOG-simulation-issues.md on 2026-05-29.
Cross-referenced analysis: RISK-002-3
Risk ID: RISK-002 / VULN-003
Severity: MEDIUM (CVSS 5.3)
Component: DBus Service
Attack Vector: Local
Privileges Required: Low
Impact: Service Degradation
Description
The DBus service does not implement rate limiting. A malicious process can flood the service with requests, causing CPU exhaustion and making the daemon unresponsive to legitimate clients.
Attack Vector
# Flood the service with 10,000 requests/second
while true; do
dbus-send --session --dest=com.strangedaystech.LNXDrive \
/org/strangedaystech/LNXDrive/Sync \
com.strangedaystech.LNXDrive.Sync.GetStatus &
done
Impact
- Daemon CPU at 100%
- Legitimate UI clients timeout
- Sync operations delayed
- System-wide responsiveness degradation
Remediation (Short-term P1)
- Implement per-caller rate limiting
- Add request prioritization (UI clients > unknown callers)
- Implement circuit breaker for abusive callers
Simulation Scenario
SIM-L1-002
Source
Imported from .straymark/02-design/risk-analysis/RISK-002-security-vulns.md on 2026-05-29.
Severity: Medium
Component: DBus Service
Simulation: SIM-L1-002
Sprint: 4
Description
No rate limiting on DBus calls allows denial of service by flooding the service with requests.
Proposed Fix
Per-caller rate limiting with token bucket algorithm.
Source
Imported from
.straymark/02-design/risk-analysis/BACKLOG-simulation-issues.mdon 2026-05-29.Cross-referenced analysis: RISK-002-3
Risk ID: RISK-002 / VULN-003
Severity: MEDIUM (CVSS 5.3)
Component: DBus Service
Attack Vector: Local
Privileges Required: Low
Impact: Service Degradation
Description
The DBus service does not implement rate limiting. A malicious process can flood the service with requests, causing CPU exhaustion and making the daemon unresponsive to legitimate clients.
Attack Vector
Impact
Remediation (Short-term P1)
Simulation Scenario
SIM-L1-002
Source
Imported from
.straymark/02-design/risk-analysis/RISK-002-security-vulns.mdon 2026-05-29.