Skip to content

DBus API rate limiting missing #22

Description

@montfort

Severity: Medium
Component: DBus Service
Simulation: SIM-L1-002
Sprint: 4

Description

No rate limiting on DBus calls allows denial of service by flooding the service with requests.

Proposed Fix

Per-caller rate limiting with token bucket algorithm.

Source

Imported from .straymark/02-design/risk-analysis/BACKLOG-simulation-issues.md on 2026-05-29.


Cross-referenced analysis: RISK-002-3

Risk ID: RISK-002 / VULN-003
Severity: MEDIUM (CVSS 5.3)
Component: DBus Service
Attack Vector: Local
Privileges Required: Low
Impact: Service Degradation

Description

The DBus service does not implement rate limiting. A malicious process can flood the service with requests, causing CPU exhaustion and making the daemon unresponsive to legitimate clients.

Attack Vector

# Flood the service with 10,000 requests/second
while true; do
  dbus-send --session --dest=com.strangedaystech.LNXDrive \
    /org/strangedaystech/LNXDrive/Sync \
    com.strangedaystech.LNXDrive.Sync.GetStatus &
done

Impact

  • Daemon CPU at 100%
  • Legitimate UI clients timeout
  • Sync operations delayed
  • System-wide responsiveness degradation

Remediation (Short-term P1)

  1. Implement per-caller rate limiting
  2. Add request prioritization (UI clients > unknown callers)
  3. Implement circuit breaker for abusive callers

Simulation Scenario

SIM-L1-002

Source

Imported from .straymark/02-design/risk-analysis/RISK-002-security-vulns.md on 2026-05-29.

Metadata

Metadata

Assignees

No one assigned

    Labels

    dbusD-Bus IPC layerdosDenial-of-service surfacefrom-risk-analysisImported from .straymark/02-design/risk-analysis/priority/P2Medium: planned, but not blockingsecuritySecurity vulnerability or hardening

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions