[Python-Dev] Python possible vulnerabilities in concurrency

Wes Turner wes.turner at gmail.com
Thu Nov 16 01:05:12 EST 2017

CWE (Common Weakness Enumeration) has numbers (and URLs) and a graph model,
and code examples, and mitigations for bugs, vulnerabilities, faults,
design flaws, weaknesses.

Research Concepts

Development Concepts

CWE CATEGORY: Time and State

  CWE CATEGORY: Concurrency Issues

17. Concurrent Execution

> 1. activating threads, tasks or pico-threads


> 2. Directed termination of threads, tasks or pico-threads

So, I looked this up:

Do asynchronous programming patterns actually make this basically never
necessary? (asyncio coroutines, greenlet (eventlet, gevent, ), twisted)



If you really feel like you need the overhead of threads instead of or in
addition to coroutines (they won't use multiple cores without going to IPC,
anyway), you can.

> 3. Premature termination of threads, tasks or pico-threads

What is this referring to?
Does it release handles and locks on exception? (try/finally?)

> 4. Concurrent access to data shared between threads, tasks or
pico-threads,   and

CWE-362: Concurrent Execution using Shared Resource with Improper
Synchronization ('Race Condition')

CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context

> 5. Lock protocol errors for concurrent entities

CWE-667: Improper Locking

CWE-366: Race Condition within a Thread

The ``mutex`` module is removed in Python 3:

17.1. threading — Thread-based parallelism

... Are there other good resources (in addition to Chapter 17) for
concurrency in CPython and/or PyPy and/or Stackless Python, MicroPython,
IronPython, Jython?

- [ ] How do we add Python to the excellent CWE reference?

- How can/could/should one add the things with labels (*) from the ISO PDF
you speak of to thr CWE graph? (* schema:name, rdfs:label)

On Wednesday, November 15, 2017, Guido van Rossum <guido at python.org> wrote:

> On Wed, Nov 15, 2017 at 6:50 PM, Guido van Rossum <guido at python.org
> <javascript:_e(%7B%7D,'cvml','guido at python.org');>> wrote:
>> On Wed, Nov 15, 2017 at 6:37 PM, Armin Rigo <armin.rigo at gmail.com
>> <javascript:_e(%7B%7D,'cvml','armin.rigo at gmail.com');>> wrote:
>>> Hi,
>>> On 14 November 2017 at 14:55, Jan Claeys <lists at janc.be
>>> <javascript:_e(%7B%7D,'cvml','lists at janc.be');>> wrote:
>>> > Sounds like https://www.iso.org/standard/71094.html
>>> > which is updating https://www.iso.org/standard/61457.html
>>> > (which you can download from there if you search a bit; clearly either
>>> > ISO doesn't have a UI/UX "standard" or they aren't following it...)
>>> Just for completeness, I think that what you can download for free
>>> from that second page only contains the first few sections ("Terms and
>>> definitions").  It doesn't even go to "Purpose of this technical
>>> report"---we need to pay $200 just to learn what the purpose is...
>>> *Shrug*
>> Actually it linked to http://standards.iso.org/ittf/
>> PubliclyAvailableStandards/index.html from which I managed to download
>> what looks like the complete c061457_ISO_IEC_TR_24772_2013.pdf (336
>> pages) after clicking on an "I accept" button (I didn't read what I
>> accepted :-). The $200 is for the printed copy I presume.
> So far I learned one thing from the report. They use the term
> "vulnerabilities" liberally, defining it essentially as "bug":
> All programming languages contain constructs that are incompletely
>> specified, exhibit undefined behaviour, are implementation-dependent, or
>> are difficult to use correctly. The use of those constructs may therefore
>> give rise to *vulnerabilities*, as a result of which, software programs
>> can execute differently than intended by the writer.
> They then go on to explain that sometimes vulnerabilities can be
> exploited, but I object to calling all bugs vulnerabilities -- that's just
> using a scary word to get attention for a sleep-inducing document
> containing such gems as "Use floating-point arithmetic only when absolutely
> needed" (page 230).
> --
> --Guido van Rossum (python.org/~guido)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20171116/59262726/attachment.html>

More information about the Python-Dev mailing list