• Maybe I’m misunderstanding you, but DoS is exactly the same thing as “denial of service”.

    My point is that memory leaks can only degrade availability; they are categorically distinct from security vulnerabilities.

    • ipkpjersi@lemmy.ml
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      4 months ago

      I think you might be misunderstanding me.

      According to the CVE Numbering Athorities, there can be vulnerabilities that result in service being denied, and they refer to them as a denial-of-service vulnerability. For example, there can be a bug in a program that causes it to crash if you perform a certain set of steps/actions, thus resulting in the service being denied. Whereas traditionally, a DoS/DDoS attack is simply flooding a target with more bandwidth than they have available downstream bandwidth. Sending massive amounts of data to overwhelm a service is not the same thing as finding a unique set of actions to cause the program to crash.

      So in theory, yes, a memory leak could amount to and result in a security vulnerability, like if the memory leak is reproducible and so severe it causes a service to crash.

      • Aha, I didn’t realize compromising availability was sufficient for the CVE definition of security vulnerability. Projects I’ve worked on have typically excluded availability, though that may not be the norm.

        And I see your point about some exploits being highly asymmetric in the attacker’s favor, compared to classic [D]DoS.