Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

A method declared as synchronized always uses the object's monitor (intrinsic lock) as does code that synchronizes on the this reference using a synchronized block. Poorly synchronized code is prone to contention and deadlock. An attacker can manipulate the system to trigger these conditions and cause a Denial of Service (DoS). If the vulnerable class is accessible from an untrusted class, an attacker can lock and hold the same object as the vulnerable class, disrupting correct synchronization.

Wiki Markup
TheThis _privatevulnerability finalcan lockbe object_prevented idiomby prevents this vulnerability. The idiom consists of using a {{java.lang.Object}} declared within the class as {{private}} and {{final}}.  The object must be explicitly used for locking purposes in {{synchronized}} blocks within the class's methods. This intrinsic lock is associated with the instance of the internal private object and not the class. Consequently, there is no lock contention between this class's methods and methods of a hostile class.  Joshua Bloch refers to this as the The "private lock object" idiom. \[[Bloch 01|AA. Java References#Bloch 01]\]. 

...

This idiom is also suitable for classes designed for inheritance. If a superclass thread requests a lock on the object's monitor, a subclass thread can interfere with its operation. For example, a subclass may use the superclass object's intrinsic lock for performing unrelated operations, causing significant lock contention. Also, excessive use of the same lock frequently results in deadlocks. This idiom separates the locking strategy of the superclass from that of the subclass. It also permits fine-grained locking because multiple lock objects can be used for seemingly unrelated operations. This increases the overall responsiveness of the application.

An object should use an internal a private final lock object rather than its own intrinsic lock unless the class can guarantee that untrusted code cannot:

  • subclass the class or its superclass (trusted code is allowed to subclass the class)
  • create an object of the class, its superclass, or subclass
  • access or acquire an object instance of the class, its superclass, or subclass

If a class uses an internal a private final lock to synchronize shared data, subclasses must also use an internal private final lock. However, if a class uses intrinsic synchronization over the class object without documenting its locking policy, subclasses may not use intrinsic synchronization over their own class object, unless they explicitly document their locking policy. If the superclass documents its policy by stating that client-side locking is supported, the subclasses have the option of choosing between intrinsic locking over the class object and an internal private lock. Regardless of what which is chosen, subclasses must document their locking policy. Refer to the guideline CON10-J. Do not override thread-safe methods with methods that are not thread-safe for related information.

If these restrictions are not met, the object's intrinsic lock is not trustworthy. If all conditions are satisfied, then the object gains no significant security from using an internal private final lock object, and may synchronize using its own intrinsic lock.

Noncompliant Code Example (method synchronization)

This noncompliant code example exposes instances of the someObject class to untrusted code.

...

The untrusted code attempts to acquire a lock on the object's monitor and upon succeeding, introduces an indefinite delay which prevents the synchronized changeValue() method from acquiring the same lock. Note that the untrusted code attacker intentionally violates CON20-J. Do not perform operations that may block while holding a lock in the untrusted code.

Noncompliant Code Example (public non-final lock object)

This noncompliant code example locks on a public non-final object in an attempt to use a lock other than SomeObject's intrinsic lock.

...

However, it is possible for untrusted code to change the value of the lock object and disrupt proper synchronization.

Noncompliant Code Example (publicly-accessible final lock object)

This noncompliant code example synchronizes on a private but non-final field.

...

Any thread can modify the field's value to refer to some other object in the presence of an accessor such as setLock(). This might cause two threads that intend to lock on the same object to lock on different objects, enabling them to execute the two critical sections in an unsafe manner. For example, if one thread is in its critical section and the lock is changed, a second thread will lock on the new reference instead of the old one.

Compliant Solution (

...

private final lock object)

Thread-safe public classes that may interact with untrusted code must use a private final lock object. Existing classes that use the intrinsic synchronization of their respective objects may be protected by using the private lock object idiom and refactoring them must be refactored to use block synchronization on a private final lock object. In this compliant solution, if the method calling changeValue() is called, the lock is obtained obtains a lock on a private final Object instance that is inaccessible from callers that exist outside the class's scope.

Code Block
bgColor#ccccff
public class SomeObject {
  private final Object lock = new Object(); // private lock object

  public void changeValue() {
    synchronized (lock) { // Locks on the private Object
      // ...
    }
  }
}

A private final lock object can only be used with block synchronization. Block synchronization is preferred over method synchronization, because operations that do not require synchronization can be moved outside the synchronized region, reducing lock contention and blocking. Note that there is no need to declare lock as volatile because of the strong visibility semantics of final fields. Instead of using setter methods to change the lock, declare and use multiple internal private final lock objects to meet satisfy the required locking granularity objectivesrequirements.

Noncompliant Code Example (static)

This noncompliant code example exposes the class object of someObject to untrusted code.

...

The untrusted code attempts to acquire a lock on the class object's monitor and upon succeeding, introduces an indefinite delay which prevents the synchronized changeValue() method from acquiring the same lock.

A complete implementation of this noncompliant code example would compliant solution must comply with CON32-J. Internally synchronize classes containing accessible mutable static fields. However, the untrusted code attacker intentionally violates CON20-J. Do not perform operations that may block while holding a lock in the untrusted code.

Compliant Solution (static)

Thread-safe public classes that may interact with untrusted code and use intrinsic synchronization over the class object should must be refactored to use a static internal private final lock object and block synchronization.

...

In this compliant solution , if the method ChangeValue() is called, the lock is obtained obtains a lock on a static private Object that is inaccessible from the caller.

Exceptions

EX1: A class may violate this guideline, if all the following conditions are met:

  • it sufficiently documents that callers must not pass objects of this class to untrusted code,
  • the class does not invoke methods on objects of any untrusted classes that violate this guideline directly or indirectly,
  • the synchronization policy of the class is properly documented. Classes that claim to support client-side locking should be used with care.

A client may use a class that violates this guideline, if all the following conditions are met:

  • it does not not pass objects of this class to untrusted code by using suitable encapsulation
  • it does not use any untrusted classes that violate this guideline directly or indirectly

EX2: If a superclass of the class documents that it supports client-side locking and synchronizes on its class object, the class should also support client-side locking in the same way and document this policy. If instead the superclass uses an internal private lock, the derived class should document its own locking policy.

Risk Assessment

Exposing the class object to untrusted code can result in denial-of-service.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

CON04-J

low

probable

medium

P4

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[Bloch 01|AA. Java References#Bloch 01]\] Item 52: "Document Thread Safety"

...