...
If these restrictions are not met, the object's intrinsic lock is not trustworthy. If all conditions are satisfied, then the object gains no significant security from using an private final lock object, and may synchronize using its own intrinsic lock.
Noncompliant Code Example (method synchronization)
This noncompliant code example exposes instances of the someObject class to untrusted code.
...
The untrusted code attempts to acquire a lock on the object's monitor and upon succeeding, introduces an indefinite delay which prevents the synchronized changeValue() method from acquiring the same lock. Note that the attacker intentionally violates CON20-J. Do not perform operations that may block while holding a lock in the untrusted code.
Noncompliant Code Example (public non-final lock object)
This noncompliant code example locks on a public non-final object in an attempt to use a lock other than SomeObject's intrinsic lock.
...
However, it is possible for untrusted code to change the value of the lock object and disrupt proper synchronization.
Noncompliant Code Example (publicly-accessible final lock object)
This noncompliant code example synchronizes on a private but non-final field.
...
Any thread can modify the field's value to refer to some other object in the presence of an accessor such as setLock(). This might cause two threads that intend to lock on the same object to lock on different objects, enabling them to execute the two critical sections in an unsafe manner. For example, if one thread is in its critical section and the lock is changed, a second thread will lock on the new reference instead of the old one.
Compliant Solution (private final lock object)
Thread-safe public classes that may interact with untrusted code must use a private final lock object. Existing classes that use intrinsic synchronization must be refactored to use block synchronization on a private final lock object. In this compliant solution, calling changeValue() obtains a lock on a private final Object instance that is inaccessible from callers outside the class's scope.
...
A private final lock object can only be used with block synchronization. Block synchronization is preferred over method synchronization, because operations that do not require synchronization can be moved outside the synchronized region, reducing lock contention and blocking. Note that there is no need to declare lock as volatile because of the strong visibility semantics of final fields. Instead of using setter methods to change the lock, declare and use multiple private final lock objects to satisfy the granularity requirements.
Noncompliant Code Example (static)
This noncompliant code example exposes the class object of someObject to untrusted code.
...
A compliant solution must comply with CON32-J. Internally synchronize classes containing accessible mutable static fields. However, the attacker intentionally violates CON20-J. Do not perform operations that may block while holding a lock in the untrusted code.
Compliant Solution (static)
Thread-safe public classes that may interact with untrusted code and use intrinsic synchronization over the class object must be refactored to use a static private final lock object and block synchronization.
...
In this compliant solution ChangeValue() obtains a lock on a static private Object that is inaccessible from the caller.
Exceptions
EX1: A class may violate this guideline, if all the following conditions are met:
...
EX2: If a superclass of the class documents that it supports client-side locking and synchronizes on its class object, the class should also support client-side locking in the same way and document this policy. If instead the superclass uses an internal private lock, the derived class should document its own locking policy.
Risk Assessment
Exposing the class object to untrusted code can result in denial-of-service.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
CON04-J | low | probable | medium | P4 | L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
| Wiki Markup |
|---|
\[[Bloch 01|AA. Java References#Bloch 01]\] Item 52: "Document Thread Safety" |
...