The synchronized keyword is used to acquire a mutual-exclusion lock so that no other thread can acquire the lock, while it is being held by the executing thread. The synchronized keyword always uses the object's intrinsic 'monitor' lock. This lock is available to any code that the object itself is available to; consequently any code can lock on the object, and potentially cause a denial of service.
Recall that there are two ways to synchronize access to shared mutable variables, method synchronization and block synchronization. Excessive method synchronization can induce a denial of service (DoS) vulnerability because another class whose member locks on the class object, can fail to release the lock promptly. However, this requires the victim class to be accessible from the hostile class.
| Wiki Markup |
|---|
The _private lock object_ idiom can be used to prevent the DoS vulnerability. The idiom consists of a {{private}} object declared as an instance field. The {{private}} object must be explicitly used for locking purposes in {{synchronized}} blocks, within the class's methods. This lock object belongs to an instance of the object and is not associated with the class object itself. Consequently, there is no lock contention between a class method and a method of thea hostile class when both try to lock on the class object. \[[Bloch 01|AA. Java References#Bloch 01]\] |
This idiom can also be suitably used by classes designed for inheritance. If a superclass thread requests a lock on the class object's monitor, a subclass thread can interfere with its operation. Refer to the guideline CON02-J. Always synchronize on the appropriate object for more details.
An object should use a private lock rather than its intrinsic lock. An object should rely on its intrinsic lock only if all of the following conditions are met:
- The object's class is package-private.
- No objects of that class (or a subclass) ever escape its package.
- None of the object's superclasses use synchronization at all.
If any of these conditions are violated, the object's intrinsic lock is not trustworthy. If all conditions are satisfied, then the object gains no security from using a private internal lock, and so it may rely on its This idiom is only useful for objects that may be accessible to hostile code. A private object gains no benefits from synchronizing on a private lock object, rather than synchronizing on its own intrinsic lock.
Noncompliant Code Example
...
For more details on using the private Object lock refer to CON02-J. Always synchronize on the appropriate object. There is some performance impact associated with using block synchronization instead of method synchronization but the difference is usually negligible. In the presence of statements that do not require synchronization amongst those that do, block synchronization tends to be a better performer.
Exceptions
EX1: Classes that are not public may violates this guideline as long as untrusted code cannot infiltrate the package.
EX2: If the deployment is not susceptible to untrusted invocations and untrusted code cannot directly or indirectly access the class object, this guideline may be violatedUsing a private lock may only be achieved with block synchronization, as method synchronization always uses the object's intrinsic lock. However, block synchronization is also preferred over method synchronization, because it is easy to move operations out of the synchronized block when they might take a long time and they are not truly a critical section.
Risk Assessment
Exposing the class object to untrusted code can result in denial-of-service.
...