The synchronized
keyword is used to acquire a mutual-exclusion lock ; that is, – a lock that cannot be acquired by any other thread while it is held by the executing thread. There are two ways to synchronize access to shared mutable variables: method synchronization and block synchronization.
Methods declared as synchronized and blocks that synchronize on the this
reference both use the objectâs monitor (that is, its intrinsic lock). An attacker can manipulate the system to trigger contention and deadlock by obtaining and indefinitely holding the intrinsic lock of an accessible class, consequently causing a denial of service (DoS).
Wiki Markup |
---|
One technique for preventing this vulnerability is the âprivate_private lock objectâobject_ idiom \[[Bloch 2001|AA. Bibliography#Bloch 01]\]. This idiom uses the intrinsic lock associated with the instance of a {{private}} {{final}} {{java.lang.Object}} declared within the class instead of the intrinsic lock of the object itself. This idiom requires the use of synchronized blocks within the classâs methods rather than the use of synchronized methods. Lock contention between the classâs methods and those of a hostile class becomes impossible, because the hostile class cannot access the {{private}} {{final}} lock object. |
Static methods and state also share this vulnerability. When a static method is declared synchronized
, it acquires the intrinsic lock of the class object before any statements in its body are executed, and it releases the intrinsic lock when the method completes. Untrusted code that has access to an object of the class, or of a subclass, can use the getClass()
method to gain access to the class object , and consequently manipulate the class object's intrinsic lock. Protect static data by locking on a private static final Object
. Reducing the accessibility of the class to package-private adds provides further protection against untrusted callers.
The private lock object idiom is also suitable for classes that are designed for inheritance. When a superclass requests a lock on the objectâs monitor, a subclass can interfere with its operation. For example, a subclass may use the superclass objectâs intrinsic lock for performing unrelated operations, causing lock contention and deadlock. Separating the locking strategy of the superclass from that of the subclass ensures that they do not share a common lock , and also permits fine-grained locking by supporting the use of multiple lock objects for unrelated operations. This increases the overall responsiveness of the application.
...
- Subclass the class. Note that trusted code is permitted to subclass the class.
- Create an object of the class , or of a subclass.
- Access or acquire an object instance of the class , or of a subclass.
Subclasses whose parents use the private lock object idiom must themselves use the idiom. However, when a class uses intrinsic synchronization over on the class object without documenting its locking policy, subclasses must not use intrinsic synchronization over on their own class object. When the superclass documents its policy by stating that client-side locking is supported, the subclasses have the option to choose between intrinsic locking over the class object or use of the and using the private lock object idiom. Subclasses must document their locking policy regardless of which locking option is chosen. See rule TSM00-J. Do not override thread-safe methods with methods that are not thread-safe for related information.
When any of the above preceding restrictions is are violated, the objectâs intrinsic lock cannot be trusted. When the But when these restrictions are obeyed, the private lock object idiom fails to add any additional security. Consequently, objects that comply with all of the above restrictions are permitted to synchronize using their own intrinsic lock. However, block synchronization using the private lock object idiom is superior to method synchronization for methods that contain non-atomic nonatomic operations that could either use a more fine-grained locking scheme involving multiple private final lock objects or that lack a requirement for synchronization. Non-atomic Nonatomic operations can be decoupled from those that require synchronization and can be executed outside the synchronized block. Both for this reason and also for simplification of maintenance, block synchronization using the private lock object idiom is generally preferred over intrinsic synchronization.
...
Code Block | ||
---|---|---|
| ||
public class SomeObject { public synchronized void changeValue() { // Locks on the object's monitor public synchronized void changeValue() { // ... } } // Untrusted code SomeObject someObject = new SomeObject(); synchronized (someObject) { while (true) { // Indefinitely delay someObject Thread.sleep(Integer.MAX_VALUE); // Indefinitely delay someObject } } |
The untrusted code attempts to acquire a lock on the objectâs monitor and, upon succeeding, introduces an indefinite delay that prevents the synchronized changeValue()
method from acquiring the same lock. Note that in the untrusted code, the attacker intentionally violates rule LCK09-J. Do not perform operations that can block while holding a lock.
Noncompliant Code Example (Public Non-
...
final Lock Object)
This noncompliant code example locks on a public non-final nonfinal object in an attempt to use a lock other than {{SomeObject}}âs intrinsic lock.
Code Block | ||
---|---|---|
| ||
public class SomeObject { public Object lock = new Object(); public void changeValue() { synchronized (lock) { // ... } } } |
However, it is possible for untrusted code to change This change fails to protect against malicious code. For example, untrusted or malicious code could disrupt proper synchronization by changing the value of the lock object and disrupt proper synchronization.
Noncompliant Code Example (Publicly Accessible Non-
...
final Lock Object)
This noncompliant code example synchronizes on a private but non-final nonfinal field.
Code Block | ||
---|---|---|
| ||
public class SomeObject { private volatile Object lock = new Object(); public void changeValue() { synchronized (lock) { // ... } } public void setLock(Object lockValue) { lock = lockValue; } } |
Any thread can modify the fieldâs value to refer to a different object in the presence of an accessor such as setLock()
. That modification might cause two threads that intend to lock on the same object to lock on different objects, thereby enabling permitting them to execute two critical sections in an unsafe manner. For example, if the lock were changed when one thread is was in its critical section and the lock is changed, a second thread will would lock on the new object instead of the old one and would enter its critical section erroneously.
A class that lacks accessible methods to change the lock is secure against untrusted manipulation. However, it remains susceptible to inadvertent modification by the programmer.
...
Untrusted code that has the ability to create an instance of the class or has access to an already created instance can invoke the wait()
method on the publicly accessible lock
, causing the lock in the changeValue()
method to be released immediately. Furthermore, if the method invokes were to invoke lock.wait()
from its body and does not test a condition predicate, it will would be vulnerable to malicious notifications. (See rule THI03-J. Always invoke wait() and await() methods inside a loop for more information.)
This noncompliant code example also violates rule OBJ01-J. Declare data members as private and provide accessible wrapper methods.
...
Thread-safe public classes that may interact with untrusted code must use a private final lock object. Existing classes that use intrinsic synchronization must be refactored to use block synchronization on such an object. In this compliant solution, calling changeValue()
obtains a lock on a private final Object
instance that is inaccessible from to callers that are outside the class's scope.
...
A private final lock object can only be used only with block synchronization. Block synchronization is preferred over method synchronization , because operations without a requirement for synchronization can be moved outside the synchronized region, reducing lock contention and blocking. Note that it is unnecessary to declare the lock
field volatile because of the strong visibility semantics of final fields. When granularity issues require the use of multiple locks, declare and use multiple private final lock objects to satisfy the granularity requirements rather than using a mutable reference to a lock object along with a setter method.
...
Thread-safe public classes that both use intrinsic synchronization over the class object and also may interact with untrusted code , must be refactored to use a static private final lock object and block synchronization.
Code Block | ||
---|---|---|
| ||
public class SomeObject {
private static final Object lock = new Object(); // private final lock object
public static void changeValue() {
synchronized (lock) { // Locks on the private Object
// ...
}
}
}
|
...
- It sufficiently documents that callers must not pass objects of this class to untrusted code.
- The class cannot invoke methods, directly or indirectly, on objects of any untrusted classes that violate this rule, whether directly or indirectly.
- The synchronization policy of the class is documented properly.
...
- Neither the client class nor any other class in the system passes objects of the violating class to untrusted code.
- The violating class cannot invoke methods, directly or indirectly, from untrusted classes that violate this rule, whether directly or indirectly.
LCK00-EX1: When a superclass of the class documents that it supports client-side locking and synchronizes on its class object, the class can support client-side locking in the same way and document this policy.
...
Exposing the lock object to untrusted code can result in denial of service (DoS).
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
LCK00-J | low | probable | medium | P4 | L3 |
Related Guidelines
CWE-412, "Unrestricted Externally Accessible Lock" . Unrestricted externally accessible lock | |
| CWE-413, "Improper Resource Locking" . Improper resource locking |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a549fd8f6387d17f-c3098592-434846ad-a4fb9bf7-63e60b10255a5a03c162b6ed"><ac:plain-text-body><![CDATA[ | [[Bloch 2001 | AA. Bibliography#Bloch 01]] | Item 52: ". Document Thread Safety " | ]]></ac:plain-text-body></ac:structured-macro> |
...