SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 145

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version 146

changes.mady.by.user Melanie Thompson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

A method declared as synchronized always uses the object's object’s monitor (intrinsic lock), as does code that synchronizes on the this reference using a synchronized block. Poorly synchronized code is prone to contention and deadlock. An attacker can manipulate the system to trigger these conditions and cause a Denial of Service (DoS) denial of service by obtaining and indefinitely holding the intrinsic lock of an accessible class.

Wiki Markup
This vulnerability can be prevented using a  {{java.lang.Object}} declared within the class as {{private}} and {{final}}within the class.  The object must be used explicitly for locking purposes in {{synchronized}} blocks within the class'sclass’s methods. This intrinsic lock is associated with the instance of the private object and not the class. Consequently, there is no lock contention between this class'sclass’s methods and the methods of a hostile class.  Joshua Bloch refers to this technique as the "private“private lock object"object” idiom \[[Bloch 01|AA. Java References#Bloch 01]\].

...

This idiom is also suitable for classes designed for inheritance. If a superclass thread requests a lock on the object's object’s monitor, a subclass thread can interfere with its operation. For example, a subclass may use the superclass object's object’s intrinsic lock for performing unrelated operations, causing caus-ing significant lock contention and deadlock. Separating the locking strategy of the superclass from that of the subclass ensures that they do not share a common lock. It also permits fine-grained locking , because multiple lock objects can be used for unrelated operations, increasing the overall responsiveness of the application.

An object should use a private final lock object rather than its own intrinsic lock unless the class can guarantee that untrusted code cannot:
• subclass the class or its superclass (trusted code is allowed to subclass the class)
• create an object of the class, its superclass, or subclass
• access or acquire an object instance of the class, its superclass, or subclass

If a class uses a private final lock to synchronize shared data, subclasses must also use a private final lock. However, if a class uses intrinsic synchronization over the class object without documenting docu-menting its locking policy, subclasses may not use intrinsic synchronization over their own class object, unless they explicitly document their locking policy. If the superclass documents its policy by stating that client-side locking is supported, the subclasses have the option of choosing between intrinsic locking over the class object and a private lock. Regardless of which is chosen, subclasses must document their locking policy. See CON15guideline TSM00-J. Do not override thread-safe methods with methods that are not thread-safe for related information.

If all of these restrictions are not met, the object's object’s intrinsic lock is not trustworthy. If all conditions they are satisfiedmet, the object gains no significant security from using a private final lock object and may synchronize using its own intrinsic lock. However, it is still best to use block synchronization using with a private final lock object instead of method synchronization when the method contains non-atomic operations that either do not require any synchronization or can use a more fine-grained locking scheme involving multiple private final lock objects. Non-atomic operations can be decoupled from those that require synchronization and executed outside the synchronized block. For this reason , and for maintainability reasons, block synchronization using a private final lock object is generally recommended.

...

The untrusted code attempts to acquire a lock on the object's object’s monitor and, upon succeeding, introduces in-troduces an indefinite delay that prevents the{{synchronized}} changeValue() method from acquiring the same lock. Note that in the untrusted code, the attacker intentionally violates CON25guideline LCK09-J. Do not perform operations that may block while holding a lock in the untrusted code.

Noncompliant Code Example (public Non-Final Lock Object)

This noncompliant code example locks on a public non-final object in an attempt to use a lock other than SomeObject's SomeObject’s intrinsic lock.

Code Block
bgColor#FFcccc
public class SomeObject {
  public Object lock = new Object();

  public void changeValue() {
    synchronized (lock) {
      // ...
    }
  }
}

...

Any thread can modify the field's field’s value to refer to some other a different object in the presence of an accessor such as setLock(). This That modification might cause two threads that intend to lock on the same object to lock on different objects, thereby enabling them to execute the two critical sections in an unsafe manner. For example, if one thread is in its critical section and the lock is changed, a second thread will lock on the new reference object instead of the old one.

A class that does not provide any accessible methods to change the lock is secure against untrusted un-trusted manipulation. However, it is susceptible to inadvertent modification by the programmer. For maintainability reasons, eliminating the accessor method (which is presumably needed for other reasons) is not the preferred solution.

...

Untrusted code that has the ability to create an instance of the class or has access to an already created instance can invoke the wait() method on the publicly accessible lock. This causes , causing the lock in the changeValue() method to be released immediately. method to be released immediately. Furthermore, if the method invokes lock.wait() from its body and does not test a condition predicate, it will be vulnerable to malicious notifications. (See CON22guideline THI03-J. Always invoke wait() and await() methods inside a loop for more information.)

...

Thread-safe public classes that may interact with untrusted code must use a private final lock objectob-ject. Existing classes that use intrinsic synchronization must be refactored to use block synchronization on a private final lock synchroni-zation on such an object. In this compliant solution, calling changeValue() obtains a lock on a private final Object instance that is inaccessible from callers outside the class's scope.

...

A private final lock object can only be used with block synchronization. Block synchronization is preferred over method synchronization, because operations that do not require synchronization can be moved outside the synchronized region, reducing lock contention and blocking. Note that there is no need to declare lock as volatile because of the strong visibility semantics of final fields. Instead of using setter methods to change the lock, declare and use multiple, private final lock objects to satisfy the granularity requirements.

...

Code Block
bgColor#FFCCCC
public class SomeObject {
  public static synchronized void ChangeValue() { //changeValue Lockslocks on the class object's monitor
  public static synchronized void ChangeValue() { 
    // ...
  }
}

// Untrusted code
synchronized (SomeObject.class) {
  while (true) {
    Thread.sleep(Integer.MAX_VALUE); // Indefinitely delay someObject
  }
}

The untrusted code attempts to acquire a lock on the class object's object’s monitor and, upon succeeding, introduces an indefinite delay that prevents the synchronized changeValue() method from acquiring the same lock.

A compliant solution must comply with CON12guideline LCK05-J. Synchronize access to static fields that may be modified by untrusted code. However, in the untrusted code, the attacker intentionally violates CON25guideline LCK09-J. Do not perform operations that may block while holding a lock in the untrusted code.

Compliant Solution (Static)

...

In this compliant solution, ChangeValue() obtains a lock on a static private Object that is inaccessible from to the caller.

Exceptions

LCK00-EX1: A class may violate this guideline, if all the following conditions are met:
• It sufficiently documents that callers must not pass objects of this class to untrusted code.
• The class does not invoke methods on objects of any untrusted classes that violate this

...

guide-line directly or indirectly.
• The synchronization policy of the class is documented properly.
A client may use a class that violates this guideline, if all the following conditions are met:
• The class does not

...

pass objects of this class to untrusted code.
• The class does not use any untrusted classes that violate this guideline directly or indirectly.
LCK00-EX2: If a superclass of the class documents that it supports client-side locking and synchronizes syn-chronizes on its class object, the class should also can support client-side locking in the same way and document this policy. If the superclass uses a private final lock instead, the derived class should document its own locking docu-ment this policy.
LCK00-EX3: A package-private class may violate this guideline , because its accessibility protects against untrusted callers. However, this condition should be documented explicitly so that trusted code within the same package does not reuse or change the lock object inadvertently.

...

Exposing the class object to untrusted code can result in denial of service.

Recommendation Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

CON07 LCK00-J

low

probable

medium

P4

L3

Related Vulnerabilities

...

References

Wiki Markup
\[[Bloch 01|AA. Java References#Bloch 01]\] Item 52: "Document Thread Safety"

...