SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 147

changes.mady.by.user Melanie Thompson

Saved on

compared with

New Version 148

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Wiki Markup
This vulnerability can be prevented using a  {{java.lang.Object}} declared {{private}} and {{final}} within the class. The object must be used explicitly for locking purposes in {{synchronized}} blocks within the class’s methods. This intrinsic lock is associated with the instance of the private object and not the class. Consequently, there is no lock contention between this class’s methods and the methods of a hostile class. Bloch refers to this technique as the “private lock object” idiom \[[Bloch 01|AA. Java References#Bloch 01]\].

...

An object should use a private final lock object rather than its own intrinsic lock unless the class can guarantee that untrusted code cannot •

  • subclass the class or its superclass (trusted code is allowed to subclass the class)

...

  • create an object of the class, its superclass, or subclass

...

  • access or acquire an object instance of the class, its superclass, or subclass

If a class uses a private final lock to synchronize shared data, subclasses must also use a private final lock. However, if a class uses intrinsic synchronization over the class object without docu-menting documenting its locking policy, subclasses may not use intrinsic synchronization over their own class object, unless they explicitly document their locking policy. If the superclass documents its policy by stating that client-side locking is supported, the subclasses have the option of choosing between intrinsic locking over the class object and a private lock. Regardless of which is chosen, subclasses must document their locking policy. See guideline TSM00-J. Do not override thread-safe methods with methods that are not thread-safe for related information.

...

The untrusted code attempts to acquire a lock on the object’s monitor and, upon succeeding, in-troduces introduces an indefinite delay that prevents the {{synchronized}} changeValue() method from acquiring the same lock. Note that in the untrusted code, the attacker intentionally violates guideline LCK09-J. Do not perform operations that may block while holding a lock.

...

This noncompliant code example locks on a public non-final object in an attempt to use a lock other than SomeObject’s {{SomeObject}}’s intrinsic lock.

Code Block
bgColor#FFcccc
public class SomeObject {
  public Object lock = new Object();

  public void changeValue() {
    synchronized (lock) {
      // ...
    }
  }
}

...

Untrusted code that has the ability to create an instance of the class or has access to an already created instance can invoke the wait() method on the publicly accessible lock, causing the lock in the changeValue() method to be released immediately. method to be released immediately. Furthermore, if the method invokes lock.wait() from its body and does not test a condition predicate, it will be vulnerable to malicious notifications. (See guideline THI03-J. Always invoke wait() and await() methods inside a loop for more information.)

...

Thread-safe public classes that may interact with untrusted code must use a private final lock ob-jectobject. Existing classes that use intrinsic synchronization must be refactored to use block synchroni-zation synchronization on such an object. In this compliant solution, calling changeValue() obtains a lock on a private final Object instance that is inaccessible from callers outside the class's scope.

...

LCK00-EX1: A class may violate this guideline, if all the following conditions are met: •

  • It sufficiently documents that callers must not pass objects of this class to untrusted code.

...

  • The class does not invoke methods on objects of any untrusted classes that violate this guide-line directly or indirectly.

...

  • The synchronization policy of the class is documented properly.

A client may use a class that violates this guideline, if all the following conditions are met: •

  • The class does not pass objects of this class to untrusted code.

...

  • The class does not use any untrusted classes that violate this guideline directly or indirectly.

LCK00-EX2: If a superclass of the class documents that it supports client-side locking and syn-chronizes synchronizes on its class object, the class can support client-side locking in the same way and docu-ment document this policy.

LCK00-EX3: A package-private class may violate this guideline because its accessibility protects against untrusted callers. However, this condition should be documented explicitly so that trusted code within the same package does not reuse or change the lock object inadvertently.

...