SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 137

changes.mady.by.user Melanie Thompson

Saved on

compared with

New Version 138

changes.mady.by.user Melanie Thompson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Wiki Markup
This vulnerability can be prevented using a {{java.lang.Object}} declared within the class as {{private}} and {{final}}.  The object must be used explicitly for locking purposes in {{synchronized}} blocks within the class's methods. This intrinsic lock is associated with the instance of the private object and not the class. Consequently, there is no lock contention between this class's methods and the methods of a hostile class.  Joshua Bloch refers to this as the "private lock object" idiom \[[Bloch 01|AA. Java References#Bloch 01]\].

Static state has the same potential problem. If a static method is declared synchronized, the intrinsic lock of the class object is acquired before any statements in its body are executed, and the lock is released when the method completes. Any untrusted code that can access an object of the class, or a subclass, can use the getClass() method to gain access to the class lock. Static data can be protected by locking on a private static final Object. Reducing the accessibility of the class to package-private adds further protection against untrusted callers.

...

If these restrictions are not met, the object's intrinsic lock is not trustworthy. If all conditions are satisfied, the object gains no significant security from using a private final lock object and may synchronize using its own intrinsic lock. However, it is still best to use block synchronization using a private final lock object instead of method synchronization when the method contains non-atomic operations that either do not require any synchronization or can use a more fine-grained locking scheme involving multiple private final lock objects. Non-atomic operations can be decoupled from those that require synchronization and executed outside the synchronized block. For this reason, and for maintainability reasons, block synchronization using a private final lock object is generally recommended.

Noncompliant Code Example (Method Synchronization)

This noncompliant code example exposes instances of the someObject class to untrusted code.

Code Block
bgColor#FFCCCC
public class SomeObject {
  public synchronized void changeValue() { // Locks on the object's monitor
    // ...   
  }
}

// Untrusted code
SomeObject someObject = new SomeObject(); 
synchronized (someObject) {
  while (true) {
    Thread.sleep(Integer.MAX_VALUE); // Indefinitely delay someObject
  }
}

The untrusted code attempts to acquire a lock on the object's monitor and upon succeeding, introduces an indefinite delay that prevents the synchronized changeValue() method from acquiring the same lock. Note that the attacker intentionally violates CON25-J. Do not perform operations that may block while holding a lock in the untrusted code.

Noncompliant Code Example (public Non-Final Lock Object)

This noncompliant code example locks on a public non-final object in an attempt to use a lock other than SomeObject's intrinsic lock.

...

However, it is possible for untrusted code to change the value of the lock object and disrupt proper synchronization.

Noncompliant Code Example (Publicly Accessible Non-Final Lock Object)

This noncompliant code example synchronizes on a private but non-final field.

...

A class that does not provide any accessible methods to change the lock is secure against untrusted manipulation. However, it is susceptible to inadvertent modification by the programmer. For maintainability reasons, eliminating the accessor method (which is presumably needed for other reasons) is not the preferred solution.

Noncompliant Code Example (Public Final Lock Object)

This noncompliant code example uses a public final lock object.

Code Block
bgColor#FFcccc
public class SomeObject {
  public final Object lock = new Object();
  
  public void changeValue() {
    synchronized (lock) {
      // ...
    }
  }
}

// Untrusted code
SomeObject someObject = new SomeObject(); 
someObject.lock.wait()

Untrusted code that has the ability to create an instance of the class or has access to an already created instance can invoke the wait() method on the publicly accessible lock. This causes the lock in the changeValue() method to be released immediately. Furthermore, if the method invokes lock.wait() from its body and does not test a condition predicate, it will be vulnerable to malicious notifications. (See CON22-J. Always invoke wait() and await() methods inside a loop for more information.)

Compliant Solution (Private Final Lock Object)

Thread-safe public classes that may interact with untrusted code must use a private final lock object. Existing classes that use intrinsic synchronization must be refactored to use block synchronization on a private final lock object. In this compliant solution, calling changeValue() obtains a lock on a private final Object instance that is inaccessible from callers outside the class's scope.

...

A private final lock object can only be used with block synchronization. Block synchronization is preferred over method synchronization, because operations that do not require synchronization can be moved outside the synchronized region, reducing lock contention and blocking. Note that there is no need to declare lock as volatile because of the strong visibility semantics of final fields. Instead of using setter methods to change the lock, declare and use multiple private final lock objects to satisfy the granularity requirements.

Noncompliant Code Example (Static)

This noncompliant code example exposes the class object of someObject to untrusted code.

Code Block
bgColor#FFCCCC
public class SomeObject {
  public static synchronized void ChangeValue() { // Locks on the class object's monitor
    // ...   
  }
}

// Untrusted code
synchronized (SomeObject.class) {
  while (true) {
    Thread.sleep(Integer.MAX_VALUE); // Indefinitely delay someObject
  }
}

...

A compliant solution must comply with CON12-J. Synchronize access to static fields that may be modified by untrusted code. However, the attacker intentionally violates CON25-J. Do not perform operations that may block while holding a lock in the untrusted code.

Compliant Solution (Static)

Thread-safe public classes that may interact with untrusted code and use intrinsic synchronization over the class object must be refactored to use a static private final lock object and block synchronization.

...

In this compliant solution, ChangeValue() obtains a lock on a static private Object that is inaccessible from the caller.

Exceptions

EX1: A class may violate this guideline, if all the following conditions are met:

...

EX3: A package-private class may violate this guideline, because its accessibility protects against untrusted callers. However, this condition should be documented explicitly so that trusted code within the same package does not reuse or change the lock object inadvertently.

Risk Assessment

Exposing the class object to untrusted code can result in denial of service.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

CON07-J

low

probable

medium

P4

L3

Related Vulnerabilities

Any vulnerabilities resulting from the violation of this rule are listed on the CERT website.

References

Wiki Markup
\[[Bloch 01|AA. Java References#Bloch 01]\] Item 52: "Document Thread Safety"

...