Page History

The synchronized keyword is used to acquire a mutual-exclusion lock so that no other thread can acquire the lock while it is being held by the executing thread. There are two ways to synchronize access to shared mutable variables, : method synchronization and block synchronization. A method Methods declared as synchronized always uses the object's monitor (intrinsic lock) as does code that synchronizes on the this reference using a synchronized block. There are some basic issues with this approach such as contention and deadlock which may occur in the code even without an attacker. However, an and blocks that synchronize on the this reference both use the object as a monitor (that is, its intrinsic lock). An attacker can manipulate the system to trigger these conditions and cause Denial of Service (DoS). An inappropriate synchronization policy can create a Denial of Service (DoS) vulnerability because an untrusted class whose member locks on the same object, can fail to release the lock promptly. However, this requires the victim class to be accessible from the offending (untrustworthy) class.

The _private lock object_ idiom prevents this vulnerability. The idiom consists of a {{java.lang.Object}} declared within the class as {{private}} and {{final}}. The object must be explicitly used for locking purposes in {{synchronized}} blocks, within the class's methods. This intrinsic lock is associated with the instance of the internal private object and not with the class itself. Consequently, there is no lock contention between this class's methods and methods of a hostile class. \[[Bloch 01|AA. Java References#Bloch 01]\] 

contention and deadlock by obtaining and indefinitely holding the intrinsic lock of an accessible class, consequently causing a denial of service (DoS).

One technique for preventing this vulnerability is the private lock object idiom [Bloch 2001]. This idiom uses the intrinsic lock associated with the instance of a private final java.lang.Object declared within the class instead of the intrinsic lock of the object itself. This idiom requires the use of synchronized blocks within the class's methods rather than the use of synchronized methods. Lock contention between the class's methods and those of a hostile class becomes impossible because the hostile class cannot access the private final lock object.

Static methods and state also share this vulnerability. When Static state has the same potential problem. If a static method is declared synchronized, it acquires the intrinsic lock of the class object is acquired before executing the any statements in its body are executed, and released it releases the intrinsic lock when the method completes. Any untrusted Untrusted code that can has access to an object of the class, or of a subclass, can use the getClass() method to gain access to the class object . The private lock object idiom can be used to protect static data by declaring the lock as private, static and finaland consequently manipulate the class object's intrinsic lock. Protect static data by locking on a private static final Object. Reducing the accessibility of the class to package-private may offer some reprieve from untrusted callers when using strategies other than internal locking.provides further protection against untrusted callers.

The private lock object idiom is also suitable for classes that are This idiom can also be suitably used by classes designed for inheritance. If When a superclass thread requests a lock on the object's monitor, a subclass thread can interfere with its operation. For example, a subclass may use the superclass object's intrinsic lock for performing unrelated operations, causing significant lock contention . Also, excessive use of the same lock frequently results in deadlocks. This idiom separates and deadlock. Separating the locking strategy of the superclass from that of the subclass . It ensures that they do not share a common lock and also permits fine-grained locking because by supporting the use of multiple lock objects can be used for seemingly unrelated operations. This increases the overall responsiveness of the application.

An object should use an internal Objects that require synchronization must use the private lock object idiom rather than its their own intrinsic lock unless the class can guarantee that in any case where untrusted code cannotcould:

• subclass Subclass the class or its superclass (trusted code is allowed to subclass the class).
• Create create an object of the class (or its superclass, or subclass)or of a subclass.
• Access access or acquire an object instance of the class (or its superclass, or subclass)or of a subclass.

Subclasses whose superclasses use the private lock object idiom must themselves use the idiom. However, when If a class uses an internal private lock to synchronize shared data, subclasses must also use an internal private lock. However, if a class uses intrinsic synchronization over on the class object without documenting its locking policy, subclasses may must not use intrinsic synchronization over on their own class object, unless they explicitly document their locking policy. If . When the superclass documents its policy by stating that client-side locking is supported, the subclasses have the option of choosing to choose between intrinsic locking over the class object and an internal and using the private lock . Regardless of what is chosen, subclasses object idiom. Subclasses must document their locking policy . Refer to the guideline CON10regardless of which locking option is chosen. See rule TSM00-J. Do not override thread-safe methods with methods that are not thread-safe for related information.

If When any of these restrictions are not metviolated, the object's intrinsic lock is not trustworthy. If all conditions are satisfied, then the object gains no significant security from using an internal private lock object, and may synchronize using its own intrinsic lockcannot be trusted. But when these restrictions are obeyed, the private lock object idiom fails to add any additional security. Consequently, objects that comply with all of the restrictions are permitted to synchronize using their own intrinsic lock. However, block synchronization using the private lock object idiom is superior to method synchronization for methods that contain nonatomic operations that could either use a more fine-grained locking scheme involving multiple private final lock objects or that lack a requirement for synchronization. Nonatomic operations can be decoupled from those that require synchronization and can be executed outside the synchronized block. Both for this reason and for simplification of maintenance, block synchronization using the private lock object idiom is generally preferred over intrinsic synchronization.

Noncompliant Code Example (

...

Method Synchronization)

This noncompliant code example exposes instances of the object someObject SomeObject class to untrusted code.

public class SomeObject {

  // Locks on the object's monitor
  public synchronized void changeValue() { 
    // Locks on the object's monitor ...
  }
 
  public static SomeObject lookup(String name) {
    // ...   
  }
}

// Untrusted code
String name = // ...
SomeObject someObject = SomeObject.lookup(name);
if (someObject == null) {
  // ... handle error
}
synchronized (someObject) {
  while (true) {
    // Indefinitely lock someObject
    Thread.sleep(Integer.MAX_VALUE); // Indefinitely delay someObject
  }
}

The untrusted code attempts to acquire a lock on the object's monitor and, upon succeeding, introduces an indefinite delay which that prevents the synchronized changeValue() method from acquiring the same lock. Furthermore, the object locked is publicly available via the lookup() method.

Alternatively, an attacker could create a private SomeObject object and make it available to trusted code to use it before the attacker code grabs and holds the lock.

Note that in the untrusted code also violates CON20, the attacker intentionally violates rule LCK09-J. Do not perform operations that may can block while holding a lock.

Noncompliant Code Example (

...

Public Non-final

...

Lock Object)

This noncompliant code example locks on a public non-final nonfinal object in an attempt to use a lock that differs from SomeObjectother than {{SomeObject}}'s own intrinsic lock.

public class SomeObject {
  public Object lock = new Object();

  public void changeValue() {
    synchronized (lock) {
      // ...
    }
  }
}

However, it is possible for untrusted code to change This change fails to protect against malicious code. For example, untrusted or malicious code could disrupt proper synchronization by changing the value of the lock object and foil all attempts to synchronize on the correct object.

Noncompliant Code Example (

...

Publicly Accessible Non-

...

final

...

Lock Object)

This noncompliant code example synchronizes on a private but non-final fieldpublicly accessible but nonfinal field. The lock field is declared volatile so that changes are visible to other threads.

public class SomeObject {
  private volatile Object lock = new Object();

  public void changeValue() {
    synchronized (lock) {
      // ...
    }
  }

  public void setLock(Object lockValue) {
    lock = lockValue;
  }
}

Any thread can modify the field's value to refer to some other a different object in the presence of an accessor such as setLock(). This That modification might cause two threads that intend to lock on the same object to lock on different objects, enabling thereby permitting them to execute the two critical sections in an unsafe manner. For example, if the lock were changed when one thread is was in its critical section and the lock is changed, a second thread will would lock on the new reference object instead of the old one .

Compliant Solution (internal private final lock object)

and would enter its critical section erroneously.

A class that lacks accessible methods to change the lock is secure against untrusted manipulation. However, it remains susceptible to inadvertent modification by the programmer.

Noncompliant Code Example (Public Final Lock Object)

This noncompliant code example uses a public final lock object.

public class SomeObject {
  public final Object lock = new Object();

  public void changeValue() {
    synchronized (lock) {
      // ...
    }
  }
}

This noncompliant code example also violates rule OBJ01-J. Limit accessibility of fields.

Compliant Solution (Private Final Lock Object)

Thread-safe public classes that may interact with untrusted code must use a private final lock object. Existing classes that use intrinsic synchronization must be refactored to use block synchronization on such an objectThread-safe classes that use the intrinsic synchronization of their respective objects may be protected by using the private lock object idiom and refactoring them to use block synchronization. In this compliant solution, if the method calling changeValue() is called, the lock is obtained obtains a lock on a private final Object instance that is inaccessible from to callers that exist are outside the class's scope.

public class SomeObject {
  private final Object lock = new Object(); // private final lock object

  public void changeValue() {
    synchronized (lock) { // Locks on the private Object
      // ...
    }
  }
}

A private final lock object can only be used only with block synchronization. Block synchronization is preferred over method synchronization , because operations that do not require without a requirement for synchronization can be moved outside the synchronized region, reducing lock contention and blocking. Note that there it is no need unnecessary to declare the lock as field volatile because of the strong visibility semantics of final fields. Instead of using setter methods to change the lockWhen granularity issues require the use of multiple locks, declare and use multiple internal private final lock objects to meet satisfy the required locking granularity objectivesgranularity requirements rather than using a mutable reference to a lock object along with a setter method.

Noncompliant Code Example (

...

Static)

This noncompliant code example exposes the class object of someObject SomeObject to untrusted code.

public class SomeObject {
  public static synchronized void ChangeValue() { //changeValue Lockslocks on the class object's monitor
  public static synchronized void changeValue() { 
    // ...   
  }
}

// Untrusted code
synchronized (someObjectSomeObject.getClass(class)) {
  while (true) {
    Thread.sleep(Integer.MAX_VALUE); // Indefinitely delay someObject
  }
}

The untrusted code attempts to acquire a lock on the class object''s monitor and, upon succeeding, introduces an indefinite delay which that prevents the synchronized changeValue() method from acquiring the same lock.

A complete implementation of this noncompliant code example would compliant solution must also comply with CON32rule LCK05-J. Internally synchronize classes containing accessible mutable static fields. However, Synchronize access to static fields that can be modified by untrusted code.
In the untrusted code violates CON20, the attacker intentionally violates rule LCK09-J. Do not perform operations that may can block while holding a lock.

Compliant Solution (

...

Static)

Thread-safe public classes that both use intrinsic synchronization over the class object should and may interact with untrusted code must be refactored to use a static internal private final lock object and block synchronization.

public class SomeObject {
  private static final Object lock = new Object(); // private lock object

  public static void ChangeValuechangeValue() {
    synchronized (lock) { // Locks on the private Object
      // ...
    }
  }
}

In this compliant solution, if the method ChangeValuechangeValue() is called, the lock is obtained obtains a lock on a private static private Object that is inaccessible from to the caller.

Exceptions

EX1LCK00-J-EX0: A class may violate this guideline, if rule when all of the following conditions are met:

• it It sufficiently documents that callers must not pass objects of this class to untrusted code,.
• the The class does not cannot invoke methods, directly or indirectly, on objects of any untrusted classes that violate this guideline directly or indirectly,rule.
• The the synchronization policy of the class is documented properly documented. Classes that claim to support client-side locking should be used with care..

Clients are permitted to A client may use a class that violates this guideline, if rule when all of the following conditions are met:

• it does not not pass objects of this Neither the client class nor any other class in the system passes objects of the violating class to untrusted code by using suitable encapsulation.
• The violating class cannot invoke methods, directly or indirectly, from it does not use any untrusted classes that violate this guideline directly or indirectlyrule.

LCK00-J-EX1: When EX2: If a superclass of the class documents that it supports client-side locking and synchronizes on its class object, the class should also can support client-side locking in the same way and document this policy. If instead the superclass uses an internal private lock, the derived class should document its own locking policy.

LCK00-J-EX2: Package-private classes that are never exposed to untrusted code are exempt from this rule because their accessibility protects against untrusted callers. However, use of this exemption should be documented explicitly to ensure that trusted code within the same package neither reuses the lock object nor changes the lock object inadvertently.

Risk Assessment

Exposing the class lock object to untrusted code can result in denial-of-serviceDoS.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

\[[Bloch 01|AA. Java References#Bloch 01]\] Item 52: "Document Thread Safety"

Automated Detection

Related Guidelines

Bibliography

Image Added      Image Added      Image AddedCON03-J. Do not use background threads during class initialization      11. Concurrency (CON)      CON05-J. Do not invoke Thread.run()