Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

There are two ways to synchronize access to shared mutable variables: method synchronization and block synchronization. Methods declared as synchronized and blocks that synchronize on the this reference both use the object as a monitor (that is, its intrinsic lock). An attacker can manipulate the system to trigger contention and deadlock by obtaining and indefinitely holding the intrinsic lock of an accessible class, consequently causing a denial of service (DoS).

One technique for preventing this vulnerability is the private lock object idiom [Bloch 2001]. This idiom uses the intrinsic lock associated with the instance of a private final java.lang.Object declared within the class instead of the intrinsic lock of the object itself. This idiom requires the use of synchronized blocks within the class's methods rather than the use of synchronized methods. Lock contention between the class's methods and those of a hostile class becomes impossible because the hostile class cannot access the private final lock object.

Static methods and state also share this vulnerability. When a static method is declared synchronized, it acquires the intrinsic lock of the class object before any statements in its body are executed, and it releases the intrinsic lock when the method completes. Untrusted code that has access to an object of the class, or of a subclass, can use the getClass() method to gain access to the class object and consequently manipulate the class object's intrinsic lock. Protect static data by locking on a private static final Object. Reducing the accessibility of the class to package-private provides further protection against untrusted callers.

The private lock object idiom is also suitable for classes that are designed for inheritance. When a superclass requests a lock on the object's monitor, a subclass can interfere with its operation. For example, a subclass may use the superclass object's intrinsic lock for performing unrelated operations, causing lock contention and deadlock. Separating the locking strategy of the superclass from that of the subclass ensures that they do not share a common lock and also permits fine-grained locking by supporting the use of multiple lock objects for unrelated operations. This increases the overall responsiveness of the application.

Objects that require synchronization must use the private lock object idiom rather than their own intrinsic lock in any case where untrusted code could:

  • Subclass the class.
  • Create an object of the class or of a subclass.
  • Access or acquire an object instance of the class or of a subclass.

Subclasses whose superclasses use the private lock object idiom must themselves use the idiom. However, when a class uses intrinsic synchronization on the class object without documenting its locking policy, subclasses must not use intrinsic synchronization on their own class object. When the superclass documents its policy by stating that client-side locking is supported, the subclasses have the option to choose between intrinsic locking and using the private lock object idiom. Subclasses must document their locking policy regardless of which locking option is chosen. See rule TSM00-J. Do not override thread-safe methods with methods that are not thread-safe for related information.

When any of these restrictions are violated, the object's intrinsic lock cannot be trusted. But when these restrictions are obeyed, the private lock object idiom fails to add any additional security. Consequently, objects that comply with all of the restrictions are permitted to synchronize using their own intrinsic lock. However, block synchronization using the private lock object idiom is superior to method synchronization for methods that contain nonatomic operations that could either use a more fine-grained locking scheme involving multiple private final lock objects or that lack a requirement for synchronization. Nonatomic operations can be decoupled from those that require synchronization and can be executed outside the synchronized block. Both for this reason and for simplification of maintenance, block synchronization using the private lock object idiom is generally preferred over intrinsic synchronization.

Noncompliant Code Example (Method Synchronization)

This noncompliant code example exposes instances of the SomeObject class to untrusted code.

Code Block
bgColor#FFCCCC
public class SomeObject {

  // Locks on the object's monitor
  public synchronized void changeValue() { 
    // ...
  }
 
  public static SomeObject lookup(String name) {
    // ...
  }
}

// Untrusted code
String name = // ...
SomeObject someObject = SomeObject.lookup(name);
if (someObject == null) {
  // ... handle error
}
synchronized (someObject) {
  while (true) {
    // Indefinitely lock someObject
    Thread.sleep(Integer.MAX_VALUE); 
  }
}

The untrusted code attempts to acquire a lock on the object's monitor and, upon succeeding, introduces an indefinite delay that prevents the synchronized changeValue() method from acquiring the same lock. Furthermore, the object locked is publicly available via the lookup() method.

Alternatively, an attacker could create a private SomeObject object and make it available to trusted code to use it before the attacker code grabs and holds the lock.

Note that in the untrusted code, the attacker intentionally violates rule LCK09-J. Do not perform operations that can block while holding a lock.

Noncompliant Code Example (Public Non-final Lock Object)

This noncompliant code example locks on a public nonfinal object in an attempt to use a lock other than {{SomeObject}}'s intrinsic lock.

Code Block
bgColor#FFcccc
public class SomeObject {
  public Object lock = new Object();

  public void changeValue() {
    synchronized (lock) {
      // ...
    }
  }
}

This change fails to protect against malicious code. For example, untrusted or malicious code could disrupt proper synchronization by changing the value of the lock object.

Noncompliant Code Example (Publicly Accessible Non-final Lock Object)

This noncompliant code example synchronizes on a publicly accessible but nonfinal field. The lock field is declared volatile so that changes are visible to other threads.

Code Block
bgColor#FFcccc
public class SomeObject {
  private volatile Object lock = new Object();

  public void changeValue() {
    synchronized (lock) {
      // ...
    }
  }

  public void setLock(Object lockValue) {
    lock = lockValue;
  }
}

Any thread can modify the field's value to refer to a different object in the presence of an accessor such as setLock(). That modification might cause two threads that intend to lock on the same object to lock on different objects, thereby permitting them to execute two critical sections in an unsafe manner. For example, if the lock were changed when one thread was in its critical section, a second thread would lock on the new object instead of the old one and would enter its critical section erroneously.

A class that lacks accessible methods to change the lock is secure against untrusted manipulation. However, it remains susceptible to inadvertent modification by the programmer.

Noncompliant Code Example (Public Final Lock Object)

This noncompliant code example uses a public final lock object.

Code Block
bgColor#FFcccc
public class SomeObject {
  public final Object lock = new Object();

  public void changeValue() {
    synchronized (lock) {
      // ...
    }
  }
}

This noncompliant code example also violates rule OBJ01-J. Limit accessibility of fields.

Compliant Solution (Private Final Lock Object)

Thread-safe public classes that may interact with untrusted code must use a private final lock object. Existing classes that use intrinsic synchronization must be refactored to use block synchronization on such an object. In this compliant solution, calling changeValue() obtains a lock on a private final Object instance that is inaccessible to callers that are outside the class's scope.

Code Block
bgColor#ccccff
public class SomeObject {
  private final Object lock = new Object(); // private final lock object

  public void changeValue() {
    synchronized (lock

The synchronized keyword is used to acquire a mutual-exclusion lock so that no other thread can acquire the lock, while it is being held by the executing thread. The synchronized keyword always uses the object's intrinsic 'monitor' lock. This lock is available to any code that the object itself is available to; consequently any code can lock on the object, and potentially cause a denial of service.

Recall that there are two ways to synchronize access to shared mutable variables, method synchronization and block synchronization. Excessive synchronization can induce a denial of service (DoS) vulnerability because another class whose member locks on the class object, can fail to release the lock promptly. However, this requires the victim class to be accessible from the hostile class.

Wiki Markup
The _private lock object_ idiom can be used to prevent the DoS vulnerability. The idiom consists of a {{private}} object declared as an instance field. The {{private}} object must be explicitly used for locking purposes in {{synchronized}} blocks, within the class's methods. This lock object belongs to an instance of the object and is not associated with the class object itself. Consequently, there is no lock contention between a class method and a method of a hostile class when both try to lock on the class object. \[[Bloch 01|AA. Java References#Bloch 01]\]  

This idiom can also be suitably used by classes designed for inheritance. If a superclass thread requests a lock on the class object's monitor, a subclass thread can interfere with its operation. Refer to the guideline CON02-J. Always synchronize on the appropriate object for more details.

An object should use a private lock rather than its intrinsic lock. An object should rely on its intrinsic lock only if all of the following conditions are met:

  • The object's class is package-private.
  • No objects of that class (or a subclass) ever escape its package.
  • None of the object's superclasses use synchronization at all.

If any of these conditions are violated, the object's intrinsic lock is not trustworthy. If all conditions are satisfied, then the object gains no security from using a private internal lock, and so it may rely on its intrinsic lock.

Noncompliant Code Example

This noncompliant code example exposes the class object someObject to untrusted code. The untrusted code attempts to acquire a lock on the class object's monitor and upon succeeding, introduces an indefinite delay which holds up the synchronized changeValue() method from acquiring the same lock. Note that the untrusted code also violates CON06-J. Do not defer a thread that is holding a lock.

Code Block
bgColor#FFCCCC

public class SomeObject {
  public synchronized void changeValue() { // Locks on the private Object
      // ...
    }
  }
}

A private final lock object can be used only with block synchronization. Block synchronization is preferred over method synchronization because operations without a requirement for synchronization can be moved outside the synchronized region, reducing lock contention and blocking. Note that it is unnecessary to declare the lock field volatile because of the strong visibility semantics of final fields. When granularity issues require the use of multiple locks, declare and use multiple private final lock objects to satisfy the granularity requirements rather than using a mutable reference to a lock object along with a setter method.

Noncompliant Code Example (Static)

This noncompliant code example exposes the class object of SomeObject to untrusted code.

Code Block
bgColor#FFCCCC
public class SomeObject {
  //changeValue locks on the class object's monitor
  public static synchronized void changeValue() { 
    // ...   
  }
}

// Untrusted code
synchronized (someObjectSomeObject.class) {
  while (true) {
    Thread.sleep(Integer.MAX_VALUE); // Indefinitely delay someObject
  }
}

The untrusted code attempts to acquire a lock on the class object''s monitor and, upon succeeding, introduces an indefinite delay that prevents the synchronized changeValue() method from acquiring the same lock.

A compliant solution must also comply with rule LCK05-J. Synchronize access to static fields that can be modified by untrusted code.
In the untrusted code, the attacker intentionally violates rule LCK09-J. Do not perform operations that can block while holding a lock.

Compliant Solution (Static)

Thread-safe public classes that both use intrinsic synchronization of over the class object and may be protected by using the private lock object idiom and adapting them to use block synchronization. In this compliant solution, if the method changeValue() is called, the lock is obtained on a private Object that is inaccessible from the callerinteract with untrusted code must be refactored to use a static private final lock object and block synchronization.

Code Block
bgColor#ccccff

public class SomeObject {
  private static final Object lock = new Object(); // private lock object

  public static void changeValue() {
    synchronized (lock) { // Locks on the private Object
      // ...
    }
  }
}

For more details on using the private Object lock refer to CON02-J. Always synchronize on the appropriate object. There is some performance impact associated with using block synchronization instead of method synchronization but the difference is usually negligible. In the presence of statements that do not require synchronization amongst those that do, block synchronization tends to be a better performer.

In this compliant solution, changeValue() obtains a lock on a private static Object that is inaccessible to the caller.

Exceptions

LCK00-J-EX0: A class may violate this rule when all of the following conditions are met:

  • It sufficiently documents that callers must not pass objects of this class to untrusted code.
  • The class cannot invoke methods, directly or indirectly, on objects of any untrusted classes that violate this rule.
  • The synchronization policy of the class is documented properly.

Clients are permitted to use a class that violates this rule when all of the following conditions are met:

  • Neither the client class nor any other class in the system passes objects of the violating class to untrusted code.
  • The violating class cannot invoke methods, directly or indirectly, from untrusted classes that violate this rule.

LCK00-J-EX1: When a superclass of the class documents that it supports client-side locking and synchronizes on its class object, the class can support client-side locking in the same way and document this policy.

LCK00-J-EX2: Package-private classes that are never exposed to untrusted code are exempt from this rule because their accessibility protects against untrusted callers. However, use of this exemption should be documented explicitly to ensure that trusted code within the same package neither reuses the lock object nor changes the lock object inadvertentlyUsing a private lock may only be achieved with block synchronization, as method synchronization always uses the object's intrinsic lock. However, block synchronization is also preferred over method synchronization, because it is easy to move operations out of the synchronized block when they might take a long time and they are not truly a critical section.

Risk Assessment

Exposing the class lock object to untrusted code can result in denial-of-serviceDoS.

Recommendation

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

CON04

LCK00-J

low

probable

medium

P4

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[Bloch 01|AA. Java References#Bloch 01]\] Item 52: "Document Thread Safety"

Automated Detection

ToolVersionCheckerDescription
The Checker Framework

Include Page
The Checker Framework_V
The Checker Framework_V

Lock CheckerConcurrency and lock errors (see Chapter 6)
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.CONCURRENCY.LOCK.ISTR

Synchronization on Interned String (Java)

Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.LCK00.SOPFDo not synchronize on "public" fields since doing so may cause deadlocks
SonarQube
Include Page
SonarQube_V
SonarQube_V
S2445

Related Guidelines

MITRE CWE

CWE-412. Unrestricted externally accessible lock


CWE-413. Improper resource locking

Bibliography

[Bloch 2001]

Item 52. Document Thread Safety


Image Added      Image Added      Image AddedCON03-J. Do not use background threads during class initialization      11. Concurrency (CON)      CON05-J. Ensure that threads do not fail during activation