Page History

public class SomeObject {

  // Locks on the object's monitor
  public synchronized void changeValue() { 
    // ...
  }
 
  public static SomeObject lookup(String name) {
    // ...
  }
}

// Untrusted code
String name = // ...
SomeObject someObject = SomeObject.lookup(name);
if (someObject == null) {
  // ... handle error
}
synchronized (someObject) {
  while (true) {
    // Indefinitely lock someObject
    Thread.sleep(Integer.MAX_VALUE); 
  }
}

public class SomeObject {
  public Object lock = new Object();

  public void changeValue() {
    synchronized (lock) {
      // ...
    }
  }
}

The {{synchronized}} keyword is used to acquire a mutual-exclusion lock so that no other thread can acquire the lock while it is being held by the executing thread. Recall that there are two ways to synchronize access to shared mutable variables, method synchronization and block synchronization.

A method declared as {{synchronized}} always uses the object's monitor (intrinsic lock) and so does code that synchronizes on the {{this}} reference using a synchronized block. Because this lock is available to any code that the object is available to, any code that can lock on the object can potentially cause a denial of service (DoS). An inappropriate synchronization policy can create a DoS vulnerability because another class whose member locks on the same object, can fail to release the lock promptly. However, this requires the victim class to be accessible from the offending class. Untrusted callers may purposely exploit this vulnerability to cause DoS. {mc} note that even trusted classes can leave the code vulnerable {mc}

The _private lock object_ idiom can be used to prevent this vulnerability. The idiom consists of a raw {{Object}} declared within the class as {{private}} and {{final}}. The object must be explicitly used for locking purposes in {{synchronized}} blocks, within the class's methods. This intrinsic lock is associated with the instance of the internal private object and not with the class itself. Consequently, there is no lock contention between this class's methods and methods of a hostile class. \[[Bloch 01|AA. Java References#Bloch 01]\] 

Static state has the same potential problem. If a static method is declared {{synchronized}}, the intrinsic lock of the Class object is acquired before executing the statements in its body, and released when the method completes. Any untrusted code that can access an object of the class, or a subclass, can use the {{getClass()}} method to gain access to the Class object. The private internal lock object idiom can be used to protect static data by declaring the lock as {{private}}, {{static}} and {{final}}. Reducing the accessibility of the class to package-private may offer some reprieve from untrusted callers when using strategies other than internal locking.

This idiom can also be suitably used by classes designed for inheritance. If a superclass thread requests a lock on the object's monitor, a subclass thread can interfere with its operation. For example, a subclass may use the superclass object's intrinsic lock for unrelated operations, causing significant increases in lock contention. Also, excessive use of the same lock frequently results in deadlocks. This idiom separates the locking strategy of the superclass from that of the subclass. It also permits fine-grained locking because multiple lock objects can then be used for seemingly unrelated operations. This increases the overall responsiveness of the application.

An object should use an internal private lock object rather than its own intrinsic lock unless the class can guarantee that untrusted code can not:
* Subclass the class or its superclass (trusted code is allowed to subclass the class)
* Create an object of the class (or its superclass, or subclass)
* Access or acquire an object instance of the class (or its superclass, or subclass)

If a superclass uses an internal private lock to synchronize shared data, subclasses must also use an internal private lock. However, if a class uses intrinsic synchronization over the class object without documenting its locking policy, subclasses may not use intrinsic synchronization over their own class object, unless they explicitly document their locking policy. If the superclass documents its policy by stating that client-side locking is supported, the subclasses have the option of choosing between intrinsic locking over the class object and an internal private lock. Regardless of what is chosen, subclasses must document their locking policy. Refer to the guideline [CON10-J. Do not override thread-safe methods with methods that are not thread-safe] for related information. 

If these restrictions are not met, the object's intrinsic lock is not trustworthy. If all conditions are satisfied, then the object gains no significant security from using a private internal lock object, and may synchronize using its own intrinsic lock. 


h2. Noncompliant Code Example (method synchronization)

This noncompliant code example exposes the object {{someObject}} to untrusted code. 

{code:bgColor=#FFCCCC}
public class SomeObject {
  publicprivate volatile synchronizedObject voidlock changeValue()= { // Locks on the object's monitor
new Object();

  public void changeValue() {
    synchronized (lock) {
      // ...
    }
  }
}

//  Untrustedpublic code
synchronizedvoid setLock(someObjectObject lockValue) {
  while (true) {
lock    Thread.sleep(Integer.MAX_VALUE); // Indefinitely delay someObject= lockValue;
  }
}
{code}

The untrusted code attempts to acquire a lock on the object's monitor and upon succeeding, introduces an indefinite delay which prevents the {{synchronized}} {{changeValue()}} method from acquiring the same lock. Note that the untrusted code also violates [CON20-J. Do not perform operations that may block while holding a lock].


h2. Noncompliant Code Example ({{public}} non-final lock object)

This noncompliant code example locks on a {{public}} non-final object in an attempt to use a lock that differs from {{SomeObject}}'s own intrinsic lock. 

{code:bgColor=#FFcccc}

public class SomeObject {
  public final Object lock = new Object();

  public void changeValue() {
    synchronized (lock) {
      // ...
    }
  }
}
{code}

However, it is possible for untrusted code to change the value of the lock object and foil all attempts to synchronize on the correct object.


h2. Noncompliant Code Example (publicly-accessible final lock object)

This noncompliant code example synchronizes on 

public class SomeObject {
  private final Object lock = new Object(); // private final lock objecta private but non-final field.

{code:bgColor=#FFcccc}
public class SomeObject {
  private volatile Object lock = new Object();

  public void changeValue() {
    synchronized (lock) {
 // Locks on the private // ...
Object
     }
 // }...

  public void setLock(Object lockValue) {
    lock = lockValue;
   }
  }
}
{code}

Any thread can modify the field's value to refer to some other object in the presence of an accessor such as {{setLock()}}. This might cause two threads that intend to lock on the same object to lock on different objects, enabling them to execute the two critical sections in an unsafe manner. For example, if one thread is in its critical section and the lock is changed, a second thread would lock on the new reference instead of the old one.


h2. Compliant Solution (private final internal lock object)

Thread-safe classes that use the intrinsic synchronization of their respective objects may be protected by using the _private lock object idiom_ and refactoring them to use block synchronization. In this compliant solution, if the method

public class SomeObject {
  //changeValue locks on the class object's monitor
  public static synchronized void changeValue() { 
    // ...
  }
}

// Untrusted code
synchronized (SomeObject.class) {
  while (true) {
    Thread.sleep(Integer.MAX_VALUE); // Indefinitely delay someObject
  }
}

public class SomeObject {
  private static {{changeValue()}} is called, the lock is obtained on a {{private final}} {{Object}} instance that is inaccessible from the caller. 

{code:bgColor=#ccccff}
public class SomeObject {
  private final Object lock = new Object(); // private lock object

  public static void changeValue() {
    synchronized (lock) { // Locks on the private Object
      // ...
    }
  }
}
{code}

A private final lock can only be used with block synchronization. Block synchronization is  preferred over method synchronization, because operations that do not require synchronization can be moved outside the synchronized region, reducing the overall execution time. Note that there is no need to declare {{lock}} as volatile because of the strong visibility semantics of final fields. Instead of using setter methods to change the lock, declare and use multiple internal lock objects to achieve the necessary fine-grained locking semantics. 


h2. Noncompliant Code Example (static)

This noncompliant code example exposes the class object of {{someObject}} to untrusted code. 

{code:bgColor=#FFCCCC}
public class SomeObject {
  public static synchronized void ChangeValue() { // Locks on the class object's monitor
    // ...   
  }
}

// Untrusted code
synchronized (someObject.getClass()) {
  while (true) {
    Thread.sleep(Integer.MAX_VALUE); // Indefinitely delay someObject
  }
}
{code}

The untrusted code attempts to acquire a lock on the class object's monitor and upon succeeding, introduces an indefinite delay which prevents the {{synchronized}} {{changeValue()}} method from acquiring the same lock. 

A complete implementation of this noncompliant code example would comply with [CON32-J. Internally synchronize classes containing accessible mutable static fields]. However, the untrusted code violates [CON20-J. Do not perform operations that may block while holding a lock]. 


h2. Compliant Solution (static)

Thread-safe classes that use intrinsic synchronization over the class object should be refactored to use a static private internal lock object and block synchronization. 

{code:bgColor=#ccccff}
public class SomeObject {
  private static final Object lock = new Object(); // private lock object

  public static void ChangeValue() {
    synchronized (lock) { // Locks on the private Object
      // ...
    }
  }
}
{code}

In this compliant solution, if the method {{ChangeValue()}} is called, the lock is obtained on a {{static}} {{private}} {{Object}} that is inaccessible from the caller. 


h2. Exceptions

*EX1:* A class may violate this guideline, if all the following conditions are met:

* it sufficiently documents that callers must not pass objects of this class to untrusted code,
* the class does not invoke methods on objects of any untrusted classes that violate this guideline directly or indirectly,
* the synchronization policy of the class is properly documented. Classes that claim to support client-side locking should be used with care.

A client may use a class that violates this guideline, if all the following conditions are met:
* it does not not pass objects of this class to untrusted code by using suitable encapsulation
* it does not use any untrusted classes that violate this guideline directly or indirectly

*EX2:* If a superclass of the class documents that it supports client-side locking and synchronizes on its class object, the class should also support client-side locking in the same way and document this policy. If instead the superclass uses an internal private lock, the derived class should document its own locking policy.


h2. Risk Assessment

Exposing the class object to untrusted code can result in denial-of-service.

|| Recommendation || Severity || Likelihood || Remediation Cost || Priority || Level ||
| CON04-J | low | probable | medium | {color:green}{*}P4{*}{color} | {color:green}{*}L3{*}{color} |


h3. Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the [CERT website|https://www.kb.cert.org/vulnotes/bymetric?searchview&query=FIELD+KEYWORDS+contains+CON03-J].

h2. References

\[[Bloch 01|AA. Java References#Bloch 01]\] Item 52: "Document Thread Safety"

----
[!The CERT Sun Microsystems Secure Coding Standard for Java^button_arrow_left.png!|CON03-J. Do not use background threads during class initialization]      [!The CERT Sun Microsystems Secure Coding Standard for Java^button_arrow_up.png!|11. Concurrency (CON)]      [!The CERT Sun Microsystems Secure Coding Standard for Java^button_arrow_right.png!|CON05-J. Do not invoke Thread.run()]