The synchronized
keyword is used to acquire a mutual-exclusion lock so that no other thread can acquire the lock, while it is being held by the executing thread. The synchronized
keyword always uses the object's intrinsic 'monitor' lock. This lock is available to any code that the object itself is available to; consequently any code can lock on the object, and potentially cause a denial of service.
Recall that there are two ways to synchronize access to shared mutable variables, method synchronization and block synchronization. Excessive synchronization can induce a denial of service (DoS) vulnerability because another class whose member locks on the object, can fail to release the lock promptly. However, this requires the victim class to be accessible from the hostile class.
The private lock object idiom can be used to prevent the DoS vulnerability. The idiom consists of a private
object declared as an instance field. The private
object must be explicitly used for locking purposes in synchronized
blocks, within the class's methods. This lock object belongs to an instance of the object and is not associated with the class itself. Consequently, there is no lock contention between a class method and a method of a hostile class when both try to lock on the object. [[Bloch 01]]
This idiom can also be suitably used by classes designed for inheritance. If a superclass thread requests a lock on the object's monitor, a subclass thread can interfere with its operation.
An object should use a private internal lock object rather than its own intrinsic lock unless the class can guarantee that untrusted code may not:
- Subclass the class (However, trusted code may subclass the class.)
- Create an object of the class (or a subclass)
- Access an object of the class (or a subclass)
Furthermore, the class must also ensure that no superclasses it inherits from use synchronization at all.
If these restrictions are not met, the object's intrinsic lock is not trustworthy. If all conditions are satisfied, then the object gains no significant security from using a private internal lock object, and may synchronize using its own intrinsic lock.
Likewise, if a static method has the synchronized
keyword, the intrinsic lock of the Class object is obtained, and released when the method completes. The same restrictions listed above apply to static methods, since any untrusted code that can access an object of the class, or a subclass, can use the getClass()
method to obtain access to the Class object. Furthermore, hostile code must not be able to access the Class object at all. This could be accomplished, for instance, by making the class package-private.
This guideline is an extension of CON02-J. Always synchronize on the appropriate object and is fully compliant with it. It recommends block synchronization using an internal private lock object instead of synchronizing on the this
reference of the class object.
Noncompliant Code Example
This noncompliant code example exposes the object someObject
to untrusted code.
public class SomeObject { public synchronized void changeValue() { // Locks on the object's monitor // ... } } // Untrusted code synchronized (someObject) { while (true) { Thread.sleep(Integer.MAX_VALUE); // Indefinitely delay someObject } }
The untrusted code attempts to acquire a lock on the object's monitor and upon succeeding, introduces an indefinite delay which holds up the synchronized
changeValue()
method from acquiring the same lock. Note that the untrusted code also violates CON20-J. Do not perform operations that may block while holding a lock.
Compliant Solution
Thread-safe classes that use intrinsic synchronization of the object may be protected by using the private lock object idiom and adapting them to use block synchronization. In this compliant solution, if the method changeValue()
is called, the lock is obtained on a private
Object
that is inaccessible from the caller.
public class SomeObject { private final Object lock = new Object(); // private lock object public void changeValue() { synchronized (lock) { // Locks on the private Object // ... } } }
Using a private lock may only be achieved with block synchronization. Block synchronization is preferred over method synchronization, because operations that do not require synchronization can be moved outside the synchronized region which reduces the overall execution time.
Noncompliant Code Example
This noncompliant code example exposes the class object of someObject
to untrusted code.
public class SomeObject { public static synchronized void ChangeValue() { // Locks on the class object's monitor // ... } } // Untrusted code synchronized (someObject.getClass()) { while (true) { Thread.sleep(Integer.MAX_VALUE); // Indefinitely delay someObject } }
The untrusted code attempts to acquire a lock on the class object's monitor and upon succeeding, introduces an indefinite delay which holds up the synchronized
changeValue()
method from acquiring the same lock. Note that the untrusted code also violates CON20-J. Do not perform operations that may block while holding a lock.
Compliant Solution
Thread-safe classes that use intrinsic synchronization of the class object may be protected by using a static private lock object andblock synchronization.
public class SomeObject { private static final Object lock = new Object(); // private lock object public static void ChangeValue() { synchronized (lock) { // Locks on the private Object // ... } } }
In this compliant solution, if the method ChangeValue()
is called, the lock is obtained on a static
private
Object
that is inaccessible from the caller.
Using a private lock may only be achieved with block synchronization, as static method synchronization always uses the intrinsic lock of the object's class. However, block synchronization is also preferred over method synchronization, because it is easy to move operations out of the synchronized block when they might take a long time and they are not truly a critical section.
Exceptions
EX1: A class may violate this guideline, if all the following conditions are met:
- it sufficiently documents that callers must not pass objects of this class to untrusted code,
- trusted callers do not use any untrusted classes that violate this guideline directly or indirectly,
- the synchronization policy of the class is properly documented
Risk Assessment
Exposing the class object to untrusted code can result in denial-of-service.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
CON04-J |
low |
probable |
medium |
P4 |
L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[Bloch 01]] Item 52: "Document Thread Safety"
CON03-J. Do not use background threads during class initialization 11. Concurrency (CON) CON05-J. Ensure that threads are started properly