Methods that both can modify a static field and also can be invoked from untrusted code must synchronize access to the static field. Even when client-side locking is a specified requirement of the method, untrusted clients can fail to synchronize (whether inadvertently or maliciously). Because the static field is shared by all clients, untrusted clients may violate the contract by failing to provide suitable locking.
According to Joshua Bloch [[Bloch 2008]]
If a method modifies a static field, you must synchronize access to this field, even if the method is typically used only by a single thread. It is not possible for clients to perform external synchronization on such a method because there can be no guarantee that unrelated clients will do likewise.
Documented design intent is irrelevant when dealing with untrusted code because an attacker can always choose to ignore the documentation.
Noncompliant Code Example
This noncompliant code example fails to synchronize access to the static counter field.
/** This class is not thread-safe */
public final class CountHits {
private static int counter;
public void incrementCounter() {
counter++;
}
}
This class definition complies with rule VNA02-J. Ensure that compound operations on shared variables are atomic, which only applies to classes that promise thread-safety. However, this class has a mutable static counter field that is modified by the publicly accessible incrementCounter() method. Consequently, this class cannot be used securely by trusted client code, because untrusted code can purposely fail to externally synchronize access to the field.
Compliant Solution
This compliant solution uses a static private final lock to protect the counter field and, consequently, lacks any dependence on external synchronization. This solution also complies with rule LCK00-J. Use private final lock objects to synchronize classes that may interact with untrusted code.
/** This class is thread-safe */
public final class CountHits {
private static int counter;
private static final Object lock = new Object();
public void incrementCounter() {
synchronized (lock) {
counter++;
}
}
}
Risk Assessment
Failure to internally synchronize access to static fields that can be modified by untrusted code risks incorrect synchronization, because the author of the untrusted code can ignore the synchronization policy (whether inadvertently or maliciously).
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
LCK05-J |
low |
probable |
medium |
P4 |
L3 |
Related Guidelines
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="45a4b071-9428-4616-a52c-c912633c3e91"><ac:plain-text-body><![CDATA[ |
[[API 2006 |
AA. Bibliography#API 06]] |
|
]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="95ff62ea-953b-4aa7-a233-c528f0dbd9f5"><ac:plain-text-body><![CDATA[ |
[[Bloch 2008 |
AA. Bibliography#Bloch 08]] |
Item 67: "Avoid excessive synchronization" |
]]></ac:plain-text-body></ac:structured-macro> |