Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')ID: 362 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Class |
Description
The program contains a code sequence that can run concurrently
with other code, and the code sequence requires temporary, exclusive access to a
shared resource, but a timing window exists in which the shared resource can be
modified by another code sequence that is operating
concurrently.
Extended DescriptionThis can have security implications when the expected synchronization is
in security-critical code, such as recording whether a user is authenticated
or modifying important state information that should not be influenced by an
outsider.A race condition occurs within concurrent environments, and is effectively
a property of a code sequence. Depending on the context, a code sequence may
be in the form of a function call, a small number of instructions, a series
of program invocations, etc.A race condition violates these properties, which are closely
related:Exclusivity - the code sequence is given exclusive access to the
shared resource, i.e., no other code sequence can modify properties of
the shared resource before the original sequence has completed
execution.Atomicity - the code sequence is behaviorally atomic, i.e., no other
thread or process can concurrently execute the same sequence of
instructions (or a subset) against the same resource.A race condition exists when an "interfering code sequence" can still
access the shared resource, violating exclusivity. Programmers may assume
that certain code sequences execute too quickly to be affected by an
interfering code sequence; when they are not, this violates atomicity. For
example, the single "x++" statement may appear atomic at the code layer, but
it is actually non-atomic at the instruction layer, since it involves a read
(the original value of x), followed by a computation (x+1), followed by a
write (save the result to x).The interfering code sequence could be "trusted" or "untrusted." A trusted
interfering code sequence occurs within the program; it cannot be modified
by the attacker, and it can only be invoked indirectly. An untrusted
interfering code sequence can be authored directly by the attacker, and
typically it is external to the vulnerable program.
Likelihood of Exploit: Medium
Applicable PlatformsLanguage: CLanguage: SometimesLanguage: C++Language: SometimesLanguage: JavaLanguage: SometimesLanguage Class: Language-independentArchitectural Paradigm: OftenArchitectural Paradigm: Concurrent Systems Operating on Shared Resources
Time Of Introduction
- Architecture and Design
- Implementation
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes |
---|
Availability | DoS: resource consumption
(CPU)DoS: resource consumption
(memory)DoS: resource consumption
(other) | When a race condition makes it possible to bypass a resource cleanup
routine or trigger multiple initialization routines, it may lead to
resource exhaustion (CWE-400). |
Availability | DoS: crash / exit /
restartDoS: instability | When a race condition allows multiple control flows to access a
resource simultaneously, it might lead the program(s) into unexpected
states, possibly resulting in a crash. |
ConfidentialityIntegrity | Read files or
directoriesRead application
data | When a race condition is combined with predictable resource names and
loose permissions, it may be possible for an attacker to overwrite or
access confidential data (CWE-59). |
Detection Methods
Name | Description | Effectiveness | Notes |
---|
Black Box | Black box methods may be able to identify evidence of race conditions
via methods such as multiple simultaneous connections, which may cause
the software to become instable or crash. However, race conditions with
very narrow timing windows would not be detectable. | | |
White Box | Common idioms are detectable in white box analysis, such as
time-of-check-time-of-use (TOCTOU) file operations (CWE-367), or
double-checked locking (CWE-609). | | |
Automated Dynamic Analysis | This weakness can be detected using dynamic tools and techniques that
interact with the software using large test suites with many diverse
inputs, such as fuzz testing (fuzzing), robustness testing, and fault
injection. The software's operation may slow down, but it should not
become unstable, crash, or generate incorrect results.Race conditions may be detected with a stress-test by calling the
software simultaneously from a large number of threads or processes, and
look for evidence of any unexpected behavior.Insert breakpoints or delays in between relevant code statements to
artificially expand the race window so that it will be easier to
detect. | Moderate | |
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|
Architecture and Design | | In languages that support it, use synchronization primitives. Only
wrap these around critical code to minimize the impact on
performance. | | |
Architecture and Design | | Use thread-safe capabilities such as the data access abstraction in
Spring. | | |
Architecture and Design | | Minimize the usage of shared resources in order to remove as much
complexity as possible from the control flow and to reduce the
likelihood of unexpected conditions occurring.Additionally, this will minimize the amount of synchronization
necessary and may even help to reduce the likelihood of a denial of
service where an attacker may be able to repeatedly trigger a critical
section (CWE-400). | | |
Implementation | | When using multithreading and operating on shared variables, only use
thread-safe functions. | | |
Implementation | | Use atomic operations on shared variables. Be wary of innocent-looking
constructs such as "x++". This may appear atomic at the code layer, but
it is actually non-atomic at the instruction layer, since it involves a
read, followed by a computation, followed by a write. | | |
Implementation | | Use a mutex if available, but be sure to avoid related weaknesses such
as CWE-412. | | |
Implementation | | Avoid double-checked locking (CWE-609) and other implementation errors
that arise when trying to avoid the overhead of synchronization. | | |
Implementation | | Disable interrupts or signals over critical parts of the code, but
also make sure that the code does not go into a large or infinite
loop. | | |
Implementation | | Use the volatile type modifier for critical variables to avoid
unexpected compiler optimization or reordering. This does not
necessarily solve the synchronization problem, but it can help. | | |
Architecture and DesignOperation | Environment Hardening | Run your code using the lowest privileges that are required to
accomplish the necessary tasks [R.362.11]. If possible, create isolated
accounts with limited privileges that are only used for a single task.
That way, a successful attack will not immediately give the attacker
access to the rest of the software or its environment. For example,
database applications rarely need to run as the database administrator,
especially in day-to-day operations. | | |
Relationships
Related CWE | Type | View | Chain |
---|
CWE-362 ChildOf CWE-894 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following function attempts to acquire a lock in order to
perform operations on a shared resource. (Demonstrative Example Id DX-24)
- This code could be used in an e-commerce application that supports
transfers between accounts. It takes the total amount of the transfer, sends
it to the new account, and deducts the amount from the original
account.
Observed Examples
- CVE-2008-5044 : Race condition leading to a crash by calling a hook removal procedure while other activities are occurring at the same time.
- CVE-2008-2958 : chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks.
- CVE-2008-1570 : chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks.
- CVE-2008-0058 : Unsynchronized caching operation enables a race condition that causes messages to be sent to a deallocated object.
- CVE-2008-0379 : Race condition during initialization triggers a buffer overflow.
- CVE-2007-6599 : Daemon crash by quickly performing operations and undoing them, which eventually leads to an operation that does not acquire a lock.
- CVE-2007-6180 : chain: race condition triggers NULL pointer dereference
- CVE-2007-5794 : Race condition in library function could cause data to be sent to the wrong process.
- CVE-2007-3970 : Race condition in file parser leads to heap corruption.
- CVE-2008-5021 : chain: race condition allows attacker to access an object while it is still being initialized, causing software to access uninitialized memory.
- CVE-2009-4895 : chain: race condition for an argument value, possibly resulting in NULL dereference
- CVE-2009-3547 : chain: race condition might allow resource to be released before operating on it, leading to NULL dereference
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
Taxynomy | Id | Name | Fit |
---|
PLOVER | | Race Conditions | |
CERT C Secure Coding | FIO31-C | Do not simultaneously open the same file multiple
times | |
CERT Java Secure Coding | VNA03-J | Do not assume that a group of calls to independently atomic
methods is atomic | |
CERT C++ Secure Coding | FIO31-CPP | Do not simultaneously open the same file multiple
times | |
CERT C++ Secure Coding | CON02-CPP | Use lock classes for mutex management | |
References:
- Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 13: Race Conditions." Page 205'. Published on 2010.
- Andrei Alexandrescu .volatile - Multithreaded Programmer's Best
Friend. Dr. Dobb's. 2008-02-01.
- Steven Devijver .Thread-safe webapps using Spring.
- David Wheeler .Prevent race conditions. 2007-10-04.
- Matt Bishop .Race Conditions, Files, and Security Flaws; or the Tortoise and
the Hare Redux. Published on September 1995.
- David Wheeler .Secure Programming for Linux and Unix HOWTO. 2003-03-03.
- Blake Watts .Discovering and Exploiting Named Pipe Security Flaws for Fun
and Profit. Published on April 2002.
- Roberto Paleari Davide Marrone Danilo Bruschi Mattia Monga .On Race Vulnerabilities in Web Applications.
- .Avoiding Race Conditions and Insecure File
Operations. Apple Developer Connection.
- Johannes Ullrich .Top 25 Series - Rank 25 - Race Conditions. SANS Software Security Institute. 2010-03-26.
- Sean Barnum Michael Gegick .Least Privilege. Published on 2005-09-14.