[Forgot Password]
Login  Register Subscribe

23631

 
 

122183

 
 

98060

 
 

909

 
 

79198

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

ID: 362Date: (C)2012-05-14   (M)2017-12-05
Type: weaknessStatus: DRAFT
Abstraction Type: Class





Description

The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

Extended Description

This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider.

A race condition occurs within concurrent environments, and is effectively a property of a code sequence. Depending on the context, a code sequence may be in the form of a function call, a small number of instructions, a series of program invocations, etc.

A race condition violates these properties, which are closely related:

Exclusivity - the code sequence is given exclusive access to the shared resource, i.e., no other code sequence can modify properties of the shared resource before the original sequence has completed execution.

Atomicity - the code sequence is behaviorally atomic, i.e., no other thread or process can concurrently execute the same sequence of instructions (or a subset) against the same resource.

A race condition exists when an "interfering code sequence" can still access the shared resource, violating exclusivity. Programmers may assume that certain code sequences execute too quickly to be affected by an interfering code sequence; when they are not, this violates atomicity. For example, the single "x++" statement may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read (the original value of x), followed by a computation (x+1), followed by a write (save the result to x).

The interfering code sequence could be "trusted" or "untrusted." A trusted interfering code sequence occurs within the program; it cannot be modified by the attacker, and it can only be invoked indirectly. An untrusted interfering code sequence can be authored directly by the attacker, and typically it is external to the vulnerable program.

Likelihood of Exploit: Medium

Applicable Platforms
Language: C
Language: Sometimes
Language: C++
Language: Sometimes
Language: Java
Language: Sometimes
Language Class: Language-independent
Architectural Paradigm: Often
Architectural Paradigm: Concurrent Systems Operating on Shared Resources

Time Of Introduction

  • Architecture and Design
  • Implementation

Related Attack Patterns

Common Consequences

ScopeTechnical ImpactNotes
Availability
 
DoS: resource consumption (CPU)
DoS: resource consumption (memory)
DoS: resource consumption (other)
 
When a race condition makes it possible to bypass a resource cleanup routine or trigger multiple initialization routines, it may lead to resource exhaustion (CWE-400).
 
Availability
 
DoS: crash / exit / restart
DoS: instability
 
When a race condition allows multiple control flows to access a resource simultaneously, it might lead the program(s) into unexpected states, possibly resulting in a crash.
 
Confidentiality
Integrity
 
Read files or directories
Read application data
 
When a race condition is combined with predictable resource names and loose permissions, it may be possible for an attacker to overwrite or access confidential data (CWE-59).
 

Detection Methods

NameDescriptionEffectivenessNotes
Black Box
 
Black box methods may be able to identify evidence of race conditions via methods such as multiple simultaneous connections, which may cause the software to become instable or crash. However, race conditions with very narrow timing windows would not be detectable.
 
  
White Box
 
Common idioms are detectable in white box analysis, such as time-of-check-time-of-use (TOCTOU) file operations (CWE-367), or double-checked locking (CWE-609).
 
  
Automated Dynamic Analysis
 
This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Race conditions may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior.
Insert breakpoints or delays in between relevant code statements to artificially expand the race window so that it will be easier to detect.
 
Moderate
 
 

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Architecture and Design
 
 In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
 
  
Architecture and Design
 
 Use thread-safe capabilities such as the data access abstraction in Spring.
 
  
Architecture and Design
 
 Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
 
  
Implementation
 
 When using multithreading and operating on shared variables, only use thread-safe functions.
 
  
Implementation
 
 Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.
 
  
Implementation
 
 Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.
 
  
Implementation
 
 Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.
 
  
Implementation
 
 Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.
 
  
Implementation
 
 Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.
 
  
Architecture and Design
Operation
 
Environment Hardening
 
Run your code using the lowest privileges that are required to accomplish the necessary tasks [R.362.11]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
 
  

Relationships

Related CWETypeViewChain
CWE-362 ChildOf CWE-894 Category CWE-888  

Demonstrative Examples   (Details)

  1. The following function attempts to acquire a lock in order to perform operations on a shared resource. (Demonstrative Example Id DX-24)
  2. This code could be used in an e-commerce application that supports transfers between accounts. It takes the total amount of the transfer, sends it to the new account, and deducts the amount from the original account.

Observed Examples

  1. CVE-2008-5044 : Race condition leading to a crash by calling a hook removal procedure while other activities are occurring at the same time.
  2. CVE-2008-2958 : chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks.
  3. CVE-2008-1570 : chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks.
  4. CVE-2008-0058 : Unsynchronized caching operation enables a race condition that causes messages to be sent to a deallocated object.
  5. CVE-2008-0379 : Race condition during initialization triggers a buffer overflow.
  6. CVE-2007-6599 : Daemon crash by quickly performing operations and undoing them, which eventually leads to an operation that does not acquire a lock.
  7. CVE-2007-6180 : chain: race condition triggers NULL pointer dereference
  8. CVE-2007-5794 : Race condition in library function could cause data to be sent to the wrong process.
  9. CVE-2007-3970 : Race condition in file parser leads to heap corruption.
  10. CVE-2008-5021 : chain: race condition allows attacker to access an object while it is still being initialized, causing software to access uninitialized memory.
  11. CVE-2009-4895 : chain: race condition for an argument value, possibly resulting in NULL dereference
  12. CVE-2009-3547 : chain: race condition might allow resource to be released before operating on it, leading to NULL dereference

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
PLOVER  Race Conditions
 
 
CERT C Secure Coding FIO31-C
 
Do not simultaneously open the same file multiple times
 
 
CERT Java Secure Coding VNA03-J
 
Do not assume that a group of calls to independently atomic methods is atomic
 
 
CERT C++ Secure Coding FIO31-CPP
 
Do not simultaneously open the same file multiple times
 
 
CERT C++ Secure Coding CON02-CPP
 
Use lock classes for mutex management
 
 

References:

  1. Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 13: Race Conditions." Page 205'. Published on 2010.
  2. Andrei Alexandrescu .volatile - Multithreaded Programmer's Best Friend. Dr. Dobb's. 2008-02-01.
  3. Steven Devijver .Thread-safe webapps using Spring.
  4. David Wheeler .Prevent race conditions. 2007-10-04.
  5. Matt Bishop .Race Conditions, Files, and Security Flaws; or the Tortoise and the Hare Redux. Published on September 1995.
  6. David Wheeler .Secure Programming for Linux and Unix HOWTO. 2003-03-03.
  7. Blake Watts .Discovering and Exploiting Named Pipe Security Flaws for Fun and Profit. Published on April 2002.
  8. Roberto Paleari Davide Marrone Danilo Bruschi Mattia Monga .On Race Vulnerabilities in Web Applications.
  9. .Avoiding Race Conditions and Insecure File Operations. Apple Developer Connection.
  10. Johannes Ullrich .Top 25 Series - Rank 25 - Race Conditions. SANS Software Security Institute. 2010-03-26.
  11. Sean Barnum Michael Gegick .Least Privilege. Published on 2005-09-14.
CVE    194
CVE-2003-1562
CVE-2005-4883
CVE-2006-4801
CVE-2007-2654
...

© 2013 SecPod Technologies