When multiple threads can read or modify the same data, use synchronization techniques to avoid software flaws that can lead to security vulnerabilities. Concurrency problems can often result in abnormal termination or denial of service, but it is possible for them to result in more serious vulnerabilities.
Noncompliant Code Example
Assume this simplified code is part of a multithreaded bank system. Threads call credit() and debit() as money is deposited into and withdrawn from the single account. Because the addition and subtraction operations are not atomic, it is possible that two operations can occur concurrently, but only the result of one would be saved. This despite declaring the account_balance volatile. For example, an attacker can credit the account with a sum of money and make a large number of small debits concurrently. Some of the debits might not affect the account balance because of the race condition, so the attacker is effectively creating money.
static volatile int account_balance;
void debit(int amount) {
account_balance -= amount;
}
void credit(int amount) {
account_balance += amount;
}
Compliant Solution (mutex)
This compliant solution uses a mutex to make credits and debits atomic operations. All credits and debits will now affect the account balance, so an attacker cannot exploit the race condition to steal money from the bank. The mutex is created with the mtx_init() function. Note that the presence of the mutex makes declaring account_balance volatile unnecssary.
#include <threads.h>
static int account_balance;
static mtx_t account_lock;
if(mtx_init(&account_lock, mtx_plain) == thrd_error)
/* handle error */
/* ... */
int debit(int amount) {
if (mtx_lock(&account_lock) == thrd_error)
return -1; /* indicate error to caller */
account_balance -= amount;
if (mtx_unlock(&account_lock) == thrd_error)
return -1; /* indicate error to caller */
return 0; /* indicate success */
}
int credit(int amount) {
if (mtx_lock(&account_lock) == thrd_error)
return -1; /* indicate error to caller */
account_balance += amount;
if (mtx_unlock(&account_lock) == thrd_error)
return -1; /* indicate error to caller */
return 0; /* indicate success */
}
Compliant Solution (atomic)
This compliant solution uses a atomic variable to synchronize credit and debit operations. All credits and debits will now affect the account balance, so an attacker cannot exploit the race condition to steal money from the bank. The atomic integer is created with the atomic_init() function.
#include <stdatomic.h>
atomic_int account_balance;
/* Initialize account_balance */
void debit(int amount) {
atomic_fetch_sub(account_balance, amount);
}
void credit(int amount) {
atomic_fetch_add(account_balance, amount);
}
Risk Assessment
Race conditions caused by multiple threads concurrently accessing and modifying the same data can lead to abnormal termination and denial-of-service attacks or data integrity violations.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
CON00-C | medium | probable | high | P4 | L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
MITRE CWE: CWE-366, "Race Condition within a Thread"
Bibliography
[Dowd 2006] Chapter 13, "Synchronization and State"
[Seacord 2005a] Chapter 7, "File I/O"