Race Condition |
Weakness ID: 362 (Weakness Class) | Status: Draft |
Description Summary
Extended Description
This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated, or modifying important state information that should not be influenced by an outsider.
Architectural Paradigms
Concurrent Systems Operating on Shared Resources: (Often)
Scope | Effect |
---|---|
Availability | When a race condition makes it possible to bypass a resource cleanup routine or trigger multiple initialization routines, it may lead to resource exhaustion (CWE-400). |
Availability | When a race condition allows multiple control flows to access a resource simultaneously, it might lead the program(s) into unexpected states, possibly resulting in a crash. |
Confidentiality Integrity | When a race condition is combined with predictable resource names and loose permissions, it may be possible for an attacker to overwrite or access confidential data (CWE-59). |
Black Box Black box methods may be able to identify evidence of race conditions via methods such as multiple simultaneous connections, which may cause the software to become instable or crash. However, race conditions with very narrow timing windows would not be detectable. |
White Box Common idioms are detectable in white box analysis, such as time-of-check-time-of-use (TOCTOU) file operations (CWE-367), or double-checked locking (CWE-609). |
Example 1
This code could be used in an e-commerce application that supports transfers between accounts. It takes the total amount of the transfer, sends it to the new account, and deducts the amount from the original account.
A race condition could occur between the calls to GetBalanceFromDatabase() and SendNewBalanceToDatabase().
Suppose the same user can invoke this program multiple times simultaneously, such as by making multiple requests in a web application. An attack could be constructed as follows:
Suppose the balance is initially 100.00.
The attacker makes two simultaneous calls of the program, CALLER-1 and CALLER-2. Both callers are for the same user account.
CALLER-1 (the attacker) is associated with PROGRAM-1 (the instance that handles CALLER-1). CALLER-2 is associated with PROGRAM-2.
CALLER-1 makes a transfer request of 80.00.
PROGRAM-1 calls GetBalanceFromDatabase and sets $balance to 100.00
PROGRAM-1 calculates $newbalance as 20.00, then calls SendNewBalanceToDatabase().
Due to high server load, the PROGRAM-1 call to SendNewBalanceToDatabase() encounters a delay.
CALLER-2 makes a transfer request of 1.00.
PROGRAM-2 calls GetBalanceFromDatabase() and sets $balance to 100.00. This happens because the previous PROGRAM-1 request was not processed yet.
PROGRAM-2 determines the new balance as 99.00.
After the initial delay, PROGRAM-1 commits its balance to the database, setting it to 20.00.
PROGRAM-2 sends a request to update the database, setting the balance to 99.00
At this stage, the attacker should have a balance of 19.00 (due to 81.00 worth of transfers), but the balance is 99.00, as recorded in the database.
To prevent this weakness, the programmer has several options, including using a lock to prevent multiple simultaneous requests to the web application, or using a synchronization mechanism that includes all the code between GetBalanceFromDatabase() and SendNewBalanceToDatabase().
Reference | Description |
---|---|
CVE-2008-5044 | Race condition leading to a crash by calling a hook removal procedure while other activities are occurring at the same time. |
CVE-2008-2958 | chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks. |
CVE-2008-1570 | chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks. |
CVE-2008-0058 | Unsynchronized caching operation enables a race condition that causes messages to be sent to a deallocated object. |
CVE-2008-0379 | Race condition during initialization triggers a buffer overflow. |
CVE-2007-6599 | Daemon crash by quickly performing operations and undoing them, which eventually leads to an operation that does not acquire a lock. |
CVE-2007-6180 | chain: race condition triggers NULL pointer dereference |
CVE-2007-5794 | Race condition in library function could cause data to be sent to the wrong process. |
CVE-2007-3970 | Race condition in file parser leads to heap corruption. |
CVE-2008-5021 | chain: race condition allows attacker to access an object while it is still being initialized, causing software to access uninitialized memory. |
Phase: Architecture and Design In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance. |
Phase: Architecture and Design Use thread-safe capabilities such as the data access abstraction in Spring. |
Phase: Architecture and Design Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring. Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400). |
Phase: Implementation When using multi-threading, only use thread-safe functions on shared variables. |
Phase: Implementation Use atomic operations on shared variables. Be wary of innocent-looking constructs like "x++". This is actually non-atomic, since it involves a read followed by a write. |
Phase: Implementation Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412. |
Phase: Implementation Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization. |
Phase: Implementation Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop. |
Phase: Implementation Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help. |
Phase: Testing Stress-test the software by calling it simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Insert breakpoints or delays in between relevant code statements to artificially expand the race window so that it will be easier to detect. |
Phase: Testing Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself. |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Category | 361 | Time and State | Development Concepts (primary)699 |
ChildOf | Weakness Class | 691 | Insufficient Control Flow Management | Research Concepts (primary)1000 |
ChildOf | Category | 743 | CERT C Secure Coding Section 09 - Input Output (FIO) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734 |
ChildOf | Category | 751 | 2009 Top 25 - Insecure Interaction Between Components | Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)750 |
ChildOf | Category | 801 | 2010 Top 25 - Insecure Interaction Between Components | Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)800 |
RequiredBy | Compound Element: Composite | 61 | UNIX Symbolic Link (Symlink) Following | Research Concepts1000 |
RequiredBy | Compound Element: Composite | 689 | Permission Race Condition During Resource Copy | Research Concepts1000 |
ParentOf | Weakness Base | 364 | Signal Handler Race Condition | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Base | 365 | Race Condition in Switch | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Base | 366 | Race Condition within a Thread | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Base | 367 | Time-of-check Time-of-use (TOCTOU) Race Condition | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Base | 368 | Context Switching Race Condition | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Base | 421 | Race Condition During Access to Alternate Channel | Development Concepts699 Research Concepts1000 |
MemberOf | View | 635 | Weaknesses Used by NVD | Weaknesses Used by NVD (primary)635 |
CanFollow | Weakness Base | 609 | Double-Checked Locking | Development Concepts699 Research Concepts1000 |
CanFollow | Weakness Base | 662 | Insufficient Synchronization | Development Concepts699 Research Concepts1000 |
CanAlsoBe | Category | 557 | Concurrency Issues | Research Concepts1000 |
Race conditions in web applications are under-studied and probably under-reported. However, in 2008 there has been growing interest in this area. |
Much of the focus of race condition research has been in Time-of-check Time-of-use (TOCTOU) variants (CWE-367), but many race conditions are related to synchronization problems that do not necessarily require a time-of-check. |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | Race Conditions | ||
CERT C Secure Coding | FIO31-C | Do not simultaneously open the same file multiple times |
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 13: Race Conditions." Page 205. McGraw-Hill. 2010. |
Andrei Alexandrescu. "volatile - Multithreaded Programmer's Best Friend". Dr. Dobb's. 2008-02-01. <http://www.ddj.com/cpp/184403766>. |
Steven Devijver. "Thread-safe webapps using Spring". <http://www.javalobby.org/articles/thread-safe/index.jsp>. |
David Wheeler. "Prevent race conditions". 2007-10-04. <http://www.ibm.com/developerworks/library/l-sprace.html>. |
Matt Bishop. "Race Conditions, Files, and Security Flaws; or the Tortoise and the Hare Redux". September 1995. <http://www.cs.ucdavis.edu/research/tech-reports/1995/CSE-95-9.pdf>. |
David Wheeler. "Secure Programming for Linux and Unix HOWTO". 2003-03-03. <http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html>. |
Blake Watts. "Discovering and Exploiting Named Pipe Security Flaws for Fun and Profit". April 2002. <http://www.blakewatts.com/namedpipepaper.html>. |
Roberto Paleari, Davide Marrone, Danilo Bruschi and Mattia Monga. "On Race Vulnerabilities in Web Applications". <http://security.dico.unimi.it/~roberto/pubs/dimva08-web.pdf>. |
"Avoiding Race Conditions and Insecure File Operations". Apple Developer Connection. <http://developer.apple.com/documentation/Security/Conceptual/SecureCodingGuide/Articles/RaceConditions.html>. |
The relationship between race conditions and synchronization problems (CWE-662) needs to be further developed. They are not necessarily two perspectives of the same core concept, since synchronization is only one technique for avoiding race conditions, and synchronization can be used for other purposes besides race condition prevention. |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
PLOVER | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Relationships, Taxonomy Mappings | ||||
2008-10-14 | CWE Content Team | MITRE | Internal | |
updated Relationships | ||||
2008-11-24 | CWE Content Team | MITRE | Internal | |
updated Relationships, Taxonomy Mappings | ||||
2009-01-12 | CWE Content Team | MITRE | Internal | |
updated Applicable Platforms, Common Consequences, Demonstrative Examples, Description, Likelihood of Exploit, Maintenance Notes, Observed Examples, Potential Mitigations, References, Relationships, Research Gaps | ||||
2009-03-10 | CWE Content Team | MITRE | Internal | |
updated Demonstrative Examples, Potential Mitigations | ||||
2009-05-27 | CWE Content Team | MITRE | Internal | |
updated Relationships | ||||
Previous Entry Names | ||||
Change Date | Previous Entry Name | |||
2008-04-11 | Race Conditions | |||