The code requires that certain state should not be modified
between two operations, but a timing window exists in which the state can be
modified by an unexpected actor or process.
Extended Description
This can have security implications when the expected synchronization is
in security-critical code, such as recording whether a user is
authenticated, or modifying important state information that should not be
influenced by an outsider.
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Architectural Paradigms
Concurrent Systems Operating on Shared Resources (Often)
Common Consequences
Availability
When a race condition makes it possible to bypass a resource cleanup
routine or trigger multiple initialization routines, it may lead to
resource exhaustion (CWE-400).
Availability
When a race condition allows multiple control flows to access a
resource simultaneously, it might lead the program(s) into unexpected
states, possibly resulting in a crash.
Confidentiality
Integrity
When a race condition is combined with predictable resource names and
loose permissions, it may be possible for an attacker to overwrite or
access confidential data (CWE-59).
Likelihood of Exploit
Medium
Demonstrative Examples
This code could be used in an e-commerce application that supports
transfers between accounts. It takes the total amount of the transfer, sends
it to the new account, and deducts the amount from the original
account.
Perl Example:
$transfer_amount = GetTransferAmount();
$balance = GetBalanceFromDatabase();
if ($transfer_amount < 0) {
FatalError("Bad Transfer Amount");
}
$newbalance = $balance - $transfer_amount;
if (($balance - $transfer_amount) < 0) {
FatalError("Insufficient Funds");
}
SendNewBalanceToDatabase($newbalance);
NotifyUser("Transfer of $transfer_amount succeeded.");
NotifyUser("New balance: $newbalance");
A race condition could occur between the calls to
GetBalanceFromDatabase() and SendNewBalanceToDatabase().
Suppose the same user can invoke this program multiple times
simultaneously, such as by making multiple requests in a web
application. An attack could be constructed as follows:
PseudoCode Example:
Suppose the balance is initially 100.00.
The attacker makes two simultaneous calls of the program, CALLER-1
and CALLER-2. Both callers are for the same user account.
CALLER-1 (the attacker) is associated with PROGRAM-1 (the instance
that handles CALLER-1). CALLER-2 is associated with
PROGRAM-2.
CALLER-1 makes a transfer request of 80.00.
PROGRAM-1 calls GetBalanceFromDatabase and sets $balance to
100.00
PROGRAM-1 calculates $newbalance as 20.00, then calls
SendNewBalanceToDatabase().
Due to high server load, the PROGRAM-1 call to
SendNewBalanceToDatabase() encounters a delay.
CALLER-2 makes a transfer request of 1.00.
PROGRAM-2 calls GetBalanceFromDatabase() and sets $balance to
100.00. This happens because the previous PROGRAM-1 request was not
processed yet.
PROGRAM-2 determines the new balance as 99.00.
After the initial delay, PROGRAM-1 commits its balance to the
database, setting it to 20.00.
PROGRAM-2 sends a request to update the database, setting the
balance to 99.00
At this stage, the attacker should have a balance of 19.00 (due to
81.00 worth of transfers), but the balance is 99.00, as recorded in the
database.
To prevent this weakness, the programmer has several options,
including using a lock to prevent multiple simultaneous requests to the
web application, or using a synchronization mechanism that includes all
the code between GetBalanceFromDatabase() and
SendNewBalanceToDatabase().
chain: time-of-check time-of-use (TOCTOU) race
condition in program allows bypass of protection mechanism that was designed
to prevent symlink attacks.
chain: time-of-check time-of-use (TOCTOU) race
condition in program allows bypass of protection mechanism that was designed
to prevent symlink attacks.
Race condition leading to a crash by calling a
hook removal procedure while other activities are occurring at the same
time.
Potential Mitigations
Architecture and Design
In languages that support it, use synchronization primitives. Only
wrap these around critical code to minimize the impact on
performance.
Architecture and Design
Use thread-safe capabilities such as the data access abstraction in
Spring.
Architecture and Design
Minimize the usage of shared resources in order to remove as much
complexity as possible from the control flow and to reduce the
likelihood of unexpected conditions occurring.
Additionally, this will minimize the amount of synchronization
necessary and may even help to reduce the likelihood of a denial of
service where an attacker may be able to repeatedly trigger a critical
section (CWE-400).
Implementation
When using multi-threading, only use thread-safe functions on shared
variables.
Implementation
Use atomic operations on shared variables. Be wary of innocent-looking
constructs like "x++". This is actually non-atomic, since it involves a
read followed by a write.
Implementation
Use a mutex if available, but be sure to avoid related weaknesses such
as CWE-412.
Implementation
Avoid double-checked locking (CWE-609) and other implementation errors
that arise when trying to avoid the overhead of synchronization.
Implementation
Disable interrupts or signals over critical parts of the code, but
also make sure that the code does not go into a large or infinite
loop.
Implementation
Use the volatile type modifier for critical variables to avoid
unexpected compiler optimization or reordering. This does not
necessarily solve the synchronization problem, but it can help.
Testing
Stress-test the software by calling it simultaneously from a large
number of threads or processes, and look for evidence of any unexpected
behavior. The software's operation may slow down, but it should not
become unstable, crash, or generate incorrect results.
Insert breakpoints or delays in between relevant code statements to
artificially expand the race window so that it will be easier to
detect.
Testing
Identify error conditions that are not likely to occur during normal
usage and trigger them. For example, run the program under low memory
conditions, run with insufficient privileges or permissions, interrupt a
transaction before it is completed, or disable connectivity to basic
network services such as DNS. Monitor the software for any unexpected
behavior. If you trigger an unhandled exception or similar error that
was discovered and handled by the application's environment, it may
still indicate unexpected conditions that were not handled by the
application itself.
Race conditions in web applications are under-studied and probably
under-reported. However, in 2008 there has been growing interest in this
area.
Much of the focus of race condition research has been in Time-of-check
Time-of-use (TOCTOU) variants (CWE-367), but many race conditions are
related to synchronization problems that do not necessarily require a
time-of-check.
Taxonomy Mappings
Mapped Taxonomy Name
Node ID
Mapped Node Name
PLOVER
Race Conditions
CERT C Secure Coding
FIO31-C
Do not simultaneously open the same file multiple
times
The relationship between race conditions and synchronization problems
(CWE-662) needs to be further developed. They are not necessarily two
perspectives of the same core concept, since synchronization is only one
technique for avoiding race conditions, and synchronization can be used for
other purposes besides race condition prevention.
Description
Architecture and Design
