CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE - Individual Dictionary Definition (2.11)

CWE-820: Missing Synchronization

Weakness ID: 820
Abstraction: Base
Status: Incomplete
+ Description

Description Summary

The software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.

Extended Description

If access to a shared resource is not synchronized, then the resource may not be in a state that is expected by the software. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource.

+ Common Consequences
Scope: Integrity; Confidentiality; Other
Effect: Technical Impact: Modify application data; Read application data; Alter execution logic

+ Demonstrative Examples

Example 1

The following code intends to fork a process, then have both the parent and child processes print a single line.

(Bad Code)
Example Languages: C and C++ 
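#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

static void print (const char * string) {
    const char * word;
    int counter;
    /* Emit one character at a time; the loop ends at the terminating NUL. */
    for (word = string; (counter = *word++) != '\0'; ) {
        putc(counter, stdout);
        fflush(stdout);
        /* Make timing window a little larger... */
        sleep(1);
    }
}

int main(void) {
    pid_t pid;

    pid = fork();
    if (pid == -1) {
        exit(-2);
    }
    else if (pid == 0) {
        /* Child: writes to the same stdout as the parent, with no locking. */
        print("child\n");
    }
    else {
        /* Parent: runs concurrently with the child. */
        print("PARENT\n");
    }
    exit(0);
}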

One might expect the code to print out something like:

PARENT

child

However, because the parent and child are executing concurrently, and stdout is flushed each time a character is printed, the output might be mixed together, such as:

PcAhRiElNdT

[blank line]

[blank line]
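A synchronized counterpart to Example 1, added here as an illustration and not part of the CWE entry: each process holds an exclusive lock while it writes its whole line, so the lines can no longer interleave. It uses a POSIX record lock via fcntl() because those locks are owned per process, whereas a flock() lock on a descriptor inherited across fork() is shared by parent and child and would exclude nothing. The scratch file and the names set_lock, print_line and demo_synchronized are assumptions made for this example.

```c
#define _DEFAULT_SOURCE   /* expose usleep/mkstemp/pread under strict -std= modes */
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Take (F_WRLCK) or release (F_UNLCK) a whole-file POSIX record lock.
 * The lock is owned by the calling process, so parent and child contend. */
static int set_lock(int fd, short type) {
    struct flock fl = { .l_type = type, .l_whence = SEEK_SET }; /* l_len 0: whole file */
    return fcntl(fd, F_SETLKW, &fl);    /* F_SETLKW blocks until the lock is granted */
}

/* Same byte-at-a-time writer as the bad example, but the whole line
 * is one critical section. */
static int print_line(int fd, const char *s) {
    if (set_lock(fd, F_WRLCK) == -1) return -1;
    for (; *s; s++) {
        if (write(fd, s, 1) != 1) return -1;
        usleep(2000);                   /* keep the timing window wide */
    }
    return set_lock(fd, F_UNLCK);
}

/* Fork, let both processes print to one shared file, and return 1 if both
 * lines arrived intact (in either order), 0 if interleaved, -1 on error. */
int demo_synchronized(void) {
    char path[] = "/tmp/cwe820-XXXXXX"; /* constructed scratch file (assumption) */
    char buf[32] = {0};
    int fd = mkstemp(path);
    if (fd == -1) return -1;
    unlink(path);                       /* file lives only as long as fd is open */
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) _exit(print_line(fd, "child\n") == 0 ? 0 : 1);
    int status, ok = print_line(fd, "PARENT\n");
    if (waitpid(pid, &status, 0) == -1 || ok == -1 || status != 0) return -1;
    if (pread(fd, buf, sizeof buf - 1, 0) == -1) return -1;
    close(fd);
    return !strcmp(buf, "PARENT\nchild\n") || !strcmp(buf, "child\nPARENT\n");
}

int main(void) { return demo_synchronized() == 1 ? 0 : 1; }
```

The lock fixes interleaving only; which line comes first still depends on scheduling, so code that needs a fixed order must also wait on the other process.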

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Base | 662 | Improper Synchronization | Development Concepts (primary) 699; Research Concepts (primary) 1000
ChildOf | Category | 853 | CERT Java Secure Coding Section 08 - Locking (LCK) | Weaknesses Addressed by the CERT Java Secure Coding Standard (primary) 844
ParentOf | Weakness Variant | 543 | Use of Singleton Pattern Without Synchronization in a Multithreaded Context | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 567 | Unsynchronized Access to Shared Data in a Multithreaded Context | Research Concepts (primary) 1000
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
CERT Java Secure Coding | LCK05-J | | Synchronize access to static fields that can be modified by untrusted code
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
2010-08-06 | | MITRE | Internal CWE Team
Modifications
Modification Date | Modifier | Organization | Source
2010-12-13 | CWE Content Team | MITRE | Internal
    updated Demonstrative_Examples, Relationships
2011-06-01 | CWE Content Team | MITRE | Internal
    updated Common_Consequences, Relationships, Taxonomy_Mappings
2013-07-17 | CWE Content Team | MITRE | Internal
    updated Relationships

Page Last Updated: May 05, 2017