.NET Framework 2.0 Security Inspection Questions - Multi-Threading

From Guidance Share

Jump to: navigation, search

- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Jason Taylor, Rudolph Araujo


Threading Vulnerabilities and Implications

Vulnerability

Implications

Race conditions

Incorrect logic and application malfunction

Synchronization issues

Application malfunction.

Multi-threaded code is prone to subtle timing-related issues or race conditions that can result in security vulnerabilities. To locate multi-threaded code, search source code for the text "Thread" to identify where new Thread objects are created, as shown in the following code example.

Thread t = new Thread(new ThreadStart(someObject.SomeThreadStartMethod));

The following review questions help you to identify potential threading vulnerabilities:

  • Is the code subject to race conditions?
  • Does the code impersonate?
  • Does the code contain static class constructors?
  • Does the code synchronize Dispose methods?


Is the code subject to race conditions?

Check for race conditions, especially in static methods and constructors. Consider the following code example.

private static int amtRecvd = 0;
public static int IncrementAmountReceived(int increment)
{
 return(amtRecvd += increment);
}

If two threads call this code at the same time, it could result in an incorrect calculation for the amtRecvd value.


Code is particularly vulnerable to race conditions if it caches the results of a security check—for example, in a static or global variable—and then uses the flag to make subsequent security decisions.


Does the code impersonate?

Is the thread that creates a new thread currently impersonating? The new thread always assumes the process-level security context and not the security context of the existing thread.


Does the code contain static class constructors?

Review static class constructors to verify that they are not vulnerable if two or more threads access them simultaneously. If necessary, synchronize the threads to prevent this condition.


Does the code synchronize Dispose methods?

If an object's Dispose method is not synchronized, it is possible for two threads to execute Dispose on the same object. This can cause security issues, particularly if the cleanup code releases unmanaged resource handlers such as file, process, or thread handles.



Personal tools