- •Table of Contents
- •List of Figures
- •List of Tables
- •Acknowledgments
- •About This Report
- •The Secure Coding Standard Described in This Report
- •Guideline Priorities
- •Abstract
- •1 Introduction
- •1.1.2 Synchronization
- •1.1.3.1 Atomic Classes
- •1.1.3.3 Explicit Locking
- •2 Visibility and Atomicity (VNA) Guidelines
- •2.1.5 Exceptions
- •2.1.6 Risk Assessment
- •2.1.7 References
- •2.2.1 Noncompliant Code Example
- •2.2.2 Compliant Solution (Synchronization)
- •2.2.5 Risk Assessment
- •2.2.6 References
- •2.3.1 Noncompliant Code Example (Logical Negation)
- •2.3.2 Noncompliant Code Example (Bitwise Negation)
- •2.3.4 Compliant Solution (Synchronization)
- •2.3.8 Noncompliant Code Example (Addition of Primitives)
- •2.3.9 Noncompliant Code Example (Addition of Atomic Integers)
- •2.3.10 Compliant Solution (Addition)
- •2.3.11 Risk Assessment
- •2.3.12 References
- •2.4.2 Compliant Solution (Method Synchronization)
- •2.4.4 Compliant Solution (Synchronized Block)
- •2.4.6 Compliant Solution (Synchronization)
- •2.4.8 Risk Assessment
- •2.4.9 References
- •2.5.1 Noncompliant Code Example
- •2.5.2 Compliant Solution
- •2.5.3 Risk Assessment
- •2.5.4 References
- •2.6.1 Noncompliant Code Example
- •2.6.2 Compliant Solution (Volatile)
- •2.6.3 Exceptions
- •2.6.4 Risk Assessment
- •2.6.5 References
- •2.7.1 Noncompliant Code Example (Arrays)
- •2.7.3 Compliant Solution (Synchronization)
- •2.7.4 Noncompliant Code Example (Mutable Object)
- •2.7.6 Compliant Solution (Synchronization)
- •2.7.8 Compliant Solution (Instance Per Call/Defensive Copying)
- •2.7.9 Compliant Solution (Synchronization)
- •2.7.10 Compliant Solution (ThreadLocal Storage)
- •2.7.11 Risk Assessment
- •2.7.12 References
- •3 Lock (LCK) Guidelines
- •3.1.1 Noncompliant Code Example (Method Synchronization)
- •3.1.4 Noncompliant Code Example (Public Final Lock Object)
- •3.1.5 Compliant Solution (Private Final Lock Object)
- •3.1.6 Noncompliant Code Example (Static)
- •3.1.7 Compliant Solution (Static)
- •3.1.8 Exceptions
- •3.1.9 Risk Assessment
- •3.1.10 References
- •3.2.2 Noncompliant Code Example (Boxed Primitive)
- •3.2.7 Compliant Solution (Private Final Lock Object)
- •3.2.8 Risk Assessment
- •3.2.9 References
- •3.3.2 Compliant Solution (Class Name Qualification)
- •3.3.5 Compliant Solution (Class Name Qualification)
- •3.3.6 Risk Assessment
- •3.3.7 References
- •3.4.3 Risk Assessment
- •3.4.4 References
- •3.5.1 Noncompliant Code Example (Collection View)
- •3.5.2 Compliant Solution (Collection Lock Object)
- •3.5.3 Risk Assessment
- •3.5.4 References
- •3.6.1 Noncompliant Code Example
- •3.6.2 Compliant Solution
- •3.6.3 Risk Assessment
- •3.6.4 References
- •3.7.2 Noncompliant Code Example (Method Synchronization for Static Data)
- •3.7.3 Compliant Solution (Static Lock Object)
- •3.7.4 Risk Assessment
- •3.7.5 References
- •3.8.1 Noncompliant Code Example (Different Lock Orders)
- •3.8.2 Compliant Solution (Private Static Final Lock Object)
- •3.8.3 Compliant Solution (Ordered Locks)
- •3.8.5 Noncompliant Code Example (Different Lock Orders, Recursive)
- •3.8.6 Compliant Solution
- •3.8.7 Risk Assessment
- •3.8.8 References
- •3.9.1 Noncompliant Code Example (Checked Exception)
- •3.9.4 Noncompliant Code Example (Unchecked Exception)
- •3.9.6 Risk Assessment
- •3.9.7 References
- •3.10.1 Noncompliant Code Example (Deferring a Thread)
- •3.10.2 Compliant Solution (Intrinsic Lock)
- •3.10.3 Noncompliant Code Example (Network I/O)
- •3.10.4 Compliant Solution
- •3.10.5 Exceptions
- •3.10.6 Risk Assessment
- •3.10.7 References
- •3.11.1 Noncompliant Code Example
- •3.11.2 Compliant Solution (Volatile)
- •3.11.3 Compliant Solution (Static Initialization)
- •3.11.4 Compliant Solution (Initialize-On-Demand, Holder Class Idiom)
- •3.11.5 Compliant Solution (ThreadLocal Storage)
- •3.11.6 Compliant Solution (Immutable)
- •3.11.7 Exceptions
- •3.11.8 Risk Assessment
- •3.11.9 References
- •3.12.1 Noncompliant Code Example (Intrinsic Lock)
- •3.12.2 Compliant Solution (Private Final Lock Object)
- •3.12.3 Noncompliant Code Example (Class Extension and Accessible Member Lock)
- •3.12.4 Compliant Solution (Composition)
- •3.12.5 Risk Assessment
- •3.12.6 References
- •4 Thread APIs (THI) Guidelines
- •4.1.2 Compliant Solution (Volatile Flag)
- •4.1.5 Compliant Solution
- •4.1.6 Risk Assessment
- •4.1.7 References
- •4.2.1 Noncompliant Code Example
- •4.2.2 Compliant Solution
- •4.2.3 Risk Assessment
- •4.2.4 References
- •4.3.1 Noncompliant Code Example
- •4.3.2 Compliant Solution
- •4.3.3 Exceptions
- •4.3.4 Risk Assessment
- •4.3.5 References
- •4.4.1 Noncompliant Code Example
- •4.4.2 Compliant Solution
- •4.4.3 Risk Assessment
- •4.4.4 References
- •4.5.5 Compliant Solution (Unique Condition Per Thread)
- •4.5.6 Risk Assessment
- •4.5.7 References
- •4.6.2 Compliant Solution (Volatile Flag)
- •4.6.3 Compliant Solution (Interruptible)
- •4.6.5 Risk Assessment
- •4.6.6 References
- •4.7.1 Noncompliant Code Example (Blocking I/O, Volatile Flag)
- •4.7.2 Noncompliant Code Example (Blocking I/O, Interruptible)
- •4.7.3 Compliant Solution (Close Socket Connection)
- •4.7.4 Compliant Solution (Interruptible Channel)
- •4.7.5 Noncompliant Code Example (Database Connection)
- •4.7.7 Risk Assessment
- •4.7.8 References
- •5 Thread Pools (TPS) Guidelines
- •5.1.1 Noncompliant Code Example
- •5.1.2 Compliant Solution
- •5.1.3 Risk Assessment
- •5.1.4 References
- •5.2.1 Noncompliant Code Example (Interdependent Subtasks)
- •5.2.2 Compliant Solution (No Interdependent Tasks)
- •5.2.3 Noncompliant Code Example (Subtasks)
- •5.2.5 Risk Assessment
- •5.2.6 References
- •5.3.1 Noncompliant Code Example (Shutting Down Thread Pools)
- •5.3.2 Compliant Solution (Submit Interruptible Tasks)
- •5.3.3 Exceptions
- •5.3.4 Risk Assessment
- •5.3.5 References
- •5.4.1 Noncompliant Code Example (Abnormal Task Termination)
- •5.4.3 Compliant Solution (Uncaught Exception Handler)
- •5.4.5 Exceptions
- •5.4.6 Risk Assessment
- •5.4.7 References
- •5.5.1 Noncompliant Code Example
- •5.5.2 Noncompliant Code Example (Increase Thread Pool Size)
- •5.5.5 Exceptions
- •5.5.6 Risk Assessment
- •5.5.7 References
- •6 Thread-Safety Miscellaneous (TSM) Guidelines
- •6.1.1 Noncompliant Code Example (Synchronized Method)
- •6.1.2 Compliant Solution (Synchronized Method)
- •6.1.3 Compliant Solution (Private Final Lock Object)
- •6.1.4 Noncompliant Code Example (Private Lock)
- •6.1.5 Compliant Solution (Private Lock)
- •6.1.6 Risk Assessment
- •6.1.7 References
- •6.2.1 Noncompliant Code Example (Publish Before Initialization)
- •6.2.3 Compliant Solution (Volatile Field and Publish After Initialization)
- •6.2.4 Compliant Solution (Public Static Factory Method)
- •6.2.5 Noncompliant Code Example (Handlers)
- •6.2.6 Compliant Solution
- •6.2.7 Noncompliant Code Example (Inner Class)
- •6.2.8 Compliant Solution
- •6.2.9 Noncompliant Code Example (Thread)
- •6.2.10 Compliant Solution (Thread)
- •6.2.11 Exceptions
- •6.2.12 Risk Assessment
- •6.2.13 References
- •6.3.1 Noncompliant Code Example (Background Thread)
- •6.3.4 Exceptions
- •6.3.5 Risk Assessment
- •6.3.6 References
- •6.4.1 Noncompliant Code Example
- •6.4.2 Compliant Solution (Synchronization)
- •6.4.3 Compliant Solution (Final Field)
- •6.4.5 Compliant Solution (Static Initialization)
- •6.4.6 Compliant Solution (Immutable Object - Final Fields, Volatile Reference)
- •6.4.8 Exceptions
- •6.4.9 Risk Assessment
- •6.4.10 References
- •6.5.1 Obtaining Concurrency Annotations
- •6.5.3 Documenting Locking Policies
- •6.5.4 Construction of Mutable Objects
- •6.5.7 Risk Assessment
- •6.5.8 References
- •Appendix Definitions
- •Bibliography
Abstract
An essential element of secure coding in the Java programming language is well-documented and enforceable coding standards. Coding standards encourage programmers to follow a uniform set of guidelines determined by the requirements of the project and organization, rather than by the programmer’s familiarity or preference. Once established, these standards can be used as a metric to evaluate source code (using manual or automated processes).
The CERT Oracle Secure Coding Standard for Java provides guidelines for secure coding in the Java programming language. The goal of these guidelines is to eliminate insecure coding practices and undefined behaviors that can lead to exploitable vulnerabilities. Applying this standard will lead to higher quality systems that are robust and more resistant to attack.
This report documents the portion of those Java guidelines that are related to concurrency.
CMU/SEI-2010-TR-015 | xv
CMU/SEI-2010-TR-015 | xvi