Oh what a tangled web we weave...... when first to thread we do conceive.

Slides:



Advertisements
Similar presentations
Chapter 12 Lists and Iterators. List Its an abstract concept not a vector, array, or linked structure. Those are implementations of a List. A list is a.
Advertisements

DATA STRUCTURES Lecture: Interfaces Slides adapted from Prof. Steven Roehrig.
Relaxed Consistency Models. Outline Lazy Release Consistency TreadMarks DSM system.
Gots ta move dat data and not trash your threads...
Introduction CSCI 444/544 Operating Systems Fall 2008.
CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.
1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-
Intro to Threading CS221 – 4/20/09. What we’ll cover today Finish the DOTS program Introduction to threads and multi-threading.
Road Map Introduction to object oriented programming. Classes
In Sync (No, not the lame boy band.). Today in history... Last time: Thinking about design: interface design Survey of code complexity: P1 vs. P3 Intro.
The Zen of Threads When you can snatch the lock from the object, grasshopper, then you are ready to spawn the thread...
Synchronization in Java Nelson Padua-Perez Bill Pugh Department of Computer Science University of Maryland, College Park.
Oh what a tangled web we weave when first to thread we do conceive.
Inner Classes & the True Nature of Static. Administrivia Today: R2 Next Wed (Mar 30): Quiz 3 Multithreading and synchronization JDK java.lang.Thread,
Administrivia P2 all grades available now Relative importance of scores M1: 30% M2: 30% Rollout: 40% P3 -- good progress so far! Looks like a lot of the.
Building Secure Software Chapter 9 Race Conditions.
Synchronization in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
Terms and Rules Professor Evan Korth New York University (All rights reserved)
Talking to Threads. Administriva Grade summary today.
Administrivia Midterm exam: Mar 10 (in class) Interfaces vs. Abstract classes Inner classes Data views; iterators Lexical analyzers (tokenizers) Theory:
Oh what a tangled web we weave… … when first to thread we do conceive Lecture 24, Dec 08.
Race Conditions and Security. News o’ the day Java security flaws 3 bugs in Sun’s JRE Elevation of privilege, execution of arbitrary code, read/write.
Interfaces and Inner Classes. What is an Interface?  What is “presented to the user”?  The public part of a class?  What is the substance of an interface?
Proxy Design Pattern Source: Design Patterns – Elements of Reusable Object- Oriented Software; Gamma, et. al.
Threads in Java1 Concurrency Synchronizing threads, thread pools, etc.
Highly Available ACID Memory Vijayshankar Raman. Introduction §Why ACID memory? l non-database apps: want updates to critical data to be atomic and persistent.
Concurrency Recitation – 2/24 Nisarg Raval Slides by Prof. Landon Cox.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
CSE 425: Object-Oriented Programming II Implementation of OO Languages Efficient use of instructions and program storage –E.g., a C++ object is stored.
50.003: Elements of Software Construction Week 8 Composing Thread-safe Objects.
Question of the Day  On a game show you’re given the choice of three doors: Behind one door is a car; behind the others, goats. After you pick a door,
Templates An introduction. Simple Template Functions template T max(T x, T y) { if (x > y) { return x; } else { return y; } } int main(void) { int x =
Optimistic Design 1. Guarded Methods Do something based on the fact that one or more objects have particular states  Make a set of purchases assuming.
COMP 111 Threads and concurrency Sept 28, Tufts University Computer Science2 Who is this guy? I am not Prof. Couch Obvious? Sam Guyer New assistant.
Internet Software Development Controlling Threads Paul J Krause.
School of Engineering and Computer Science Victoria University of Wellington Copyright: Peter Andreae david streader, VUW Networking and Concurrency COMP.
Synchronized and Monitors. synchronized is a Java keyword to denote a block of code which must be executed atomically (uninterrupted). It can be applied.
Week 2, Day 2: The Factory Method Pattern Other good design principles Cohesion vs. Coupling Implementing the Strategy Pattern Changing strategies (behaviors)
Synchronizing threads, thread pools, etc.
Lecture 14 Page 1 CS 236 Online Race Conditions A common cause of security bugs Usually involve multiprogramming or multithreaded programs Caused by different.
CS162 Week 5 Kyle Dewey. Overview Announcements Reactive Imperative Programming Parallelism Software transactional memory.
Synchronization and semaphores Programming Language Design and Implementation (4th Edition) by T. Pratt and M. Zelkowitz Prentice Hall, 2001 Section
CIS Intro to JAVA Lecture Notes Set July-05 GUI Programming – Home and reload buttons for the webbrowser, Applets.
Discussion Week 2 TA: Kyle Dewey. Overview Concurrency Process level Thread level MIPS - switch.s Project #1.
Threads in Java1 Concurrency Synchronizing threads, thread pools, etc.
CMSC 330: Organization of Programming Languages Java Generics.
School of Computer Science & Information Technology G6DICP - Lecture 6 Errors, bugs and debugging.
Thread basics. A computer process Every time a program is executed a process is created It is managed via a data structure that keeps all things memory.
Iterators ITI 1121 N. El Kadri. Motivation Given a (singly) linked-list implementation of the interface List, defined as follows, public interface List.
Week 9, Class 3: Java’s Happens-Before Memory Model (Slides used and skipped in class) SE-2811 Slide design: Dr. Mark L. Hornick Content: Dr. Hornick Errors:
Today Quiz not yet graded Final report requirements posted More on Multithreading Happens-Before in Java SE-2811 Slide design: Dr. Mark L. Hornick Content:
(c) University of Washington10-1 CSC 143 Java Errors and Exceptions Reading: Ch. 15.
CSC CSC 143 Threads. CSC Introducing Threads  A thread is a flow of control within a program  A piece of code that runs on its own. The.
Testing Concurrent Programs Sri Teja Basava Arpit Sud CSCI 5535: Fundamentals of Programming Languages University of Colorado at Boulder Spring 2010.
Concurrency in Java MD. ANISUR RAHMAN. slide 2 Concurrency  Multiprogramming  Single processor runs several programs at the same time  Each program.
Lecture 4 Page 1 CS 111 Online Modularity and Memory Clearly, programs must have access to memory We need abstractions that give them the required access.
R Some of these slides are from Prof Frank Lin SJSU. r Minor modifications are made. 1.
Protecting Memory What is there to protect in memory?
Protecting Memory What is there to protect in memory?
Protecting Memory What is there to protect in memory?
Atomic Operations in Hardware
Atomic Operations in Hardware
Lecture 25 More Synchronized Data and Producer/Consumer Relationship
Atomicity CS 2110 – Fall 2017.
Modularity and Memory Clearly, programs must have access to memory
Multithreaded Programming in Java
Synchronization Lecture 23 – Fall 2017.
More on Thread Safety CSE451 Andrew Whitaker.
Threads and Memory Models Hal Perkins Autumn 2009
CSE 451: Operating Systems Spring 2012 Module 22 Remote Procedure Call (RPC) Ed Lazowska Allen Center
Presentation transcript:

Oh what a tangled web we weave when first to thread we do conceive.

Administrivia Remember: still time to vote today Q2 back today P3 M1 today and tomorrow All of you have arranged times (good) Remember to think about sched for future meetings (incl. rollout) All group members should be present if at all possible Teleconference can be arranged if you need...

A Study of History Last time: Civics advice Definitions for threading & synchronization “Who owns the lock”, part I Today: WOTL, part II Design principle Multi-processing, security, & you: race conditions

WOTL: Setup public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; }

WOTL: Setup The memory picture:

Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized List getY0() { return y; } }

Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized List getY0() { return y; } } Again, “ this ” owns the lock. Danger Will Robinson! Can have multiple access to y !!!

Who owns the lock? Consider: WhoOwnsTheLock foo=new WhoOwnsTheLock(); WhoOwnsTheLock bar=new WhoOwnsTheLock(); // in thread 0 foo.getY0(); // in thread 1 bar.getY0();

Who owns the lock?

thread 0 synch w/ this lock & thread 1 synch w/ this one

Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized List getY0() { return y; } public static synchronized List getY1() { return y; }

Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized List getY0() { return y; } public static synchronized List getY1() { return y; } Remember: “ static ”==“associated with class” (i.e., class object). So this is synchronized on the class object. No more conflict. (yay!)

Who owns the lock?

public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized List getY0() { return y; } public static synchronized List getY1() { return y; } public static List getY2() { synchronized(y) { return y; } }

Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized List getY0() { return y; } public static synchronized List getY1() { return y; } public static List getY2() { synchronized(y) { return y; } } Effectively, just as good as previous version...

Who owns the lock?

public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized int getXY0() { return x.size()+y.size(); }

Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized int getXY0() { return x.size()+y.size(); } Synchronized on “ this ”, but can have concurrent access via y ( x is safe)

Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized int getXY0() { return x.size()+y.size(); } public static synchronized int getXY1() { return x.size()+y.size(); }

Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized int getXY0() { return x.size()+y.size(); } public static synchronized int getXY1() { return x.size()+y.size(); } Ok, so this is a syntax error. Can’t access x from static context. :-P But pretend for a moment that it would work. What happens?

Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized int getXY0() { return x.size()+y.size(); } public static synchronized int getXY1() { return x.size()+y.size(); } Same problem, but in reverse -- y is safe, but can have multi-access to x.

Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized int getXY0() { return x.size()+y.size(); } public static synchronized int getXY1() { return x.size()+y.size(); } public int getXY2() { synchronized(this) { // this will work synchronized(y) { return x.size()+y.size(); } } } }

Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized int getXY0() { return x.size()+y.size(); } public static synchronized int getXY1() { return x.size()+y.size(); } public int getXY2() { synchronized(x) { // OR you can do this... synchronized(y) { return x.size()+y.size(); } } } }

Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized int getXY0() { return x.size()+y.size(); } public static synchronized int getXY1() { return x.size()+y.size(); } public int getXY2() { synchronized(this) { synchronized(this.getClass()) { // OR this... return x.size()+y.size(); } } } }

Who owns the lock? synch(this) synch(y)

Who owns the lock? synch(y) synch(x)

Who owns the lock? synch(this.getClass) synch(this)

Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public int getAB0() { synchronized(this) { synchronized(b) { // oh oh... b is atomic return a+b; } } } }

Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public int getAB0() { synchronized(this) { synhronized(y) { return a+b; } } } } Answer 1: synchronize on something “near” b (i.e., something else static) that isn’t, itself, atomic. Sometimes introduce spurious “ Object ” just for this

Design principle o’ the day: Fail fastness

Proactive bug detection Want a bug to show up as soon as possible As close to the creation of the bug as you can Bug should produce (highly) visible evidence Helps debugging -- bug isn’t hidden by many layers of propagation Fail fast principle: design so that bugs cause failures immediately -- as close to source as possible

Fail fast example Use illegal default values when you don’t know the correct final value for a thing private int _arrMax=0; vs. private int _arrMax=-1; Also shows up in java.util.*.iterator() Most built-in JDK iterators are fail fast -- die if you change the collection out from under them

Fail fast iterator public class MyCollection implements Iterable { private Object _data[]; private int _modCount=0; public void add(Object o) { ++_modCount;... } private class _myIter implements Iterator { private int _iterModCount=_modCount; public Object next() { if (_iterModCount!=_modCount) { throw new ConcurrentModificationException(); }... }

Race Conditions & Security

Race Cond. & Security Atomicity failures can sometimes be exploited to break security on multiprocessing systems One of the top 10 classes of exploits since... mid-1980’s, at least 100’s (or more) of reported vulnerabilities Most recently: yesterday Race condition failure reported for mutt mail reader client

The core exploit Privileged program creates a resource Hostile program grabs a shared resource (e.g., file): Before it is created (predicting its name/handle) After it is created, but before it is secured Privileged program

You thought you were safe Independent of language: Java will not save you! Beware when writing privileged code! N.b.: Sometimes your never-intended-to-be- secure code will be run in privileged context! Happens a lot on the web...

Basic Race Cond. Exploit priv proc

Basic Race Cond. Exploit priv proc file /tmp/foo write() read() close() unlink() open(“/tmp/foo”, O_RDWR | O_CREAT);

Basic Race Cond. Exploit priv proc open(“/tmp/foo”, O_RDWR | O_CREAT); file /tmp/foo write() read() close() unlink() hostile proc open(...) read()

Basic Race Cond. Exploit priv proc open(“/tmp/foo”, O_RDWR | O_CREAT); file /tmp/foo write() read() close() unlink() hostile proc chmod()

Basic Race Cond. Exploit priv proc open(“/tmp/foo”, O_RDWR | O_CREAT); file /tmp/foo write() read() close() unlink() hostile proc chmod() open(...)

Basic Race Cond. Exploit priv proc open(“/tmp/foo”, O_RDWR | O_CREAT); file /tmp/foo write() read() close() unlink() hostile proc umask()

Basic Race Cond. Exploit priv proc open(“/tmp/foo”, O_RDWR | O_CREAT); file /tmp/foo write() read() close() unlink() hostile proc umask() open(...) read()

Basic Race Cond. Exploit priv proc open(“/tmp/foo”, O_RDWR | O_CREAT); file /tmp/foo write() read() close() unlink() hostile proc umask() symlink(“/tmp/foo”, “/etc/passwd”)

Basic Race Cond. Exploit priv proc stat(“/tmp/foo”); if (!exists) { open(“/tmp/foo”, O_RDWR | O_CREAT); } else { error(); } file /tmp/foo write() read() close() unlink() hostile proc umask()

Basic Race Cond. Exploit priv proc stat(“/tmp/foo”); if (!exists) { open(“/tmp/foo”, O_RDWR | O_CREAT); } else { error(); } file /tmp/foo write() read() close() unlink() hostile proc umask() symlink(“/tmp/foo”, “/etc/passwd”)

Preventing FS Race Conds Could create foo in dir owned/writable only by owner of proc Can be hard to ensure this Still have to watch out for filename collisions

Preventing FS Race Conds Could make file names hard to predict (e.g., picked randomly) Exploit still possible; hard to make fnames really random Similar “prediction” attack used to break early Netscape implementation of SSL

Preventing FS Race Conds Ultimate answer: use OS atomicity facilities open(“/tmp/foo”, O_RDWR | O_CREAT | O_EXCL) Similar mechanisms used at OS level to ensure atomic access to locks/monitors atomicTestAndSet(), et al. Harder w/ distributed databases -- data lives on multiple hosts DBs usually offer atomic access mechanisms for you Always be on guard!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.