Presentation is loading. Please wait.

Presentation is loading. Please wait.

Oh what a tangled web we weave...... when first to thread we do conceive.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Oh what a tangled web we weave...... when first to thread we do conceive."— Presentation transcript:

1 Oh what a tangled web we weave...... when first to thread we do conceive.

2 Administrivia Remember: still time to vote today Q2 back today P3 M1 today and tomorrow All of you have arranged times (good) Remember to think about sched for future meetings (incl. rollout) All group members should be present if at all possible Teleconference can be arranged if you need...

3 A Study of History Last time: Civics advice Definitions for threading & synchronization “Who owns the lock”, part I Today: WOTL, part II Design principle Multi-processing, security, & you: race conditions

4 WOTL: Setup public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; }

5 WOTL: Setup The memory picture:

6 Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized List getY0() { return y; } }

7 Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized List getY0() { return y; } } Again, “ this ” owns the lock. Danger Will Robinson! Can have multiple access to y !!!

8 Who owns the lock? Consider: WhoOwnsTheLock foo=new WhoOwnsTheLock(); WhoOwnsTheLock bar=new WhoOwnsTheLock(); // in thread 0 foo.getY0(); // in thread 1 bar.getY0();

9 Who owns the lock?

10 thread 0 synch w/ this lock & thread 1 synch w/ this one

11 Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized List getY0() { return y; } public static synchronized List getY1() { return y; }

12 Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized List getY0() { return y; } public static synchronized List getY1() { return y; } Remember: “ static ”==“associated with class” (i.e., class object). So this is synchronized on the class object. No more conflict. (yay!)

13 Who owns the lock?

14 public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized List getY0() { return y; } public static synchronized List getY1() { return y; } public static List getY2() { synchronized(y) { return y; } }

15 Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized List getY0() { return y; } public static synchronized List getY1() { return y; } public static List getY2() { synchronized(y) { return y; } } Effectively, just as good as previous version...

16 Who owns the lock?

17 public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized int getXY0() { return x.size()+y.size(); }

18 Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized int getXY0() { return x.size()+y.size(); } Synchronized on “ this ”, but can have concurrent access via y ( x is safe)

19 Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized int getXY0() { return x.size()+y.size(); } public static synchronized int getXY1() { return x.size()+y.size(); }

20 Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized int getXY0() { return x.size()+y.size(); } public static synchronized int getXY1() { return x.size()+y.size(); } Ok, so this is a syntax error. Can’t access x from static context. :-P But pretend for a moment that it would work. What happens?

21 Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized int getXY0() { return x.size()+y.size(); } public static synchronized int getXY1() { return x.size()+y.size(); } Same problem, but in reverse -- y is safe, but can have multi-access to x.

22 Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized int getXY0() { return x.size()+y.size(); } public static synchronized int getXY1() { return x.size()+y.size(); } public int getXY2() { synchronized(this) { // this will work synchronized(y) { return x.size()+y.size(); } } } }

23 Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized int getXY0() { return x.size()+y.size(); } public static synchronized int getXY1() { return x.size()+y.size(); } public int getXY2() { synchronized(x) { // OR you can do this... synchronized(y) { return x.size()+y.size(); } } } }

24 Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public synchronized int getXY0() { return x.size()+y.size(); } public static synchronized int getXY1() { return x.size()+y.size(); } public int getXY2() { synchronized(this) { synchronized(this.getClass()) { // OR this... return x.size()+y.size(); } } } }

25 Who owns the lock? synch(this) synch(y)

26 Who owns the lock? synch(y) synch(x)

27 Who owns the lock? synch(this.getClass) synch(this)

28 Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public int getAB0() { synchronized(this) { synchronized(b) { // oh oh... b is atomic return a+b; } } } }

29 Who owns the lock? public class WhoOwnsTheLock { private List x=new LinkedList(); private static List y=new LinkedList(); private int a=3; private static int b=42; public int getAB0() { synchronized(this) { synhronized(y) { return a+b; } } } } Answer 1: synchronize on something “near” b (i.e., something else static) that isn’t, itself, atomic. Sometimes introduce spurious “ Object ” just for this

30 Design principle o’ the day: Fail fastness

31 Proactive bug detection Want a bug to show up as soon as possible As close to the creation of the bug as you can Bug should produce (highly) visible evidence Helps debugging -- bug isn’t hidden by many layers of propagation Fail fast principle: design so that bugs cause failures immediately -- as close to source as possible

32 Fail fast example Use illegal default values when you don’t know the correct final value for a thing private int _arrMax=0; vs. private int _arrMax=-1; Also shows up in java.util.*.iterator() Most built-in JDK iterators are fail fast -- die if you change the collection out from under them

33 Fail fast iterator public class MyCollection implements Iterable { private Object _data[]; private int _modCount=0; public void add(Object o) { ++_modCount;... } private class _myIter implements Iterator { private int _iterModCount=_modCount; public Object next() { if (_iterModCount!=_modCount) { throw new ConcurrentModificationException(); }... }

34 Race Conditions & Security

35 Race Cond. & Security Atomicity failures can sometimes be exploited to break security on multiprocessing systems One of the top 10 classes of exploits since... mid-1980’s, at least 100’s (or more) of reported vulnerabilities Most recently: yesterday Race condition failure reported for mutt mail reader client

36 The core exploit Privileged program creates a resource Hostile program grabs a shared resource (e.g., file): Before it is created (predicting its name/handle) After it is created, but before it is secured Privileged program

37 You thought you were safe Independent of language: Java will not save you! Beware when writing privileged code! N.b.: Sometimes your never-intended-to-be- secure code will be run in privileged context! Happens a lot on the web...

38 Basic Race Cond. Exploit priv proc

39 Basic Race Cond. Exploit priv proc file /tmp/foo write() read() close() unlink() open(“/tmp/foo”, O_RDWR | O_CREAT);

40 Basic Race Cond. Exploit priv proc open(“/tmp/foo”, O_RDWR | O_CREAT); file /tmp/foo write() read() close() unlink() hostile proc open(...) read()

41 Basic Race Cond. Exploit priv proc open(“/tmp/foo”, O_RDWR | O_CREAT); file /tmp/foo write() read() close() unlink() hostile proc chmod()

42 Basic Race Cond. Exploit priv proc open(“/tmp/foo”, O_RDWR | O_CREAT); file /tmp/foo write() read() close() unlink() hostile proc chmod() open(...)

43 Basic Race Cond. Exploit priv proc open(“/tmp/foo”, O_RDWR | O_CREAT); file /tmp/foo write() read() close() unlink() hostile proc umask()

44 Basic Race Cond. Exploit priv proc open(“/tmp/foo”, O_RDWR | O_CREAT); file /tmp/foo write() read() close() unlink() hostile proc umask() open(...) read()

45 Basic Race Cond. Exploit priv proc open(“/tmp/foo”, O_RDWR | O_CREAT); file /tmp/foo write() read() close() unlink() hostile proc umask() symlink(“/tmp/foo”, “/etc/passwd”)

46 Basic Race Cond. Exploit priv proc stat(“/tmp/foo”); if (!exists) { open(“/tmp/foo”, O_RDWR | O_CREAT); } else { error(); } file /tmp/foo write() read() close() unlink() hostile proc umask()

47 Basic Race Cond. Exploit priv proc stat(“/tmp/foo”); if (!exists) { open(“/tmp/foo”, O_RDWR | O_CREAT); } else { error(); } file /tmp/foo write() read() close() unlink() hostile proc umask() symlink(“/tmp/foo”, “/etc/passwd”)

48 Preventing FS Race Conds Could create foo in dir owned/writable only by owner of proc Can be hard to ensure this Still have to watch out for filename collisions

49 Preventing FS Race Conds Could make file names hard to predict (e.g., picked randomly) Exploit still possible; hard to make fnames really random Similar “prediction” attack used to break early Netscape implementation of SSL

50 Preventing FS Race Conds Ultimate answer: use OS atomicity facilities open(“/tmp/foo”, O_RDWR | O_CREAT | O_EXCL) Similar mechanisms used at OS level to ensure atomic access to locks/monitors atomicTestAndSet(), et al. Harder w/ distributed databases -- data lives on multiple hosts DBs usually offer atomic access mechanisms for you Always be on guard!

Download ppt "Oh what a tangled web we weave...... when first to thread we do conceive."

Similar presentations

Chapter 12 Lists and Iterators. List Its an abstract concept not a vector, array, or linked structure. Those are implementations of a List. A list is a.

Chapter 12 Lists and Iterators. List Its an abstract concept not a vector, array, or linked structure. Those are implementations of a List. A list is a.
DATA STRUCTURES Lecture: Interfaces Slides adapted from Prof. Steven Roehrig.

DATA STRUCTURES Lecture: Interfaces Slides adapted from Prof. Steven Roehrig.
Relaxed Consistency Models. Outline Lazy Release Consistency TreadMarks DSM system.

Relaxed Consistency Models. Outline Lazy Release Consistency TreadMarks DSM system.
Gots ta move dat data...... and not trash your threads...

Gots ta move dat data and not trash your threads...
Introduction CSCI 444/544 Operating Systems Fall 2008.

Introduction CSCI 444/544 Operating Systems Fall 2008.
CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.

CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.
1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-

1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-
Intro to Threading CS221 – 4/20/09. What we’ll cover today Finish the DOTS program Introduction to threads and multi-threading.

Intro to Threading CS221 – 4/20/09. What we’ll cover today Finish the DOTS program Introduction to threads and multi-threading.
Road Map Introduction to object oriented programming. Classes

Road Map Introduction to object oriented programming. Classes
In Sync (No, not the lame boy band.). Today in history... Last time: Thinking about design: interface design Survey of code complexity: P1 vs. P3 Intro.

In Sync (No, not the lame boy band.). Today in history... Last time: Thinking about design: interface design Survey of code complexity: P1 vs. P3 Intro.
The Zen of Threads When you can snatch the lock from the object, grasshopper, then you are ready to spawn the thread...

The Zen of Threads When you can snatch the lock from the object, grasshopper, then you are ready to spawn the thread...
Synchronization in Java Nelson Padua-Perez Bill Pugh Department of Computer Science University of Maryland, College Park.

Synchronization in Java Nelson Padua-Perez Bill Pugh Department of Computer Science University of Maryland, College Park.
Oh what a tangled web we weave...... when first to thread we do conceive.

Oh what a tangled web we weave when first to thread we do conceive.
Inner Classes & the True Nature of Static. Administrivia Today: R2 Next Wed (Mar 30): Quiz 3 Multithreading and synchronization JDK java.lang.Thread,

Inner Classes & the True Nature of Static. Administrivia Today: R2 Next Wed (Mar 30): Quiz 3 Multithreading and synchronization JDK java.lang.Thread,
Administrivia P2 all grades available now Relative importance of scores M1: 30% M2: 30% Rollout: 40% P3 -- good progress so far! Looks like a lot of the.

Administrivia P2 all grades available now Relative importance of scores M1: 30% M2: 30% Rollout: 40% P3 -- good progress so far! Looks like a lot of the.
Building Secure Software Chapter 9 Race Conditions.

Building Secure Software Chapter 9 Race Conditions.
Synchronization in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.

Synchronization in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
Terms and Rules Professor Evan Korth New York University (All rights reserved)

Terms and Rules Professor Evan Korth New York University (All rights reserved)
Talking to Threads. Administriva Grade summary today.

Talking to Threads. Administriva Grade summary today.
Administrivia Midterm exam: Mar 10 (in class) Interfaces vs. Abstract classes Inner classes Data views; iterators Lexical analyzers (tokenizers) Theory:

Administrivia Midterm exam: Mar 10 (in class) Interfaces vs. Abstract classes Inner classes Data views; iterators Lexical analyzers (tokenizers) Theory:

Similar presentations

Ads by Google