[concurrency-interest] Concurrency and security

David Holmes davidcholmes at aapt.net.au
Wed May 19 23:54:22 EDT 2010

An unidentified poster writes:
> I am investigating an interesting topic: if the concurrency can harm
> software security.
> Is there any software security issue stemming from concurrency?

Yes. In poorly constructed systems race conditions could lead to various
invariant violations, including those pertaining to "security".

In a platform like Java, the programming language must ensure there are some
basic guarantees even in the face of race conditions. For Java this is
defined as part of the Java Memory Model, which ensures that you can't see
uninitialized fields (though they may be default initialized), and provides
for correct visibility of final fields.

But even if the language provides basic guarantees, it is up to classes to
use the language facilities correctly to ensure that they can't be
compromised by race conditions induced by client code.

And of course the runtime system (for Java that's the VM) must also be
written correctly to ensure no concurrency-related security holes exist.

Hope this gives you enough to do a proper investigation. ;-)

David Holmes
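
An added illustration of the point above about classes being compromised by race conditions induced by client code (not part of the original post or of any JDK code; `Request`, `openUnsafe`, `openSafe` and the paths are hypothetical). The unsafe method reads client-controlled mutable state once to check it and again to use it; the hardened method takes a single snapshot into an immutable local.

```java
import java.util.concurrent.atomic.AtomicBoolean;

// Added example; all names and paths here are hypothetical.
public class CheckThenUseRace {
    // Mutable, non-final field: client code can rewrite it at any time.
    static final class Request {
        volatile String path;
        Request(String path) { this.path = path; }
    }

    static boolean allowed(String path) { return path.startsWith("/public/"); }

    // Vulnerable: req.path is read twice, so the value that passed the
    // check and the value that is used can differ under a concurrent write.
    static String openUnsafe(Request req) {
        if (!allowed(req.path)) throw new SecurityException("denied");
        return req.path;                      // second read: time of use
    }

    // Hardened: read the untrusted state once into a final local (String is
    // immutable), then check and use only that private snapshot.
    static String openSafe(Request req) {
        final String snapshot = req.path;
        if (!allowed(snapshot)) throw new SecurityException("denied");
        return snapshot;
    }

    public static void main(String[] args) throws InterruptedException {
        Request req = new Request("/public/a.txt");
        AtomicBoolean stop = new AtomicBoolean();
        // Client thread keeps flipping the field while the checks run.
        Thread client = new Thread(() -> {
            while (!stop.get()) {
                req.path = "/private/secret.txt";
                req.path = "/public/a.txt";
            }
        });
        client.start();
        int unsafeBypass = 0, safeBypass = 0;
        for (int i = 0; i < 2_000_000; i++) {
            try { if (!allowed(openUnsafe(req))) unsafeBypass++; } catch (SecurityException e) { }
            try { if (!allowed(openSafe(req))) safeBypass++; } catch (SecurityException e) { }
        }
        stop.set(true);
        client.join();
        System.out.println("unsafe bypasses: " + unsafeBypass + ", safe bypasses: " + safeBypass);
    }
}
```

The safe count is always zero because the returned value is the one that was checked; the unsafe count depends on thread scheduling and is usually nonzero on a multi-core machine.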

