The mobile application must not be vulnerable to race conditions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35753	SRG-APP-999999-MAPP-00071	SV-47040r1_rule		Medium

Description
A race condition occurs when an application receives two or more actions on the same resource in an unanticipated order which causes a conflict. Sometimes, the resource is locked by different users or functions within the application creating a deadlock situation. Racing can occur when the design uses global variables in place of local variables, multi-threaded application do not use thread safe functions when threads are accessing the same object or data as two examples. Applying this control, the DoD is protected against situations that would reduce the security posture of the application, device, data, and network as a result of security-related components not able to function as a result of the race condition. Furthermore, the user is also protected against access and availability issues that result from the application or certain components of the application from functioning correctly as a result of the race condition. Examples of race conditions vulnerabilities can be obtained from the OWASP website at https://www.owasp.org.

Description

A race condition occurs when an application receives two or more actions on the same resource in an unanticipated order which causes a conflict. Sometimes, the resource is locked by different users or functions within the application creating a deadlock situation. Racing can occur when the design uses global variables in place of local variables, multi-threaded application do not use thread safe functions when threads are accessing the same object or data as two examples. Applying this control, the DoD is protected against situations that would reduce the security posture of the application, device, data, and network as a result of security-related components not able to function as a result of the race condition. Furthermore, the user is also protected against access and availability issues that result from the application or certain components of the application from functioning correctly as a result of the race condition. Examples of race conditions vulnerabilities can be obtained from the OWASP website at https://www.owasp.org.

STIG	Date
Mobile Application Security Requirements Guide	2013-01-04

Details

Check Text ( C-44097r2_chk )
If the application does not use multiple threads or if it runs on a MOS that does not support multiple threads, then is IA control is not applicable. If the operating system is not multi-threaded, or never runs more than one application at a time, or effectively mitigates risk through some other mechanism, then the requirement is non-applicable. Perform a review of the documentation to understand how the application manages and is designed around the following items: - Race conditions. - Using global variables when local variables could be used. - Multi-threaded application uses thread safe functions. - Global resources being locked before being accessed by the application Global objects and resources. - Multiple threads or processes are accessing the same object. - Resources created in common areas. - Overly permissive ACLs. If the documentation review cannot be carried out or is inconclusive perform a static program analysis to assess how the application approaches each of the above items. Dynamic program analysis may also be useful to determine if race conditions are realized during operation. If the documentation and static program analysis reveal that the application design is reasonably likely to result in a race condition, this is a finding.

Check Text ( C-44097r2_chk )

If the application does not use multiple threads or if it runs on a MOS that does not support multiple threads, then is IA control is not applicable. If the operating system is not multi-threaded, or never runs more than one application at a time, or effectively mitigates risk through some other mechanism, then the requirement is non-applicable. Perform a review of the documentation to understand how the application manages and is designed around the following items:
- Race conditions.
- Using global variables when local variables could be used.
- Multi-threaded application uses thread safe functions.
- Global resources being locked before being accessed by the application Global objects and resources.
- Multiple threads or processes are accessing the same object.
- Resources created in common areas.
- Overly permissive ACLs.

If the documentation review cannot be carried out or is inconclusive perform a static program analysis to assess how the application approaches each of the above items. Dynamic program analysis may also be useful to determine if race conditions are realized during operation. If the documentation and static program analysis reveal that the application design is reasonably likely to result in a race condition, this is a finding.

Fix Text (F-40298r1_fix)
Remove race conditions from the code.