Time-of-check-to-time-of-use problem
The term time-of-check-to-time-of-use problem , also abbreviated as TOCTTOU (pronounced as TOCK-tuu ), describes one that results from a program error ( software bug ) and that may occur during the final execution of computer programs Facts. They generally do is a form of race condition ( race condition ) refers, in the time between the inspection of a system state ( time-of-check ) - for example, if write access to a file is made - and the use of test results ( time-of-use ) - for example a desired change to this file - is used to change the checked status, here the write access to a file, and thus make the check result irrelevant for the further program run. Thus, for example, a virus check carried out by an anti-virus program would possibly be unnecessary if, between the checking of the file for freedom from viruses and its use in the subsequent program sequence, this file is changed so that it contains a virus, or its activation or execution is only permitted.
The term was introduced in 1996 by Matt Bishop and Michael Dilger in this context. Andrey Kolishak described the same problem with using Windows hooks in 2003 .
Examples
A web application can, for example, allow its users to change certain pages, but also give the application administrator the option of locking pages against changes. If the user wants to make his change, an input mask is displayed for him in which he can enter or change his data. A system afflicted with the TOCTTOU problem allowed him to make the change at this moment (time-to-check) because it checked his authorization to make changes. However, if the administrator then, after the user has received the rights and before he has saved his changes, locks the page against changes and thus in principle forbids a change, this administrator action will be taken in the case of a faulty system when the user data is subsequently saved and thus at the time of use ( Time-of-Use) of the write permission can be ignored.
In Unix , the following section of a program written in C would have the TOCTTOU problem if it were used for a program with setuid rights:
if (access(file, R_OK) != 0) {
exit(1);
}
fd = open(file, O_RDONLY);
// do something with fd…
This section of the program is intended to check whether the registered user who uses this program has the rights of his own user account ( Real Userid , as opposed to the Effective Userid , which can contain other rights ) to read a specific file (here file ) ( R_OK for Read, German reading). This race situation opens up the following attack options:
- You create a file that can be read by the user.
- You start this program.
- You change the file to a symbolic link (symlink) that points to a file that cannot be read by the user.
It is entirely possible for an attacker to create these conditions for an attack. However, the process requires precise timing of the individual actions.
It follows in this case that in current Unix systems used system call (system call) access should be used in the used herein, in special cases, such as the first step exclusive for obtaining access rights ( mutex , test and test-and -set ).
literature
- Matt Bishop, Michael Dilger: Checking for race conditions in file accesses . (PDF; 182 kB) In: Computing Systems , Vol. 9, No. 2, 1996, pp. 131–152 (English)
- Nikita Borisov, Rob Johnson, Naveen Sastry, David Wagner: Fixing Races for Fun and Profit: How to abuse atime . Proceedings of the 14th Conference on USENIX Security Symposium (Security'05), Baltimore (MD), July 31 – August 5, 2005, Vol. 14, 2005, pp. 303–314 (English)
- Dan Tsafrir, Tomer Hertz, David Wagner, Dilma Da Silva: Portably Solving File TOCTTOU Races with Hardness Amplification . (PDF; 632 kB) Proceedings of the 6th USENIX Conference on File and Storage Technologies (FAST '08), San Jose (CA), February 26–29, 2008, pp. 189–206 (English)