Time-of-check-to-time-of-use
In software development, time-of-check-to-time-of-use (TOCTTOU, pronounced "TOCK too") is a class of software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. It is a kind of race condition.
A simple example is as follows: Consider a Web application that allows a user to edit pages, and also allows administrators to lock pages to prevent editing. A user requests to edit a page, getting a form by which he can alter its content. Before the user submits the form, an administrator locks the page, which should prevent editing. However, since the user has already begun editing, when he submits the form, his edits are accepted. When the user began editing, his authorization was checked, and he was indeed allowed to edit. However, the authorization was used later, after he should no longer have been allowed.
TOCTTOU race conditions are most common in Unix between operations on the file system, but can occur in other contexts, including local sockets and improper use of database transactions. Early versions of OpenSSH had an exploitable race condition for Unix domain sockets.
Examples
In Unix, the following C code, when used in a setuid program, is a TOCTTOU bug:

Here, access is intended to check whether the real user who executed the setuid program would normally be allowed to write the file (i.e., access checks the real user ID rather than the effective user ID). This race condition is vulnerable to an attack:
Victim | Attacker |
In this example, an attacker can exploit the race condition between the access and the open to trick the setuid victim into overwriting an entry in the system password database. TOCTTOU races can be used for privilege escalation, to get administrative access to a machine.
Although this sequence of events requires precise timing, it is possible for an attacker to arrange such conditions without too much difficulty.
The implication is that applications cannot assume the state managed by the operating system (in this case the file system namespace) will not change between system calls.
Reliably timing TOCTTOU
Exploiting a TOCTTOU race condition requires precise timing to ensure that the attacker's operations interleave properly with the victim's. In the example above, the attacker must execute the symlink system call precisely between the access and the open. For the most general attack, the attacker must be scheduled for execution after each operation by the victim, also known as "single-stepping" the victim.
Techniques for single-stepping a victim program include file system mazes and algorithmic complexity attacks. In both cases, the attacker manipulates the OS state to control scheduling of the victim.
File system mazes force the victim to read a directory entry that is not in the OS cache, and the OS puts the victim to sleep while it is reading the directory from disk. Algorithmic complexity attacks force the victim to spend its entire scheduling quantum inside a single system call traversing the kernel's hash table of cached file names. The attacker creates a very large number of files with names that hash to the same value as the file the victim will look up.
Preventing TOCTTOU
Despite conceptual simplicity, TOCTTOU race conditions are difficult to avoid and eliminate. One general technique is to use exception handling instead of checking, under the philosophy of EAFP ("It is easier to ask for forgiveness than permission") rather than LBYL ("look before you leap"). In this case there is no separate check: the operation is simply attempted, and any failure of the assumptions to hold is detected at use time, by an exception.
In the context of file system TOCTTOU race conditions, the fundamental challenge is ensuring that the file system cannot be changed between two system calls. In 2004, an impossibility result was published, showing that there was no portable, deterministic technique for avoiding TOCTTOU race conditions.
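The following is an added example, not code from the article. It places the access-then-open pattern from the Examples section beside a hardened opener that follows the "ask forgiveness" approach described above: instead of asking access() about a name and then opening that name, it temporarily drops the effective user ID to the real one so the kernel's own permission check applies to the very object that open() returns, refuses to follow a symbolic link in the final path component, and inspects the opened descriptor rather than the name. The function names, the temporary file under /tmp and the symbolic link standing in for a re-pointed name are all assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the article describes ("before" picture, kept only for
 * comparison): the check and the use both go by name, so nothing ties the
 * object access() looked at to the object open() returns. */
static int write_with_access_check(const char *path, const char *buf, size_t n)
{
    if (access(path, W_OK) != 0)        /* check: by name, real uid */
        return -1;
    int fd = open(path, O_WRONLY);      /* use: by name, effective uid */
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, buf, n);
    close(fd);
    return w == (ssize_t)n ? 0 : -1;
}

/* Hardened form (assumed helper, not from the article): no check step.
 * 1. Drop the effective uid to the real uid, so the kernel applies the real
 *    user's permissions to whatever open() actually resolves.
 * 2. O_NOFOLLOW refuses a symbolic link as the final path component.
 * 3. Validate the descriptor we got, not the name we asked for. */
static int open_for_write_as_real_user(const char *path)
{
    uid_t saved_euid = geteuid();
    if (seteuid(getuid()) != 0)
        return -1;
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    int saved_errno = errno;
    if (seteuid(saved_euid) != 0) {     /* cannot regain privilege: give up */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    if (fd < 0) {
        errno = saved_errno;            /* report the open() failure, not seteuid's */
        return -1;
    }
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

static int write_as_real_user(const char *path, const char *buf, size_t n)
{
    int fd = open_for_write_as_real_user(path);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, buf, n);
    close(fd);
    return w == (ssize_t)n ? 0 : -1;
}

int main(void)
{
    /* Constructed sample target: a scratch file plus a symbolic link to it.
     * The link stands in for a name that was re-pointed after the check. */
    char path[] = "/tmp/tocttou_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return 1;
    close(fd);
    char link[sizeof path + 8];
    snprintf(link, sizeof link, "%s.lnk", path);
    if (symlink(path, link) != 0)
        return 1;

    printf("access-then-open through the link: %d\n",
           write_with_access_check(link, "x", 1));          /* 0: writes through */
    int r = write_as_real_user(link, "x", 1);
    printf("open-as-real-user through the link: %d (%s)\n", r, strerror(errno)); /* -1 (ELOOP) */
    printf("open-as-real-user on the file itself: %d\n",
           write_as_real_user(path, "x", 1));                /* 0 */
    unlink(link);
    unlink(path);
    return 0;
}
```

Run as an ordinary user the two user IDs are equal, so the privilege drop is a no-op and the program only demonstrates the O_NOFOLLOW refusal; in a real setuid program the drop is what carries the guarantee, because O_NOFOLLOW covers only the last path component and a symbolic link earlier in the path is still followed. Note also that this removes the check, it does not make the namespace stable: the name can still be re-pointed, but whatever it resolves to is opened with the real user's permissions, so the re-pointing buys nothing.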
Since this impossibility result, libraries for tracking file descriptors and ensuring correctness have been proposed by researchers.
An alternative solution proposed in the research community is for UNIX systems to adopt transactions in the file system or the OS kernel. Transactions provide a concurrency control abstraction for the OS, and can be used to prevent TOCTTOU races. While no production UNIX kernel has yet adopted transactions, proof-of-concept research prototypes have been developed for Linux, including the Valor file system and the TxOS kernel. Microsoft Windows has added transactions to its NTFS file system.
File locking is a common technique for preventing race conditions for a single file, but it does not extend to the file system namespace and other metadata, and cannot prevent TOCTTOU race conditions.
Further reading
- Bishop, Matt; and Dilger, Michael; 1996; Checking for race conditions in file accesses; Computing Systems, Vol. 9, No. 2, pp. 131–152
- Tsafrir, Dan; Hertz, Tomer; Wagner, David; and Da Silva, Dilma; 2008; Portably Solving File TOCTTOU Races with Hardness Amplification, Proceedings of the 6th USENIX Conference on File and Storage Technologies (FAST '08), San Jose (CA), February 26–29, 2008, pp. 189–206