Time-of-check to time-of-use: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 02:09, 16 March 2025 edit Brandon (talk \| contribs) Edit filter managers, Administrators 23,423 edits m Reverted edit by 142.67.219.48 (talk) to last version by Frap Tags: Rollback Mobile edit Mobile web edit Advanced mobile edit ← Previous edit		Latest revision as of 22:38, 12 August 2025 edit undo CortexFiend (talk \| contribs) 91 edits Link suggestions feature: 3 links added. Tags: Visual edit Newcomer task Suggested: add links
(2 intermediate revisions by one other user not shown)
Line 86: == Reliably timing TOCTOU == Exploiting a TOCTOU race condition requires precise timing to ensure that the attacker's operations interleave properly with the victim's. In the example above, the attacker must execute the <code>symlink</code> [[system call]] precisely between the <code>access</code> and <code>open</code>. For the most general attack, the attacker must be scheduled for execution after each operation by the victim, also known as "single-stepping" the victim. In the case of BSD 4.3 mail utility and <code>mktemp()</code>,<ref name="mktemp"/> the attacker can simply keep launching mail utility in one process, and keep guessing the [[temporary file]] names and keep making symlinks in another process. The attack can usually succeed in less than one minute. Techniques for single-stepping a victim program include file system mazes<ref>{{cite journal Line 99: \| last4=Wagner \| first4=David ~~\| year=2005~~ \| title=Fixing races for fun and profit: how to abuse atime \| journal=Proceedings of the 14th Conference on USENIX Security Symposium \| publisher=USENIX Association \| ___location=Baltimore, MD \| date=August 2005 Line 114: \| chapter=Exploiting Unix File-System Races via Algorithmic Complexity Attacks \| chapter-url=https://www3.cs.stonybrook.edu/~rob/papers/races2.pdf \| publisher=IEEE Computer Society \| ___location=Berkeley, CA \| date=May 2009 Line 125 ⟶ 126: }}</ref> In both cases, the attacker manipulates the OS state to control scheduling of the victim. File system mazes force the victim to read a directory entry that is not in the OS cache, and the OS puts the victim to sleep while it is reading the directory from disk. Algorithmic complexity attacks force the victim to spend its entire scheduling quantum inside a single system call traversing the kernel's [[hash table]] of cached file names. The attacker creates a very large number of files with names that hash to the same value as the file the victim will look up. == Preventing TOCTOU == Line 146 ⟶ 147: \| last2=Hu \| first2=Alan J. ~~\| year=2004~~ \| title=Fixing Races for Fun and Profit: How to use access(2) \| journal=Proceedings of the 13th USENIX Security Symposium Line 179: \| last4=Zadok \| first4=Erez ~~\| year=2009~~ \| title=Enabling Transactional File Access via Lightweight Kernel Extensions \| work=Seventh USENIX Conference on File and Storage Technologies (FAST 2009) Line 195 ⟶ 194: \| last5=Witchel \| first5=Emmett ~~\| year=2009~~ \| title=Operating System Transactions \| work=Proceedings of the 22nd [[Association for Computing Machinery\|ACM]] Symposium on Operating Systems Principles (SOSP '09) Line 205 ⟶ 203: \| last2=Solomon \| first2=David A. ~~\| year=2009~~ \| title=Windows Internals \| publisher=[[Microsoft Press]]