Time-of-check to time-of-use: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 21:17, 7 December 2020 edit Davemck (talk \| contribs) Extended confirmed users 135,345 edits m Clean up duplicate template arguments using findargdups ← Previous edit		Latest revision as of 22:38, 12 August 2025 edit undo CortexFiend (talk \| contribs) 91 edits Link suggestions feature: 3 links added. Tags: Visual edit Newcomer task Suggested: add links
(28 intermediate revisions by 24 users not shown)
Line 1: {{Short description\|Class of software bugs}} In [[software development]], '''time-of-check to time-of-use''' ('''TOCTOU''', '''TOCTTOU''' or '''TOC/TOU''') is a class of [[software bug]]s caused by a [[race condition]] involving the ''checking'' of the state of a part of a system (such as a security credential) and the ''use'' of the results of that check. Line 4 ⟶ 5: \| url=https://www.usenix.org/conference/fast-05/tocttou-vulnerabilities-unix-style-file-systems-anatomical-study \| title=TOCTTOU Vulnerabilities in UNIX-Style File Systems: An Anatomical Study \| ~~last~~last1=Wei \| ~~first~~first1=Jinpeng \| last2=Pu \| first2=Calton Line 18 ⟶ 19: \| date=1991-10-01 \| title=A Security Loophole in Unix \| language=cnen \| url=http://cdblp.cn/paper/UNIX%E7%9A%84%E4%B8%80%E4%B8%AA%E6%BC%8F%E6%B4%9E/94334.html \| url-status=dead \| archiveurl=https://archive.istoday/20130116041403/http://cdblp.cn/paper/UNIX%E7%9A%84%E4%B8%80%E4%B8%AA%E6%BC%8F%E6%B4%9E/94334.html \| archivedate=2013-01-16}}</ref> Early versions of [[OpenSSH]] had an exploitable race condition for [[Unix ___domain sockets]].<ref>{{cite web Line 31 ⟶ 32: \| url-status=dead \| archiveurl=https://web.archive.org/web/20170213004928/http://www.employees.org/~satch/ssh/faq/TheWholeSSHFAQ.html \| archivedate=2017-02-13 }}</ref> They remain a problem in modern systems; as of 2019, a TOCTOU race condition in [[Docker (software)\|Docker]] allows root access to the filesystem of the host platform.<ref>{{Cite weweb \| url=https://duo.com/decipher/docker-bug-allows-root-access-to-host-file-system \| title=Docker Bug Allows Root Access to Host File System \| work=Decipher \| date=28 May 2019 \| publisher=Duo Security \| access-date=2019-05-29}}</ref> In the 2023 [[Pwn2Own]] competition in Vancouver, a team of hackers were able to compromise the gateway in an updated [[Tesla Model 3]] using this bug.<ref>{{Cite web \|title=Windows 11, Tesla, Ubuntu, and macOS hacked at Pwn2Own 2023 \|url=https://www.bleepingcomputer.com/news/security/windows-11-tesla-ubuntu-and-macos-hacked-at-pwn2own-2023/ \|access-date=2023-03-24 \|website=BleepingComputer \|language=en-us}}</ref> ~~\| access-date=2019-05-29}}</ref>~~ == Examples == {{Unsourced section\|date=July 2022}} In [[Unix]], the following [[C (programming language)\|C]] code, when used in a <code>[[setuid]]</code> program, has a TOCTOU bug: <syntaxhighlight lang="c" line="1"> if (access("file", W_OK) != 0) { exit(1); } Line 53 ⟶ 55: This race condition is vulnerable to an attack: {\| class="wikitable" \|+ !Victim \|!Attacker \|- \|<syntaxhighlight lang="c" line="1"> if (access("file", W_OK) != 0) { exit(1); } fd = open("file", O_WRONLY);▼ // Actually writing over /etc/passwd▼ write(fd, buffer, sizeof(buffer));▼ </syntaxhighlight> \|\| \|- <syntaxhighlight lang="c">▼ \| // \|After the access check, before the open, the attacker replaces <code>file</code> with a [[symlink]] to the Unix password file <code>[[/etc/passwd]]</code>:<syntaxhighlight lang="c"> // ~~// After the access check~~ symlink("/etc/passwd", "file"); ~~// Before the open, "file" points to the password database~~ // // </syntaxhighlight> \|- ▲\|<syntaxhighlight lang="c" line="1" start="5"> ▲fd = open("file", O_WRONLY); ▲write(fd, buffer, sizeof(buffer)); ▲<// syntaxhighlight>Actually writing over <code>/etc/passwd</code> \| \|} In this example, an attacker can exploit the race condition between the <code>access</code> and <code>open</code> to trick the <code>setuid</code> victim into overwriting an entry in the system password database. TOCTOU races can be used for [[privilege escalation]], to get administrative access to a machine.▼ ▲In this example, an attacker can exploit the race condition between the <code>access</code> and <code>open</code> to trick the <code>setuid</code> victim into overwriting an entry in the system password database. TOCTOU races can be used for [[privilege escalation]], to get administrative access to a machine. Although this sequence of events requires precise timing, it is possible for an attacker to arrange such conditions without too much difficulty. Line 87 ⟶ 86: == Reliably timing TOCTOU == Exploiting a TOCTOU race condition requires precise timing to ensure that the attacker's operations interleave properly with the victim's. In the example above, the attacker must execute the <code>symlink</code> [[system call]] precisely between the <code>access</code> and <code>open</code>. For the most general attack, the attacker must be scheduled for execution after each operation by the victim, also known as "single-stepping" the victim. In the case of BSD 4.3 mail utility and <code>mktemp()</code>,<ref name="mktemp"/> the attacker can simply keep launching mail utility in one process, and keep guessing the [[temporary file]] names and keep making symlinks in another process. The attack can usually succeed in less than one minute. Techniques for single-stepping a victim program include file system mazes<ref>{{cite journal Line 100 ⟶ 99: \| last4=Wagner \| first4=David ~~\| year=2005~~ \| title=Fixing races for fun and profit: how to abuse atime \| journal=Proceedings of the 14th Conference on USENIX Security Symposium \| publisher=USENIX Association \| ___location=Baltimore, MD \| date=August 2005 \| volume=14 \| pages=303–314 \| citeseerx=10.1.1.117.7757 }}</ref> and algorithmic complexity attacks.<ref>{{cite ~~web~~book \| author1=Xiang Cai \| author2=Yuwei Gui \| last3=Johnson \| first3=Rob \| ~~work~~title=~~Proceedings~~2009 of30th ~~the [[~~IEEE]] Symposium on Security and Privacy▼ \| ~~title~~chapter=Exploiting Unix File-System Races via Algorithmic Complexity Attacks ▲\| work=Proceedings of the [[IEEE]] Symposium on Security and Privacy \| chapter-url=https://www3.cs.stonybrook.edu/~rob/papers/races2.pdf \| publisher=IEEE Computer Society \| ___location=Berkeley, CA \| date=May 2009 \| pages=27–41 \| doi=10.1109/SP.2009.10 \| isbn=978-0-7695-3633-0 \| s2cid=6393789 \|archive-url=https://web.archive.org/web/20210518212029/https://www3.cs.stonybrook.edu/~rob/papers/races2.pdf \|archive-date=2021-05-18 \|url-status=dead }}</ref> In both cases, the attacker manipulates the OS state to control scheduling of the victim. File system mazes force the victim to read a directory entry that is not in the OS cache, and the OS puts the victim to sleep while it is reading the directory from disk. Algorithmic complexity attacks force the victim to spend its entire scheduling quantum inside a single system call traversing the kernel's [[hash table]] of cached file names. The attacker creates a very large number of files with names that hash to the same value as the file the victim will look up. == Preventing TOCTOU == Despite conceptual simplicity, TOCTOU race conditions are difficult to avoid and eliminate. One general technique is to use ~~[[exception~~error handling]] instead of pre-checking, under the philosophy of EAFP – "It is easier to ask for forgiveness than permission" {{snd}}rather than LBYL – "look before you leap". ~~– in~~In this case there is no check, and failure of assumptions to hold are ~~detected~~signaled atby ~~use~~an ~~time,~~error ~~by an~~being ~~exception~~returned.<ref>{{cite book \| last=Martelli \| first=Alex Line 136 ⟶ 142: \| isbn=978-0-596-10046-9}}</ref> In the context of file system TOCTOU race conditions, the fundamental challenge is ensuring that the file system cannot be changed between two system calls. In 2004, an impossibility result was published, showing that there was no portable, deterministic technique for avoiding TOCTOU race conditions when using the Unix <code>access</code> and <code>open</code> filesystem calls.<ref>{{cite journal \| last1=Dean \| first1=Drew \| last2=Hu \| first2=Alan J. ~~\| year=2004~~ \| title=Fixing Races for Fun and Profit: How to use access(2) \| journal=Proceedings of the 13th USENIX Security Symposium Line 165 ⟶ 170: \| url=https://dominoweb.draco.res.ibm.com/c4028924309762d18525746e004a4feb.html}}</ref> An alternative solution proposed in the research community is for ~~UNIX~~Unix systems to adopt [[transaction processing\|transaction]]s in the file system or the OS kernel. Transactions provide a [[concurrency control]] abstraction for the OS, and can be used to prevent TOCTOU races. While no production ~~UNIX~~Unix kernel has yet adopted transactions, proof-of-concept research prototypes have been developed for Linux, including the Valor file system<ref>{{cite web \| last1=Spillane \| first1=Richard P. Line 174 ⟶ 179: \| last4=Zadok \| first4=Erez ~~\| year=2009~~ \| title=Enabling Transactional File Access via Lightweight Kernel Extensions \| work=Seventh USENIX Conference on File and Storage Technologies (FAST 2009) Line 190 ⟶ 194: \| last5=Witchel \| first5=Emmett ~~\| year=2009~~ \| title=Operating System Transactions \| work=Proceedings of the 22nd [[Association for Computing Machinery\|ACM]] Symposium on Operating Systems Principles (SOSP '09) Line 200 ⟶ 203: \| last2=Solomon \| first2=David A. ~~\| year=2009~~ \| title=Windows Internals \| publisher=[[Microsoft Press]] Line 207 ⟶ 209: \| website=[[Microsoft Developer Network]] \| url=https://docs.microsoft.com/en-us/windows/win32/fileio/deprecation-of-txf \| access-date=10 December 2015~~}}</ref>~~ \| archive-url=https://web.archive.org/web/20220929200925/https://learn.microsoft.com/en-us/windows/win32/fileio/deprecation-of-txf \| archive-date=29 September 2022}}</ref> [[File locking]] is a common technique for preventing race conditions for a single file, but it does not extend to the file system namespace and other metadata, nor does locking work well with networked filesystems, and cannot prevent TOCTOU race conditions. For <code>setuid</code> binaries, a possible solution is to use the <code>seteuid()</code> system call to change the effective user and then perform the <code>open()</code> call. Differences in <code>setuid()</code> between operating systems can be problematic.<ref>{{cite web \| author1=Hao Chen \| last2=Wagner Line 233 ⟶ 237: [[Category:Computer security exploits]] [[Category:software bugs]]