Exploiting a TOCTTOU race condition requires precise timing to ensure that the attacker's operations interleave properly with the victim. In the example above, the attacker must execute the symlink system calls precisely between the access and open. For the most general attack, the attacker must be scheduled for execution after each operation by the victim, also known as "single-stepping" the victim.
Techniques for single-stepping a victim program include file system mazes<ref> Borisov, Nikita; Johnson, Rob; Sastry, Naveen; and Wagner, David; 2005; [http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=F70A03643D48FB5944F0FA3FA62D1D96summary?doi=10.1.1.117.7757&rep=rep1&type=pdf ''Fixing Races for Fun and Profit: How to abuse atime'']; Proceedings of the 14th Conference on USENIX Security Symposium (Security'05), Baltimore (MD), July 31–August 5, 2005, Vol. 14, pp. 303–314</ref> and algorithmic complexity attacks.<ref>Cai, Xiang; Gui, Yuwei; and Johnson, Rob; 2009; [http://www.cs.sunysb.edu/~rob/papers/races2.pdf ''Exploiting UNIX file-system races via algorithmic complexity attacks'']; Proceedings of the IEEE Symposium on Security and Privacy, Berkeley, CA.</ref>. In both cases, the attacker manipulates OS state to control scheduling of the victim.
File system mazes force the victim to read a directory entry that is not in the OS cache, and the OS puts the victim to sleep while it is reading the directory from disk. Algorithmic complexity attacks force the victim to spend its entire scheduling quantum inside a single system call traversing the kernel's hash table of cached file names. The attacker creates a very large number of files with names that hash to the same value as the file the victim will look up.
