removed Template:Multiple issues & general fixes using AWB (7961)
Line 1:
A simple example is as follows: Consider a Web application that allows a user to edit pages, and also allows administrators to lock pages to prevent editing. A user requests to edit a page, getting a form by which he can alter its content. Before the user submits the form, an administrator locks the page, which should prevent editing. However, since the user has already begun editing, when he submits the form, his edits are accepted. When the user began editing, his authorization was ''checked'', and he was indeed allowed to edit. However, the authorization was ''used'' later, after he should no longer have been allowed.
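Review bot: at Line 1, the summary says Template:Multiple issues was removed, yet the only text shown here is the example paragraph itself, so nothing visible addresses whatever the template flagged. Say in the summary which of the listed issues were resolved, or keep the template until they are.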
Line 78:
== Further reading ==
* Bishop, Matt; and Dilger, Michael; 1996; [http://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf ''Checking for race conditions in file accesses'']; Computing Systems, Vol. 9, No. 2, pp.
* Tsafrir, Dan; Hertz, Tomer; Wagner, David; and Da Silva, Dilma; 2008; [http://www.cs.berkeley.edu/~daw/papers/tocttou-fast08.pdf ''Portably Solving File TOCTTOU Races with Hardness Amplification''], Proceedings of the 6th USENIX Conference on File and Storage Technologies (FAST '08), San Jose (CA), February 26–29, 2008, pp.
[[Category:Computer security exploits]]
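Review bot: in Further reading, both the Bishop and Dilger entry and the Tsafrir et al. entry end at "pp." with no page range after it. If the general fixes touched the page ranges, check that the numbers and the range dash survived the edit, and close each citation with its range.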