Time-of-check to time-of-use: Difference between revisions

Najajakakaj
m Reverting possible vandalism by 2806:105E:15:4B59:282E:A40E:4009:3C to version by Rlink2. Report False Positive? Thanks, ClueBot NG. (4091311) (Bot)
In [[software development]], '''time-of-check to time-of-use''' ('''TOCTOU''', '''TOCTTOU''' or '''TOC/TOU''') is a class of [[software bug]]s caused by a [[race condition]] involving the ''checking'' of the state of a part of a system (such as a security credential) and the ''use'' of the results of that check.
 
TOCTOU race conditions are common in [[Unix]] between operations on the [[File system#Metadata|file system]],<ref>{{Cite web
| url=https://www.usenix.org/conference/fast-05/tocttou-vulnerabilities-unix-style-file-systems-anatomical-study
| title=TOCTTOU Vulnerabilities in UNIX-Style File Systems: An Anatomical Study
| last1=Wei
| first1=Jinpeng
| last2=Pu
| first2=Calton
| date=December 2005
| publisher=[[USENIX]]
| access-date=2019-01-14}}</ref> but can occur in other contexts, including local [[Unix ___domain socket|sockets]] and improper use of [[database transaction]]s. In the early 1990s, the mail utility of BSD 4.3 UNIX had an [[Exploit (computer security)|exploitable]] race condition for temporary files because it used the <code>mktemp()</code><ref name="mktemp">{{cite web
| url=https://man7.org/linux/man-pages/man3/mktemp.3.html
| title=mktemp(3)
| archiveurl=https://archive.today/20130116041403/http://cdblp.cn/paper/UNIX%E7%9A%84%E4%B8%80%E4%B8%AA%E6%BC%8F%E6%B4%9E/94334.html
| archivedate=2013-01-16}}</ref>
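The <code>mktemp()</code> race described above, shown as an added illustration that is not part of this article and is not the code of the BSD mail utility: the unsafe writer first learns that a name is free (as <code>mktemp()</code> does, which returns a name but creates nothing) and only later opens it, while the hardened writer creates the file atomically with <code>O_CREAT|O_EXCL</code>, which is what <code>mkstemp()</code> does internally. The function names, the scratch directory under <code>/tmp</code>, the constructed "inbox" file and the in-process <code>interfere</code> hook that stands in for a concurrent process are all assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Outcome codes shared by both writers (names are this example's own). */
enum tmp_result { TMP_OK = 0, TMP_REFUSED = 1, TMP_ERROR = 2 };

static const char PAYLOAD[] = "queued mail\n";

/* mktemp()-style (unsafe): first learn that `path` is free, then open it.
 * `interfere` stands in for a concurrent process acting inside the window
 * between those two steps. */
static int write_tmp_unsafe(const char *path, void (*interfere)(const char *))
{
    if (access(path, F_OK) == 0)                   /* time of check */
        return TMP_REFUSED;
    if (interfere) interfere(path);                /* the race window */
    int fd = open(path, O_WRONLY | O_CREAT, 0600); /* time of use: follows whatever is there now */
    if (fd < 0) return TMP_ERROR;
    ssize_t n = write(fd, PAYLOAD, sizeof PAYLOAD - 1);
    close(fd);
    return n == (ssize_t)(sizeof PAYLOAD - 1) ? TMP_OK : TMP_ERROR;
}

/* mkstemp()-style (safe): no separate check. O_CREAT|O_EXCL makes the kernel
 * create the entry atomically and fail with EEXIST if any entry, regular file
 * or symlink, already occupies the name. */
static int write_tmp_safe(const char *path, void (*interfere)(const char *))
{
    if (interfere) interfere(path);                /* same interference, no window to win */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return errno == EEXIST ? TMP_REFUSED : TMP_ERROR;
    ssize_t n = write(fd, PAYLOAD, sizeof PAYLOAD - 1);
    close(fd);
    return n == (ssize_t)(sizeof PAYLOAD - 1) ? TMP_OK : TMP_ERROR;
}

/* Constructed scenario: a scratch directory under /tmp, a file that must stay
 * untouched, and an "other process" that links the predictable temp name to it. */
static char victim[64];

static void link_temp_to_victim(const char *tmp_path)
{
    if (symlink(victim, tmp_path) != 0) perror("symlink");
}

static int file_equals(const char *path, const char *expect)
{
    char buf[64] = {0};
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return n == strlen(expect) && memcmp(buf, expect, n) == 0;
}

/* Runs one writer against the scenario. Stores the writer's outcome in *result
 * and returns 1 if the victim file still holds its original contents afterwards,
 * 0 if it was clobbered or the scenario could not be set up. */
static int run_scenario(int (*writer)(const char *, void (*)(const char *)), int *result)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    char tmp_path[64];
    *result = TMP_ERROR;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/inbox", dir);
    snprintf(tmp_path, sizeof tmp_path, "%s/mail0001", dir); /* as guessable as a mktemp() name */
    FILE *f = fopen(victim, "w");
    if (!f) { rmdir(dir); return 0; }
    fputs("original\n", f);
    fclose(f);

    *result = writer(tmp_path, link_temp_to_victim);
    int intact = file_equals(victim, "original\n");

    unlink(tmp_path);   /* removes the planted link, not its target */
    unlink(victim);
    rmdir(dir);
    return intact;
}

/* 1 when the unsafe writer reports success but has written through the
 * planted link into the victim file. */
int demo_unsafe_clobbers_victim(void)
{
    int r;
    int intact = run_scenario(write_tmp_unsafe, &r);
    return r == TMP_OK && !intact;
}

/* 1 when the safe writer refuses the occupied name and the victim is untouched. */
int demo_safe_refuses(void)
{
    int r;
    int intact = run_scenario(write_tmp_safe, &r);
    return r == TMP_REFUSED && intact;
}

int main(void)
{
    printf("unsafe writer clobbered the victim: %s\n", demo_unsafe_clobbers_victim() ? "yes" : "no");
    printf("safe writer refused the occupied name: %s\n", demo_safe_refuses() ? "yes" : "no");
    return 0;
}
```

The interference runs in-process so the window is hit deterministically; in a real system it is a second process racing against the first, which is why the bug only shows up intermittently. The defensive rule the safe writer follows is to make the check and the use one atomic operation, and then keep working on the returned file descriptor rather than re-opening the file by name.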
Early versions of [[OpenSSH|SSH]] had an exploitable race condition for [[Unix ___domain sockets]].<ref>{{cite web
| last=Acheson
| first=Steve
| url-status=dead
| archiveurl=https://web.archive.org/web/20170213004928/http://www.employees.org/~satch/ssh/faq/TheWholeSSHFAQ.html
| archivedate=2017-02-13 }}</ref> They remain a problem in modern systems; as of 2019, a TOCTOU race condition in [[Docker (software)|Docker]] allows root access to the filesystem of the host platform.<ref>{{Cite web
| url=https://duo.com/decipher/docker-bug-allows-root-access-to-host-file-system
| title=Docker Bug Allows Root Access to Host File System