m moved Time-of-check-to-time-of-use to Time of check to time of use over redirect |
Line 1:
{{multiple}}In [[software development]], '''time
A simple example is as follows: Consider a Web application that allows a user to edit pages, and also allows administrators to lock pages to prevent editing. A user requests to edit a page, getting a form by which he can alter its content. Before the user submits the form, an administrator locks the page, which should prevent editing. However, since the user has already begun editing, when he submits the form, his edits are accepted. When the user began editing, his authorization was ''checked'', and he was indeed allowed to edit. However, the authorization was ''used'' later, after he should no longer have been allowed.
Line 56:
Exploiting a TOCTTOU race condition requires precise timing to ensure that the attacker's operations interleave properly with the victim's. In the example above, the attacker must execute the <code>symlink</code> system calls precisely between the <code>access</code> and <code>open</code>. For the most general attack, the attacker must be scheduled for execution after each operation by the victim, also known as "single-stepping" the victim.
Techniques for single-stepping a victim program include file system mazes<ref>[http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.117.7757 Borisov, Nikita; Johnson, Rob; Sastry, Naveen; and Wagner, David; 2005; ''Fixing Races for Fun and Profit: How to abuse atime''; Proceedings of the 14th Conference on USENIX Security Symposium<!-- sic! --> (Security'05), Baltimore (MD), July
File system mazes force the victim to read a directory entry that is not in the OS cache, and the OS puts the victim to sleep while it is reading the directory from disk. Algorithmic complexity attacks force the victim to spend its entire scheduling quantum inside a single system call traversing the kernel's hash table of cached file names. The attacker creates a very large number of files with names that hash to the same value as the file the victim will look up.
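An added C example (not part of the original article) of the check/use gap discussed above: the racy <code>access</code>-then-<code>open</code> sequence beside a form that resolves the name once and then checks the object behind the descriptor. The function names, the <code>/tmp</code> sample paths and the owner-based check are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: the path is resolved twice, by access() and again by open().
   Whatever the name refers to can be replaced between the two calls. */
int open_racy(const char *path) {
    if (access(path, W_OK) != 0) return -1;   /* time of check */
    return open(path, O_WRONLY);              /* time of use */
}

/* Hardened pattern: resolve the name once, refuse a symlink as the final
   component, then check the already-opened object with fstat(). */
int open_checked(const char *path, uid_t owner) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                    /* ELOOP if path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed self-check: a regular file is accepted, a symlink to the same
   file is rejected. Returns 0 when both hold. */
int self_check(void) {
    char file[] = "/tmp/toctou_demo_XXXXXX";
    char link[64];
    int tmp = mkstemp(file);
    if (tmp < 0) return -1;
    close(tmp);
    snprintf(link, sizeof link, "%s.lnk", file);
    if (symlink(file, link) != 0) { unlink(file); return -1; }
    int a = open_checked(file, geteuid());
    int b = open_checked(link, geteuid());
    int ok = (a >= 0) && (b < 0);
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    unlink(link);
    unlink(file);
    return ok ? 0 : 1;
}

int main(void) { return self_check(); }
```

<code>O_NOFOLLOW</code> covers only the final path component; directories earlier in the path can still be swapped and need the same descriptor-based handling.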