Content deleted Content added
m Task 70: Update syntaxhighlight tags - remove use of deprecated <source> tags |
404 fixed; URL updated; cite web completed |
||
Line 1:
In [[software development]], '''time-of-check to time-of-use''' ('''TOCTOU''', '''TOCTTOU''' or '''TOC/TOU''') is a class of [[software bug]]s caused by a [[race condition]] involving the ''checking'' of the state of a part of a system (such as a security credential) and the ''use'' of the results of that check.
TOCTOU race conditions are common in [[Unix]] between operations on the [[File system#Metadata|file system]],<ref>{{Cite web
| url=https://www.usenix.org/conference/fast-05/tocttou-vulnerabilities-unix-style-file-systems-anatomical-study
| title=TOCTTOU Vulnerabilities in UNIX-Style File Systems: An Anatomical Study
| last=Wei
| first=Jinpeng
| last2=Pu
| first2=Calton
| date=December 2005
| publisher=[[USENIX]]
| access-date=2019-01-14}}</ref> but can occur in other contexts, including local [[Unix ___domain socket|sockets]] and improper use of [[database transaction]]s. In the early 1990s, the mail utility of BSD 4.3 UNIX had an [[Exploit (computer security)|exploitable]] race condition for temporary files because it used the <code>mktemp()</code><ref name="mktemp">{{cite web
| url=https://man7.org/linux/man-pages/man3/mktemp.3.html
| title=mktemp(3)
| work=Linux manual page
| date=2017-09-15}}</ref> function.<ref>{{cite web
| author=Shangde Zhou(周尚德)
| date=1991-10-01
| title=A Security Loophole in Unix
| language=cn
| url=http://cdblp.cn/paper/UNIX%E7%9A%84%E4%B8%80%E4%B8%AA%E6%BC%8F%E6%B4%9E/94334.html
| url-status=dead
| archiveurl=https://archive.is/20130116041403/http://cdblp.cn/paper/UNIX%E7%9A%84%E4%B8%80%E4%B8%AA%E6%BC%8F%E6%B4%9E/94334.html
| archivedate=2013-01-16}}</ref>
Early versions of [[OpenSSH]] had an exploitable race condition for [[Unix ___domain sockets]].<ref>{{cite web
| last=Acheson
| first=Steve
| date=1999-11-04
| title=The Secure Shell (SSH) Frequently Asked Questions
| url=http://www.employees.org/~satch/ssh/faq/TheWholeSSHFAQ.html
| url-status=dead
| archiveurl=https://web.archive.org/web/20170213004928/http://www.employees.org/~satch/ssh/faq/TheWholeSSHFAQ.html
| archivedate=2017-02-13 }}</ref> They remain a problem in modern systems; as of 2019, a TOCTOU race condition in [[Docker (software)|Docker]] allows root access to the filesystem of the host platform.<ref>{{Cite we
| url=https://duo.com/decipher/docker-bug-allows-root-access-to-host-file-system
| title=Docker Bug Allows Root Access to Host File System
| work=Decipher
| publisher=Duo Security
| access-date=2019-05-29}}</ref>
== Examples ==
Line 55 ⟶ 89:
Exploiting a TOCTOU race condition requires precise timing to ensure that the attacker's operations interleave properly with the victim's. In the example above, the attacker must execute the <code>symlink</code> system call precisely between the <code>access</code> and <code>open</code>. For the most general attack, the attacker must be scheduled for execution after each operation by the victim, also known as "single-stepping" the victim.
In the case of BSD 4.3 mail utility and mktemp(),<ref
Techniques for single-stepping a victim program include file system mazes<ref>{{cite journal
| last1=Borisov
| first1=Nikita
| last2=Johnson
| first2=Rob
| last3=Sastry
| first3=Naveen
| last4=Wagner
| first4=David
| year=2005
| title=Fixing races for fun and profit: how to abuse atime
| journal=Proceedings of the 14th Conference on USENIX Security Symposium
| ___location=Baltimore, MD
| date=August 2005
| volume=14
| pages=303–314
| citeseerx=10.1.1.117.7757 }}</ref> and algorithmic complexity attacks.<ref>{{cite web
| author1=Xiang Cai
| author2=Yuwei Gui
| last3=Johnson
| first3=Rob
| date=2009-03-06
| title=Exploiting Unix File-System Races via Algorithmic Complexity Attacks
| work=Proceedings of the [[IEEE]] Symposium on Security and Privacy
| url=http://www.cs.sunysb.edu/~rob/papers/races2.pdf
| ___location=Berkeley, CA
| date=May 2009}}</ref> In both cases, the attacker manipulates the OS state to control scheduling of the victim.
File system mazes force the victim to read a directory entry that is not in the OS cache, and the OS puts the victim to sleep while it is reading the directory from disk. Algorithmic complexity attacks force the victim to spend its entire scheduling quantum inside a single system call traversing the kernel's hash table of cached file names. The attacker creates a very large number of files with names that hash to the same value as the file the victim will look up.
Line 63 ⟶ 123:
== Preventing TOCTOU ==
Despite conceptual simplicity, TOCTOU race conditions are difficult to avoid and eliminate. One general technique is to use [[exception handling]] instead of checking, under the philosophy of EAFP – "It is easier to ask for forgiveness than permission" rather than LBYL – "look before you leap" – in this case there is no check, and failure of assumptions to hold are detected at use time, by an exception.<ref>{{cite book
| last=Martelli | first=Alex | authorlink=Alex Martelli | year=2006 | | edition= | | publisher=[[O'Reilly Media]] | | isbn=978-0-596-10046-9}}</ref>
In the context of file system TOCTOU race conditions, the fundamental challenge is ensuring that the file system cannot be changed between two system calls. In 2004, an impossibility result was published, showing that there was no portable, deterministic technique for avoiding TOCTOU race conditions.<ref>{{cite journal
| last1=Dean | first1=Drew | | | year=2004 | title=Fixing Races for Fun and Profit: How to use access(2) | journal=Proceedings of the 13th USENIX Security Symposium | ___location=San Diego, | date=August | pages=195–206
| citeseerx=10.1.1.83.8647 }}</ref>
Since this impossibility result, libraries for tracking [[file descriptor]]s and ensuring correctness have been proposed by researchers.<ref>{{cite web
| last1=Tsafrir
| first1=Dan
| last2=Hertz
| first2=Tomer
| last3=Wagner
| first3=David
| last4=Da Silva
| first4=Dilma
| authorlink4=Dilma Da Silva
| date=June 2008
| title=Portably Preventing File Race Attacks with User-Mode Path Resolution
| work=Technical Report RC24572, [[Thomas J. Watson Research Center|IBM T. J. Watson Research Center]]
| ___location=Yorktown Heights, NY
| url=https://dominoweb.draco.res.ibm.com/c4028924309762d18525746e004a4feb.html}}</ref>
An alternative solution proposed in the research community is for UNIX systems to adopt [[transaction processing|transaction]]s in the file system or the OS kernel. Transactions provide a [[concurrency control]] abstraction for the OS, and can be used to prevent TOCTOU races. While no production UNIX kernel has yet adopted transactions, proof-of-concept research prototypes have been developed for Linux, including the Valor file system<ref>{{cite web
| last1=Spillane
| first1=Richard P.
| last2=Gaikwad
| first2=Sachin
| last3=Chinni
| first3=Manjunath
| last4=Zadok
| first4=Erez
| year=2009
| title=Enabling Transactional File Access via Lightweight Kernel Extensions
| work=Seventh USENIX Conference on File and Storage Technologies (FAST 2009)
| ___location=San Francisco, CA
| date=February 24–27, 2009
| url=http://www.fsl.cs.sunysb.edu/docs/valor/valor_fast2009.pdf}}</ref> and the TxOS kernel.<ref>{{cite web
| last1=Porter
| first1=Donald E.
| last2=Hofmann
| first2=Owen S.
| last3=Rossbach
| first3=Christopher J.
| last4=Benn
| first4=Alexander
| last5=Witchel
| first5=Emmett
| year=2009
| title=Operating System Transactions
| work=Proceedings of the 22nd [[Association for Computing Machinery|ACM]] Symposium on Operating Systems Principles (SOSP '09)
| ___location=Big Sky, MT
| date=October 11–14, 2009
| url=http://www.sigops.org/sosp/sosp09/papers/porter-sosp09.pdf}}</ref> [[Microsoft Windows]] has added transactions to its [[NTFS]] file system,<ref>{{cite book
| last1=Russinovich
| first1=Mark
| last2=Solomon
| first2=David A.
| year=2009
| title=Windows Internals
| publisher=[[Microsoft Press]]
| isbn=978-0735648739}}</ref> but Microsoft discourages their use, and has indicated that they may be removed in a future version of Windows.<ref>{{cite web
| title=Alternatives to using Transactional NTFS
| website=[[Microsoft Developer Network]]
| url=https://docs.microsoft.com/en-us/windows/win32/fileio/deprecation-of-txf
| access-date=10 December 2015}}</ref>
[[File locking]] is a common technique for preventing race conditions for a single file, but it does not extend to the file system namespace and other metadata, nor does locking work well with networked filesystems, and cannot prevent TOCTOU race conditions.
For setuid binaries a possible solution is to use the <code>seteuid()</code> system call to change the effective user and then perform the <code>open()</code>. Differences in <code>setuid()</code> between operating systems can be problematic.<ref>{{cite web
| author1=Hao Chen | | first2=David | | | date=2002-05-12 | title=Setuid Demystified | ==See also==
* [[Linearizability]]
==References==
Line 83 ⟶ 228:
==Further reading==
* {{cite web |last1=Bishop |first1=Matt |last2=Dilger |first2=Michael |year=1996 |title=Checking for Race Conditions in File Accesses |work=Computing Systems |volume=9 |number=2 |pages=131–152 |url=http://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf }}
* {{cite web |last1=Tsafrir |first1=Dan |last2=Hertz |first2=Tomer |last3=Wagner |first3=David |last4=Da Silva |first4=Dilma |year=2008 |title=Portably Solving File TOCTTOU Races with Hardness Amplification |work=Proceedings of the 6th USENIX Conference on File and Storage Technologies (FAST '08), San Jose (CA), February 26–29, 2008 |pages=189–206 |url=http://www.cs.berkeley.edu/~daw/papers/tocttou-fast08.pdf }}
| |||