Time-of-check to time-of-use
In computer security, a time-of-check-to-time-of-use (TOCTTOU, pronounced "TOCK too") bug is a specific type of race condition that exists in security-conscious software and leads to a security vulnerability.
The race condition exists between the time a property is checked and the time that property is used.
Example
Suppose Mallet, a malicious Wikipedia visitor, wishes to deface the Wikipedia Main Page. The Main Page and all images on it are normally protected from modification by non-administrators precisely to prevent this.
Mallet proposes some article A as a featured article, so that a blurb of article A will appear on the Main Page. If the article text itself contained suspicious material, it would be noticed immediately, so what Mallet intends instead is to arrange for the image to be unlocked.
Consider this hypothetical model for the process for including an article A on the Main Page:
1. Check that the images in A are locked.
2. Copy the first paragraph of the current version of A to the Main Page, including the linked image.
Article A normally shows an image I.jpg. If Mallet could modify article A exactly between steps 1 and 2 so that the image pointed instead to I1.jpg, an initially identical-looking image, then the Main Page would at first look fine. But in fact Mallet has engineered an unlocked image onto the Main Page, and he is now free to change the image at will while it is displayed there.
This would be a time-of-check-to-time-of-use error in the featured article inclusion process. The solution in this case would be for step 2 to copy the same version of A that step 1 checked.
access() example
In Unix, the following C code, when in a setuid program, is a TOCTTOU bug:
    if (access(file, R_OK) != 0) {
        exit(1);
    }
    fd = open(file, O_RDONLY);
    // do something with fd...
Here, access is intended to check whether the real user who executed the setuid program would normally be allowed to read the file (i.e., access checks against the real user ID rather than the effective user ID).
This race condition is vulnerable to an attack:
- Create a file the user can read
- Start the program
- Change the file to a symlink pointing to a file that the user shouldn't be able to read
Although this sequence of events requires precise timing, it is possible for an attacker to arrange such conditions without too much difficulty.
The implication is that the access system call, as it currently exists in Unix, should never be used.