Time-of-check-to-time-of-use

From Wikipedia, the free encyclopedia

A time-of-check-to-time-of-use bug (TOCTTOU, pronounced "TOCK too") is a software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. It is a kind of race condition.

A simple example is as follows: Consider a Web application that allows a user to edit pages, but allows administrators to lock pages to prevent editing. A user requests to edit a page, getting a form by which they can alter its content. Before the user submits the form, an administrator locks the page, which should prevent editing. However, since the user has already begun editing, when they submit the form, their edits are accepted. When the user began editing, their authorization was checked, and they were indeed allowed to edit. However, the authorization was used later, after they should no longer have been allowed.

access example

In Unix, the following C code, when used in a setuid program, is a TOCTTOU bug:

#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* check: would the real user be allowed to read the file? */
if (access(file, R_OK) != 0) {
   exit(1);
}

/* use: the file named by 'file' may have changed since the check */
fd = open(file, O_RDONLY);
// do something with fd...

Here, access is intended to check whether the real user who executed the setuid program would normally be allowed to read the file (i.e., access checks the real user ID rather than the effective user ID, which open uses).

This race condition is vulnerable to an attack:

  1. Create a file the user can read
  2. Start the program
  3. Change the file to a symlink pointing to a file that the user shouldn't be able to read

Although this sequence of events requires precise timing, it is possible for an attacker to arrange such conditions without too much difficulty.

The implication is that the access system call, as it currently exists in Unix, should never be used.
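As an added example (not from the article), the usual replacement for the access()/open() pair above: temporarily take on the real user's identity and let the kernel perform the permission check on the open() itself, so there is no separate check to race against. The function names are this example's own, and it assumes a Unix system providing seteuid/setegid.

```c
#define _XOPEN_SOURCE 700   /* seteuid/setegid/mkstemp in strict C modes */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open 'path' as the real user instead of access()+open(). The kernel
 * checks permission on the same open() that returns the descriptor, so
 * no check-then-use window exists. The effective IDs are restored so the
 * rest of a setuid program keeps its privileges. Returns fd or -1/errno. */
int open_as_real_user(const char *path, int flags)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;
    /* Drop to the caller's real identity; group first, while still privileged. */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        return -1;
    fd = open(path, flags);   /* permission decided by the kernel as the real user */
    saved_errno = errno;
    /* Regain the saved identity; never carry on in an unexpected state. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();
    errno = saved_errno;
    return fd;
}

/* Stand-alone check: write a constructed temporary file, reopen it through
 * the wrapper and read it back. Returns 1 on success, 0 otherwise. */
int demo_roundtrip(void)
{
    char path[] = "/tmp/tocttou_demo_XXXXXX";   /* constructed sample file */
    char buf[8] = {0};
    int ok = 0, wfd = mkstemp(path);
    if (wfd < 0) return 0;
    if (write(wfd, "hello", 5) == 5) {
        int fd = open_as_real_user(path, O_RDONLY);
        ok = fd >= 0 && read(fd, buf, 5) == 5 && memcmp(buf, "hello", 5) == 0;
        if (fd >= 0) close(fd);
    }
    close(wfd);
    unlink(path);
    return ok;
}
```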
