Time of check to time of use

The term time-of-check-to-time-of-use problem, abbreviated TOCTTOU (pronounced TOCK-too), describes a condition that results from a programming error (software bug) and may show up when a computer program is executed. In general, it is a form of race condition. The interval between the check of a system state (time of check), for example whether write access to a file exists, and the use of the check result (time of use), for example making the desired change to that file, is used to alter the checked state, here the write access to the file. This makes the check irrelevant for the rest of the running program. In the same way, a virus scan performed by an antivirus program can fail if, between the scan of the file and its use in the subsequent program execution, the file is modified so that it contains a virus or so that the virus can be activated or executed in the first place.

The term was introduced in this context in 1996 by Matt Bishop and Michael Dilger. Andrey Kolishak described the same problem for the use of Windows hooks in 2003.

Examples

A web application may, for example, allow its users to change certain pages while also giving the administrator of the application the ability to lock pages against changes. When a user wants to make a change, an input form is displayed in which the user can enter or change data. A system affected by the TOCTTOU problem has granted the change at this moment (time of check), because it has verified the user's permission to make it. If the administrator then locks the page against changes, after the user has been granted the rights and before the user has saved the changes, a change is in principle forbidden. In a faulty system, the administrator's action is nevertheless ignored when the user's data is subsequently saved, that is, at the time the write permission is used (time of use).

In Unix, the following fragment of a program written in C has the TOCTTOU problem when it is used in a program that runs with setuid privileges:

    /* Time of check: access() tests the path with the real user ID. */
    if (access(file, R_OK) != 0) {
        exit(1);
    }

    /* Time of use: open() resolves the path again, with the effective user ID. */
    fd = open(file, O_RDONLY);
    // Do something with fd ...

This fragment is meant to check whether the logged-in user running the program may read a certain file (here file; R_OK stands for read access) with the rights of their own user account (the real user ID, in contrast to the effective user ID, which may carry other rights). This race condition opens up the following possibility for an attack:

For an attacker, it is quite possible to create these conditions for an attack. However, the method requires precise timing of individual actions.

It follows that the access system call available in current Unix systems should be used in the form shown here only in special cases, for example as the first step in obtaining exclusive access rights (mutex, test and test-and-set).
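One way to avoid the separate access check in a setuid program, given here as an added example that is not part of the original article: switch the effective IDs to the real ones so that open itself performs the permission check, then run any further checks on the descriptor rather than on the path. The function name open_as_real_user is chosen for this illustration, and a Linux or other POSIX.1-2008 system is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example; open_as_real_user is a name chosen for this illustration.
 * Opens `path` read-only with the rights of the real user, so the kernel
 * does the permission check and the open in one step. Returns a descriptor,
 * or -1 with errno set. */
int open_as_real_user(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();

    /* Drop the group first: once the euid is unprivileged, setegid may fail. */
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        int e = errno;
        if (setegid(saved_egid) != 0)
            abort();
        errno = e;
        return -1;
    }

    /* O_NONBLOCK keeps open() from blocking if the path names a FIFO. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
    int open_errno = errno;

    /* Regain the saved IDs, user first; a failure here leaves the process
     * in an unknown privilege state, so stop. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();
    if (fd < 0) {
        errno = open_errno;
        return -1;
    }

    /* Further checks go through the descriptor, never through the path again. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}
```

Because the descriptor stays bound to the file that was opened, later changes to what the path names do not affect the checks made with fstat.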
