TOCTOU

Summary

Premise

  • system performs a check (e.g., file permission) and later acts on the resource assuming the check still holds
  • attacker can act between check and use
  • shared resources and non-atomic sequences on multi-process/multi-threaded systems

Attack

  • once a program checks access to a file, the attacker quickly replaces it with a symlink (pointer) to another file before the program opens it
  • the program then acts on the attacker-controlled target with its original privileges
  • requires careful timing or multiple threads/processes
  • requires code execution on the target machine

Attacker’s goals

  • access sensitive files -> confidentiality
  • escalate privileges, alter program behavior, or cause corruption

Defense

  • use atomic operations
  • minimize privileged windows between check and use, which the attacker could use to run the replacement
  • run with least privilege and validate after use if possible

Concept

Race conditions

  • when multiple parallel processes access shared data
  • the order in which they access the shared data can lead to different outcomes

TOCTOU

  • time-of-check-time-of-use
  • race condition
  • exploits the delay between time of check and time of use

Figure: sequence diagram with two lanes, victim process and attacker process. t1: victim checks file permissions (TOC); time gap; t2: attacker replaces the file with a symlink; t3: victim opens the file for writing (TOU), and the attacker gains access to the target file.