Jump to content

Time-of-check to time-of-use: Difference between revisions

From Wikipedia, the free encyclopedia
Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
Simon04 (talk | contribs)
235 edits
→‎Examples: clarify
 
(44 intermediate revisions by 28 users not shown)
Line 1: Line 1:
{{Short description|Class of software bugs}}
In [[software development]], '''time of check to time of use''' ('''TOCTTOU''' or '''TOCTOU''', pronounced "''tock too''") is a class of [[software bug]]s caused by changes in a system between the ''checking'' of a condition (such as a security credential) and the ''use'' of the results of that check. This is one example of a [[race condition]].
In [[software development]], '''time-of-check to time-of-use''' ('''TOCTOU''', '''TOCTTOU''' or '''TOC/TOU''') is a class of [[software bug]]s caused by a [[race condition]] involving the ''checking'' of the state of a part of a system (such as a security credential) and the ''use'' of the results of that check.


TOCTOU race conditions are common in [[Unix]] between operations on the [[File system#Metadata|file system]],<ref>{{Cite web
A simple example is as follows: Consider a Web application that allows a user to edit pages, and also allows administrators to lock pages to prevent editing. A user requests to edit a page, getting a form which can be used to alter its content. Before the user submits the form, an administrator locks the page, which should prevent editing. However, since editing has already begun, when the user submits the form, those edits (which have already been made) are accepted. When the user began editing, the appropriate authorization was ''checked'', and the user was indeed allowed to edit. However, the authorization was ''used'' later, at a time when edits should no longer have been allowed.
| url=https://www.usenix.org/conference/fast-05/tocttou-vulnerabilities-unix-style-file-systems-anatomical-study

| title=TOCTTOU Vulnerabilities in UNIX-Style File Systems: An Anatomical Study
TOCTTOU race conditions are most common in [[Unix]] between operations on the [[File system#Metadata|file system]], but can occur in other contexts, including local [[Unix domain socket|sockets]] and improper use of [[database transaction]]s. In the early 1990s, the mail utility of BSD 4.3 UNIX had an [[Exploit (computer security)|exploitable]] race condition for temporary files because it used the [[C_standard_library#Threading_problems,_vulnerability_to_race_conditions|mktemp() C library function]].<ref>{{cite web |author=Shangde Zhou(周尚德) |date=1991-10-01 |title=A Security Loophole in Unix |url=http://cdblp.cn/paper/UNIX%E7%9A%84%E4%B8%80%E4%B8%AA%E6%BC%8F%E6%B4%9E/94334.html |deadurl=yes |archiveurl=https://archive.is/20130116041403/http://cdblp.cn/paper/UNIX%E7%9A%84%E4%B8%80%E4%B8%AA%E6%BC%8F%E6%B4%9E/94334.html |archivedate=2013-01-16 |df= }}</ref>
| last1=Wei
Early versions of [[OpenSSH]] had an exploitable race condition for [[Unix domain sockets]].<ref>{{cite web |last=Acheson |first=Steve |date=1999-11-04 |title=The Secure Shell (SSH) Frequently Asked Questions |url=http://www.employees.org/~satch/ssh/faq/TheWholeSSHFAQ.html |deadurl=yes |archiveurl=https://web.archive.org/web/20170213004928/http://www.employees.org/~satch/ssh/faq/TheWholeSSHFAQ.html |archivedate=2017-02-13 |df= }}</ref>
| first1=Jinpeng
| last2=Pu
| first2=Calton
| date=December 2005
| publisher=[[USENIX]]
| access-date=2019-01-14}}</ref> but can occur in other contexts, including local [[Unix domain socket|sockets]] and improper use of [[database transaction]]s. In the early 1990s, the mail utility of BSD 4.3 UNIX had an [[Exploit (computer security)|exploitable]] race condition for temporary files because it used the <code>mktemp()</code><ref name="mktemp">{{cite web
| url=https://man7.org/linux/man-pages/man3/mktemp.3.html
| title=mktemp(3)
| work=Linux manual page
| date=2017-09-15}}</ref> function.<ref>{{cite web
| author=Shangde Zhou(周尚德)
| date=1991-10-01
| title=A Security Loophole in Unix
| language=en
| url=http://cdblp.cn/paper/UNIX%E7%9A%84%E4%B8%80%E4%B8%AA%E6%BC%8F%E6%B4%9E/94334.html
| url-status=dead
| archiveurl=https://archive.today/20130116041403/http://cdblp.cn/paper/UNIX%E7%9A%84%E4%B8%80%E4%B8%AA%E6%BC%8F%E6%B4%9E/94334.html
| archivedate=2013-01-16}}</ref>
Early versions of [[OpenSSH]] had an exploitable race condition for [[Unix domain sockets]].<ref>{{cite web
| last=Acheson
| first=Steve
| date=1999-11-04
| title=The Secure Shell (SSH) Frequently Asked Questions
| url=http://www.employees.org/~satch/ssh/faq/TheWholeSSHFAQ.html
| url-status=dead
| archiveurl=https://web.archive.org/web/20170213004928/http://www.employees.org/~satch/ssh/faq/TheWholeSSHFAQ.html
| archivedate=2017-02-13 }}</ref> They remain a problem in modern systems; as of 2019, a TOCTOU race condition in [[Docker (software)|Docker]] allows root access to the filesystem of the host platform.<ref>{{Cite web
| url=https://duo.com/decipher/docker-bug-allows-root-access-to-host-file-system
| title=Docker Bug Allows Root Access to Host File System
| work=Decipher
| date=28 May 2019
| publisher=Duo Security
| access-date=2019-05-29}}</ref> In the 2023 Pwn²Own competition in Vancouver, a team of hackers was able to compromise the gateway in updated Tesla model 3 using this bug.<ref>{{Cite web |title=Windows 11, Tesla, Ubuntu, and macOS hacked at Pwn2Own 2023 |url=https://www.bleepingcomputer.com/news/security/windows-11-tesla-ubuntu-and-macos-hacked-at-pwn2own-2023/ |access-date=2023-03-24 |website=BleepingComputer |language=en-us}}</ref>


== Examples ==
== Examples ==
{{Unsourced section|date=July 2022}}

In [[Unix]], the following [[C (programming language)|C]] code, when used in a <code>[[setuid]]</code> program, has a TOCTTOU bug:
In [[Unix]], the following [[C (programming language)|C]] code, when used in a <code>[[setuid]]</code> program, has a TOCTOU bug:
<source lang="c">
<syntaxhighlight lang="c" line="1">
if (access("file", W_OK) != 0) {
if (access("file", W_OK) != 0) {
exit(1);
exit(1);
}
}


fd = open("file", O_WRONLY);
fd = open("file", O_WRONLY);
write(fd, buffer, sizeof(buffer));
write(fd, buffer, sizeof(buffer));
</syntaxhighlight>
</source>


Here, ''access'' is intended to check whether the real user who executed the <code>setuid</code> program would normally be allowed to write the file (i.e., <code>''access''</code> checks the [[real userid]] rather than [[effective userid]]).
Here, ''access'' is intended to check whether the real user who executed the <code>setuid</code> program would normally be allowed to write the file (i.e., <code>''access''</code> checks the [[real userid]] rather than [[effective userid]]).


This race condition is vulnerable to an attack:
This race condition is vulnerable to an attack:

{| class="wikitable"
{| class="wikitable"
|Victim
|+
!Victim
|Attacker
!Attacker
|-
|-
|<source lang="c">
|<syntaxhighlight lang="c" line="1">
if (access("file", W_OK) != 0) {
if (access("file", W_OK) != 0) {
exit(1);
exit(1);
}
}
</syntaxhighlight>

|
|-
|
|After the access check, before the open, the attacker replaces <code>file</code> with a [[symlink]] to the Unix password file <code>[[/etc/passwd]]</code>:<syntaxhighlight lang="c">
symlink("/etc/passwd", "file");
</syntaxhighlight>
|-
|<syntaxhighlight lang="c" line="1" start="5">
fd = open("file", O_WRONLY);
fd = open("file", O_WRONLY);
// Actually writing over /etc/passwd
write(fd, buffer, sizeof(buffer));
write(fd, buffer, sizeof(buffer));
</syntaxhighlight>Actually writing over <code>/etc/passwd</code>
</source>
||
|
<source lang="c">
//
//
// After the access check
symlink("/etc/passwd", "file");
// Before the open, "file" points to the password database
//
//
</source>
|}
|}
In this example, an attacker can exploit the race condition between the <code>access</code> and <code>open</code> to trick the <code>setuid</code> victim into overwriting an entry in the system password database. TOCTOU races can be used for [[privilege escalation]] to get administrative access to a machine.

In this example, an attacker can exploit the race condition between the <code>access</code> and <code>open</code> to trick the <code>setuid</code> victim into overwriting an entry in the system password database. TOCTTOU races can be used for [[privilege escalation]], to get administrative access to a machine.


Although this sequence of events requires precise timing, it is possible for an attacker to arrange such conditions without too much difficulty.
Although this sequence of events requires precise timing, it is possible for an attacker to arrange such conditions without too much difficulty.
Line 53: Line 84:
The implication is that applications cannot assume the state managed by the operating system (in this case the file system namespace) will not change between system calls.
The implication is that applications cannot assume the state managed by the operating system (in this case the file system namespace) will not change between system calls.


== Reliably timing TOCTTOU ==
== Reliably timing TOCTOU ==


Exploiting a TOCTTOU race condition requires precise timing to ensure that the attacker's operations interleave properly with the victim's. In the example above, the attacker must execute the <code>symlink</code> system call precisely between the <code>access</code> and <code>open</code>. For the most general attack, the attacker must be scheduled for execution after each operation by the victim, also known as "single-stepping" the victim.
Exploiting a TOCTOU race condition requires precise timing to ensure that the attacker's operations interleave properly with the victim's. In the example above, the attacker must execute the <code>symlink</code> system call precisely between the <code>access</code> and <code>open</code>. For the most general attack, the attacker must be scheduled for execution after each operation by the victim, also known as "single-stepping" the victim.


In the case of BSD 4.3 mail utility and mktemp(),<ref>{{cite web|url=http://linux.die.net/man/3/mktemp|title=mktemp(3) - Linux man page}}</ref> the attacker can simply keep launching mail utility in one process, and keep guessing the temporary file names and keep making symlinks in another process. The attack can usually succeed in less than one minute.
In the case of BSD 4.3 mail utility and <code>mktemp()</code>,<ref name="mktemp"/> the attacker can simply keep launching mail utility in one process, and keep guessing the temporary file names and keep making symlinks in another process. The attack can usually succeed in less than one minute.


Techniques for single-stepping a victim program include file system mazes<ref>{{cite journal
Techniques for single-stepping a victim program include file system mazes<ref>{{cite web |last1=Borisov |first1=Nikita |last2=Johnson |first2=Rob |last3=Sastry |first3=Naveen |last4=Wagner |first4=David |year=2005 |title=Fixing races for fun and profit: how to abuse atime |work=Proceedings of the 14th Conference on [[USENIX]] Security Symposium, Baltimore (MD), July 31 – August 5, 2005 |volume=14 |pages=303–314 |url=http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.117.7757}}</ref> and algorithmic complexity attacks.<ref>{{cite web |author1=Xiang Cai |author2=Yuwei Gui |last3=Johnson|first3=Rob |date=2009-03-06 |title=Exploiting Unix File-System Races via Algorithmic Complexity Attacks |work=Proceedings of the [[IEEE]] Symposium on Security and Privacy, Berkeley (CA), May 17–20, 2009 |url=http://www.cs.sunysb.edu/~rob/papers/races2.pdf |format=PDF}}</ref> In both cases, the attacker manipulates the OS state to control scheduling of the victim.
| last1=Borisov
| first1=Nikita
| last2=Johnson
| first2=Rob
| last3=Sastry
| first3=Naveen
| last4=Wagner
| first4=David
| year=2005
| title=Fixing races for fun and profit: how to abuse atime
| journal=Proceedings of the 14th Conference on USENIX Security Symposium
| location=Baltimore, MD
| date=August 2005
| volume=14
| pages=303–314
| citeseerx=10.1.1.117.7757 }}</ref> and algorithmic complexity attacks.<ref>{{cite book
| author1=Xiang Cai
| author2=Yuwei Gui
| last3=Johnson
| first3=Rob
| title=2009 30th IEEE Symposium on Security and Privacy
| chapter=Exploiting Unix File-System Races via Algorithmic Complexity Attacks
| chapter-url=https://www3.cs.stonybrook.edu/~rob/papers/races2.pdf
| location=Berkeley, CA
| date=May 2009
| pages=27–41
| doi=10.1109/SP.2009.10
| isbn=978-0-7695-3633-0
| s2cid=6393789
|archive-url=https://web.archive.org/web/20210518212029/https://www3.cs.stonybrook.edu/~rob/papers/races2.pdf
|archive-date=2021-05-18
|url-status=dead
}}</ref> In both cases, the attacker manipulates the OS state to control scheduling of the victim.


File system mazes force the victim to read a directory entry that is not in the OS cache, and the OS puts the victim to sleep while it is reading the directory from disk. Algorithmic complexity attacks force the victim to spend its entire scheduling quantum inside a single system call traversing the kernel's hash table of cached file names. The attacker creates a very large number of files with names that hash to the same value as the file the victim will look up.
File system mazes force the victim to read a directory entry that is not in the OS cache, and the OS puts the victim to sleep while it is reading the directory from disk. Algorithmic complexity attacks force the victim to spend its entire scheduling quantum inside a single system call traversing the kernel's hash table of cached file names. The attacker creates a very large number of files with names that hash to the same value as the file the victim will look up.


== Preventing TOCTTOU ==
== Preventing TOCTOU ==


Despite conceptual simplicity, TOCTTOU race conditions are difficult to avoid and eliminate. One general technique is to use [[exception handling]] instead of checking, under the philosophy of '''EAFP''' "It is easier to ask for forgiveness than permission" rather than '''LBYL''' "look before you leap" – in this case there is no check, and failure of assumptions to hold are detected at use time, by an exception.<ref>{{cite book |last=Martelli |first=Alex |authorlink=Alex Martelli |year=2006 |title=Python in a Nutshell |edition=2nd |chapter=Chapter 6: Exceptions |publisher=[[O'Reilly Media]] |isbn=978-0-596-10046-9 |page=134}}</ref>
Despite conceptual simplicity, TOCTOU race conditions are difficult to avoid and eliminate. One general technique is to use error handling instead of pre-checking, under the philosophy of EAFP "It is easier to ask for forgiveness than permission" rather than LBYL "look before you leap" – in this case there is no check, and failure of assumptions to hold are signaled by an error being returned.<ref>{{cite book
| last=Martelli
| first=Alex
| authorlink=Alex Martelli
| year=2006
| title=Python in a Nutshell
| edition=2
| chapter=Chapter 6: Exceptions
| publisher=[[O'Reilly Media]]
| page=134
| isbn=978-0-596-10046-9}}</ref>


In the context of file system TOCTTOU race conditions, the fundamental challenge is ensuring that the file system cannot be changed between two system calls. In 2004, an impossibility result was published, showing that there was no portable, deterministic technique for avoiding TOCTTOU race conditions.<ref>{{cite web |last1=Dean |first1=Drew |last2=Hu |first2=Alan J. |year=2004 |title=Abstract Fixing Races for Fun and Profit: How to use access(2) |work=Proceedings of the 13th USENIX Security Symposium, San Diego (CA), August 9–13, 2004 |pages=195–206 |url=http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.83.8647}}</ref>
In the context of file system TOCTOU race conditions, the fundamental challenge is ensuring that the file system cannot be changed between two system calls. In 2004, an impossibility result was published, showing that there was no portable, deterministic technique for avoiding TOCTOU race conditions when using the UNIX <code>access</code> and <code>open</code> filesystem calls.<ref>{{cite journal
| last1=Dean
| first1=Drew
| last2=Hu
| first2=Alan J.
| year=2004
| title=Fixing Races for Fun and Profit: How to use access(2)
| journal=Proceedings of the 13th USENIX Security Symposium
| location=San Diego, CA)
| date=August 2004
| pages=195–206
| citeseerx=10.1.1.83.8647 }}</ref>


Since this impossibility result, libraries for tracking [[file descriptor]]s and ensuring correctness have been proposed by researchers.<ref>{{cite web |last1=Tsafrir |first1=Dan |last2=Hertz |first2=Tomer |last3=Wagner |first3=David |last4=Da Silva |first4=Dilma |authorlink4=Dilma Da Silva |date=June 2008 |title=Portably Preventing File Race Attacks with User-Mode Path Resolution |work=Technical Report RC24572, [[Thomas J. Watson Research Center|IBM T. J. Watson Research Center]], Yorktown Heights (NY) |url=http://domino.watson.ibm.com/library/CyberDig.nsf/1e4115aea78b6e7c85256b360066f0d4/c4028924309762d18525746e004a4feb}}</ref>
Since this impossibility result, libraries for tracking [[file descriptor]]s and ensuring correctness have been proposed by researchers.<ref>{{cite web
| last1=Tsafrir
| first1=Dan
| last2=Hertz
| first2=Tomer
| last3=Wagner
| first3=David
| last4=Da Silva
| first4=Dilma
| authorlink4=Dilma Da Silva
| date=June 2008
| title=Portably Preventing File Race Attacks with User-Mode Path Resolution
| work=Technical Report RC24572, [[Thomas J. Watson Research Center|IBM T. J. Watson Research Center]]
| location=Yorktown Heights, NY
| url=https://dominoweb.draco.res.ibm.com/c4028924309762d18525746e004a4feb.html}}</ref>


An alternative solution proposed in the research community is for UNIX systems to adopt transactions in the file system or the OS kernel. Transactions provide a [[concurrency control]] abstraction for the OS, and can be used to prevent TOCTTOU races. While no production UNIX kernel has yet adopted transactions, proof-of-concept research prototypes have been developed for Linux, including the Valor file system<ref>{{cite web |last1=Spillane |first1=Richard P. |last2=Gaikwad |first2=Sachin |last3=Chinni |first3=Manjunath |last4=Zadok |first4=Erez |year=2009 |title=Enabling Transactional File Access via Lightweight Kernel Extensions |work=Seventh USENIX Conference on File and Storage Technologies (FAST 2009), San Francisco (CA), February 24–27, 2009 |url=http://www.fsl.cs.sunysb.edu/docs/valor/valor_fast2009.pdf}}</ref> and the TxOS kernel.<ref>{{cite web |last1=Porter |first1=Donald E. |last2=Hofmann |first2=Owen S. |last3=Rossbach |first3=Christopher J. |last4=Benn |first4=Alexander |last5=Witchel |first5=Emmett |year=2009|title=Operating System Transactions |work=Proceedings of the 22nd [[Association for Computing Machinery|ACM]] Symposium on Operating Systems Principles (SOSP '09), Big Sky (MT), October 11–14, 2009 |url=http://www.sigops.org/sosp/sosp09/papers/porter-sosp09.pdf}}</ref> [[Microsoft Windows]] has added transactions to its [[NTFS]] file system,<ref>{{cite book |last1=Russinovich |first1=Mark |last2=Solomon |first2=David A. |year=2009 |title=Windows Internals |publisher=[[Microsoft Press]] |isbn=978-0735648739}}</ref> but Microsoft discourages their use, and has indicated that they may be removed in a future version of Windows.<ref>{{cite web |author=<!--Staff writer(s); no by-line.--> |title=Alternatives to using Transactional NTFS |website=[[Microsoft Developer Network]] |url=https://msdn.microsoft.com/en-us/library/windows/desktop/hh802690%28v=vs.85%29.aspx |access-date=10 December 2015}}</ref>
An alternative solution proposed in the research community is for UNIX systems to adopt [[transaction processing|transaction]]s in the file system or the OS kernel. Transactions provide a [[concurrency control]] abstraction for the OS, and can be used to prevent TOCTOU races. While no production UNIX kernel has yet adopted transactions, proof-of-concept research prototypes have been developed for Linux, including the Valor file system<ref>{{cite web
| last1=Spillane
| first1=Richard P.
| last2=Gaikwad
| first2=Sachin
| last3=Chinni
| first3=Manjunath
| last4=Zadok
| first4=Erez
| year=2009
| title=Enabling Transactional File Access via Lightweight Kernel Extensions
| work=Seventh USENIX Conference on File and Storage Technologies (FAST 2009)
| location=San Francisco, CA
| date=February 24–27, 2009
| url=https://www.fsl.cs.sunysb.edu/docs/valor/valor_fast2009.pdf}}</ref> and the TxOS kernel.<ref>{{cite web
| last1=Porter
| first1=Donald E.
| last2=Hofmann
| first2=Owen S.
| last3=Rossbach
| first3=Christopher J.
| last4=Benn
| first4=Alexander
| last5=Witchel
| first5=Emmett
| year=2009
| title=Operating System Transactions
| work=Proceedings of the 22nd [[Association for Computing Machinery|ACM]] Symposium on Operating Systems Principles (SOSP '09)
| location=Big Sky, MT
| date=October 11–14, 2009
| url=https://www.sigops.org/s/conferences/sosp/2009/papers/porter-sosp09.pdf}}</ref> [[Microsoft Windows]] has added transactions to its [[NTFS]] file system,<ref>{{cite book
| last1=Russinovich
| first1=Mark
| last2=Solomon
| first2=David A.
| year=2009
| title=Windows Internals
| publisher=[[Microsoft Press]]
| isbn=978-0735648739}}</ref> but Microsoft discourages their use, and has indicated that they may be removed in a future version of Windows.<ref>{{cite web
| title=Alternatives to using Transactional NTFS
| website=[[Microsoft Developer Network]]
| url=https://docs.microsoft.com/en-us/windows/win32/fileio/deprecation-of-txf
| access-date=10 December 2015
| archive-url=https://web.archive.org/web/20220929200925/https://learn.microsoft.com/en-us/windows/win32/fileio/deprecation-of-txf
| archive-date=29 September 2022}}</ref>


[[File locking]] is a common technique for preventing race conditions for a single file, but it does not extend to the file system namespace and other metadata, nor does locking work well with networked filesystems, and cannot prevent TOCTTOU race conditions.
[[File locking]] is a common technique for preventing race conditions for a single file, but it does not extend to the file system namespace and other metadata, nor does locking work well with networked filesystems, and cannot prevent TOCTOU race conditions.


For setuid binaries a possible solution is to use the <code>seteuid()</code> system call to change the effective user and then perform the <code>open()</code>. Differences in <code>setuid()</code> between operating systems can be problematic.<ref>{{cite web |author1=Hao Chen |last2=Wagner |first2=David |last3=Dean |first3=Drew |date=2002-05-12 |title=Setuid Demystified |url=http://www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf |format=PDF}}</ref>
For setuid binaries a possible solution is to use the <code>seteuid()</code> system call to change the effective user and then perform the <code>open()</code>. Differences in <code>setuid()</code> between operating systems can be problematic.<ref>{{cite web
| author1=Hao Chen
| last2=Wagner
| first2=David
| last3=Dean
| first3=Drew
| date=2002-05-12
| title=Setuid Demystified
| url=https://people.eecs.berkeley.edu/~daw/papers/setuid-usenix02.pdf}}</ref>


==See also==
==See also==
*[[Linearizability]]
* [[Linearizability]]


==References==
==References==
Line 84: Line 235:


==Further reading==
==Further reading==
* {{cite web |last1=Bishop |first1=Matt |last2=Dilger |first2=Michael |year=1996 |title=Checking for Race Conditions in File Accesses |work=Computing Systems |volume=9 |number=2 |pages=131–152 |url=http://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf |format=PDF}}
* {{cite web |last1=Bishop |first1=Matt |last2=Dilger |first2=Michael |year=1996 |title=Checking for Race Conditions in File Accesses |work=Computing Systems |volume=9 |number=2 |pages=131–152 |url=http://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf }}

* {{cite web |last1=Tsafrir |first1=Dan |last2=Hertz |first2=Tomer |last3=Wagner |first3=David |last4=Da Silva |first4=Dilma |year=2008 |title=Portably Solving File TOCTTOU Races with Hardness Amplification |work=Proceedings of the 6th USENIX Conference on File and Storage Technologies (FAST '08), San Jose (CA), February 26–29, 2008 |pages=189–206 |url=http://www.cs.berkeley.edu/~daw/papers/tocttou-fast08.pdf |format=PDF}}
* {{cite web |last1=Tsafrir |first1=Dan |last2=Hertz |first2=Tomer |last3=Wagner |first3=David |last4=Da Silva |first4=Dilma |year=2008 |title=Portably Solving File TOCTTOU Races with Hardness Amplification |work=Proceedings of the 6th USENIX Conference on File and Storage Technologies (FAST '08), San Jose (CA), February 26–29, 2008 |pages=189–206 |url=https://people.eecs.berkeley.edu/~daw/papers/tocttou-fast08.pdf }}


[[Category:Computer security exploits]]
[[Category:Computer security exploits]]

[[Category:software bugs]]

Latest revision as of 08:22, 13 October 2023

In software development, time-of-check to time-of-use (TOCTOU, TOCTTOU or TOC/TOU) is a class of software bugs caused by a race condition involving the checking of the state of a part of a system (such as a security credential) and the use of the results of that check.

TOCTOU race conditions are common in Unix between operations on the file system,[1] but can occur in other contexts, including local sockets and improper use of database transactions. In the early 1990s, the mail utility of BSD 4.3 UNIX had an exploitable race condition for temporary files because it used the mktemp()[2] function.[3] Early versions of OpenSSH had an exploitable race condition for Unix domain sockets.[4] They remain a problem in modern systems; as of 2019, a TOCTOU race condition in Docker allows root access to the filesystem of the host platform.[5] In the 2023 Pwn²Own competition in Vancouver, a team of hackers was able to compromise the gateway in updated Tesla model 3 using this bug.[6]

Examples[edit]

In Unix, the following C code, when used in a setuid program, has a TOCTOU bug: 

if (access("file", W_OK) != 0) {
    exit(1);
}

fd = open("file", O_WRONLY);
write(fd, buffer, sizeof(buffer));

Here, access is intended to check whether the real user who executed the setuid program would normally be allowed to write the file (i.e., access checks the real userid rather than effective userid).

This race condition is vulnerable to an attack:

Victim Attacker 
if (access("file", W_OK) != 0) {
    exit(1);
}
After the access check, before the open, the attacker replaces file with a symlink to the Unix password file /etc/passwd:
symlink("/etc/passwd", "file");

fd = open("file", O_WRONLY);
write(fd, buffer, sizeof(buffer));
Actually writing over /etc/passwd

In this example, an attacker can exploit the race condition between the access and open to trick the setuid victim into overwriting an entry in the system password database. TOCTOU races can be used for privilege escalation to get administrative access to a machine.

Although this sequence of events requires precise timing, it is possible for an attacker to arrange such conditions without too much difficulty.

The implication is that applications cannot assume the state managed by the operating system (in this case the file system namespace) will not change between system calls.

Reliably timing TOCTOU[edit]

Exploiting a TOCTOU race condition requires precise timing to ensure that the attacker's operations interleave properly with the victim's. In the example above, the attacker must execute the symlink system call precisely between the access and open. For the most general attack, the attacker must be scheduled for execution after each operation by the victim, also known as "single-stepping" the victim.

In the case of BSD 4.3 mail utility and mktemp(),[2] the attacker can simply keep launching mail utility in one process, and keep guessing the temporary file names and keep making symlinks in another process. The attack can usually succeed in less than one minute.

Techniques for single-stepping a victim program include file system mazes[7] and algorithmic complexity attacks.[8] In both cases, the attacker manipulates the OS state to control scheduling of the victim.

File system mazes force the victim to read a directory entry that is not in the OS cache, and the OS puts the victim to sleep while it is reading the directory from disk. Algorithmic complexity attacks force the victim to spend its entire scheduling quantum inside a single system call traversing the kernel's hash table of cached file names. The attacker creates a very large number of files with names that hash to the same value as the file the victim will look up.

Preventing TOCTOU[edit]

Despite conceptual simplicity, TOCTOU race conditions are difficult to avoid and eliminate. One general technique is to use error handling instead of pre-checking, under the philosophy of EAFP – "It is easier to ask for forgiveness than permission" rather than LBYL – "look before you leap" – in this case there is no check, and failure of assumptions to hold are signaled by an error being returned.[9]

In the context of file system TOCTOU race conditions, the fundamental challenge is ensuring that the file system cannot be changed between two system calls. In 2004, an impossibility result was published, showing that there was no portable, deterministic technique for avoiding TOCTOU race conditions when using the UNIX access and open filesystem calls.[10]

Since this impossibility result, libraries for tracking file descriptors and ensuring correctness have been proposed by researchers.[11]

An alternative solution proposed in the research community is for UNIX systems to adopt transactions in the file system or the OS kernel. Transactions provide a concurrency control abstraction for the OS, and can be used to prevent TOCTOU races. While no production UNIX kernel has yet adopted transactions, proof-of-concept research prototypes have been developed for Linux, including the Valor file system[12] and the TxOS kernel.[13] Microsoft Windows has added transactions to its NTFS file system,[14] but Microsoft discourages their use, and has indicated that they may be removed in a future version of Windows.[15]

File locking is a common technique for preventing race conditions for a single file, but it does not extend to the file system namespace and other metadata, nor does locking work well with networked filesystems, and cannot prevent TOCTOU race conditions.

For setuid binaries a possible solution is to use the seteuid() system call to change the effective user and then perform the open(). Differences in setuid() between operating systems can be problematic.[16]

See also[edit]

References[edit]

  1. ^ Wei, Jinpeng; Pu, Calton (December 2005). "TOCTTOU Vulnerabilities in UNIX-Style File Systems: An Anatomical Study". USENIX. Retrieved 2019-01-14.
  2. ^ a b "mktemp(3)". Linux manual page. 2017-09-15.
  3. ^ Shangde Zhou(周尚德) (1991-10-01). "A Security Loophole in Unix". Archived from the original on 2013-01-16.
  4. ^ Acheson, Steve (1999-11-04). "The Secure Shell (SSH) Frequently Asked Questions". Archived from the original on 2017-02-13.
  5. ^ "Docker Bug Allows Root Access to Host File System". Decipher. Duo Security. 28 May 2019. Retrieved 2019-05-29.
  6. ^ "Windows 11, Tesla, Ubuntu, and macOS hacked at Pwn2Own 2023". BleepingComputer. Retrieved 2023-03-24.
  7. ^ Borisov, Nikita; Johnson, Rob; Sastry, Naveen; Wagner, David (August 2005). "Fixing races for fun and profit: how to abuse atime". Proceedings of the 14th Conference on USENIX Security Symposium. 14. Baltimore, MD: 303–314. CiteSeerX 10.1.1.117.7757.{{cite journal}}: CS1 maint: date and year (link)
  8. ^ Xiang Cai; Yuwei Gui; Johnson, Rob (May 2009). "Exploiting Unix File-System Races via Algorithmic Complexity Attacks" (PDF). 2009 30th IEEE Symposium on Security and Privacy. Berkeley, CA. pp. 27–41. doi:10.1109/SP.2009.10. ISBN 978-0-7695-3633-0. S2CID 6393789. Archived from the original (PDF) on 2021-05-18.{{cite book}}: CS1 maint: location missing publisher (link)
  9. ^ Martelli, Alex (2006). "Chapter 6: Exceptions". Python in a Nutshell (2 ed.). O'Reilly Media. p. 134. ISBN 978-0-596-10046-9.
  10. ^ Dean, Drew; Hu, Alan J. (August 2004). "Fixing Races for Fun and Profit: How to use access(2)". Proceedings of the 13th USENIX Security Symposium. San Diego, CA): 195–206. CiteSeerX 10.1.1.83.8647.{{cite journal}}: CS1 maint: date and year (link)
  11. ^ Tsafrir, Dan; Hertz, Tomer; Wagner, David; Da Silva, Dilma (June 2008). "Portably Preventing File Race Attacks with User-Mode Path Resolution". Technical Report RC24572, IBM T. J. Watson Research Center. Yorktown Heights, NY.
  12. ^ Spillane, Richard P.; Gaikwad, Sachin; Chinni, Manjunath; Zadok, Erez (February 24–27, 2009). "Enabling Transactional File Access via Lightweight Kernel Extensions" (PDF). Seventh USENIX Conference on File and Storage Technologies (FAST 2009). San Francisco, CA.{{cite web}}: CS1 maint: date and year (link)
  13. ^ Porter, Donald E.; Hofmann, Owen S.; Rossbach, Christopher J.; Benn, Alexander; Witchel, Emmett (October 11–14, 2009). "Operating System Transactions" (PDF). Proceedings of the 22nd ACM Symposium on Operating Systems Principles (SOSP '09). Big Sky, MT.{{cite web}}: CS1 maint: date and year (link)
  14. ^ Russinovich, Mark; Solomon, David A. (2009). Windows Internals. Microsoft Press. ISBN 978-0735648739.
  15. ^ "Alternatives to using Transactional NTFS". Microsoft Developer Network. Archived from the original on 29 September 2022. Retrieved 10 December 2015.
  16. ^ Hao Chen; Wagner, David; Dean, Drew (2002-05-12). "Setuid Demystified" (PDF).

Further reading[edit]

Retrieved from "https://en.wikipedia.org/w/index.php?title=Time-of-check_to_time-of-use&oldid=1179917508"