
TOCTOU (Race Condition)

A race condition occurs when two concurrent threads or processes access the same shared resource (memory, a file, and so on) and the outcome depends on the order in which those accesses happen. Under certain conditions, this can result in a vulnerability. If an attacker can alter data between the time of check (TOC) and the time of use (TOU), they can bypass whatever limitations the check enforces, because the check and the use refer to different states of the resource. This attack requires precise timing, which can be difficult to achieve.

Attack Vector

An attacker can perform a TOCTOU attack when they can run processes that interact with the same resources as the vulnerable process and can cause their accesses to that resource to occur in between the vulnerable process's check and its use.

Impact

TOCTOU vulnerabilities can result in exploits of varying severity. In the case where the attacker's data ends up being executed, a TOCTOU bug can lead to arbitrary code execution.

Attack Examples

We'll discuss a TOCTOU vulnerability during lecture. Once this lecture has occurred, you can find a demo in the OS lecture demos.

Defenses

TOCTOU defenses are complex and in some settings it is impossible to avoid TOCTOU vulnerabilities. Please refer to the lecture notes for more details.
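The following is an added example, not part of this page or the lecture demos, that makes the check step and the use step concrete and shows the defense the lecture notes describe for the file-system case: bind the check to the object you actually use instead of re-resolving a path name. The file names, the `between` hook (which stands in for the race window so the demo is deterministic instead of timing-dependent) and the `swap_for_symlink` helper are constructed for this example; the script assumes a POSIX system with symlink and `O_NOFOLLOW` support.

```python
"""Added example: check-then-use on a path name vs. check-and-use on one open descriptor."""
import os
import stat
import tempfile

ALLOWED_NAME = "report.txt"   # constructed: the only file the service is meant to serve
SECRET_NAME = "secret.txt"    # constructed: a file the caller must never see


def read_vulnerable(path, between=lambda: None):
    """Time of check on the path name, time of use on the path name again.

    `between` is a hook (an assumption of this demo) that runs inside the race window.
    """
    st = os.lstat(path)                      # TOC: inspect what the name points to right now
    if not stat.S_ISREG(st.st_mode):
        return None
    between()                                # the window an attacker races against
    with open(path, "rb") as f:              # TOU: the name is resolved again -> may be a new object
        return f.read()


def read_hardened(path, between=lambda: None):
    """Open first, validate the descriptor, then read from that same descriptor."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError:                          # a symlink at the path is refused outright (ELOOP)
        return None
    try:
        st = os.fstat(fd)                    # check the object we actually opened, not the name
        if not stat.S_ISREG(st.st_mode):
            return None
        between()                            # swapping the name now does not affect our descriptor
        chunks = []
        while True:
            b = os.read(fd, 4096)
            if not b:
                break
            chunks.append(b)
        return b"".join(chunks)
    finally:
        os.close(fd)


def swap_for_symlink(path, target):
    """Simulates a lost race: the directory entry `path` is atomically replaced by a symlink."""
    tmp = path + ".tmp"
    os.symlink(target, tmp)
    os.replace(tmp, path)                    # rename, so the name never disappears in between


def write_regular_file(path, data):
    if os.path.lexists(path):
        os.remove(path)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Runs both readers against a constructed directory and returns what each one read."""
    with tempfile.TemporaryDirectory() as d:
        allowed = os.path.join(d, ALLOWED_NAME)
        secret = os.path.join(d, SECRET_NAME)
        write_regular_file(allowed, b"PUBLIC")
        write_regular_file(secret, b"SECRET")

        baseline = read_vulnerable(allowed)  # no race: the check-then-use code works fine

        # Race lost by the vulnerable reader: it validated a regular file but opened the symlink.
        vulnerable = read_vulnerable(allowed, between=lambda: swap_for_symlink(allowed, secret))

        write_regular_file(allowed, b"PUBLIC")
        # Same swap against the hardened reader: it keeps reading the descriptor it validated.
        hardened = read_hardened(allowed, between=lambda: swap_for_symlink(allowed, secret))

        # Swap already in place before the open: O_NOFOLLOW refuses the symlink.
        presymlinked = read_hardened(allowed)

        return {
            "baseline": baseline,
            "vulnerable": vulnerable,
            "hardened": hardened,
            "hardened_presymlinked": presymlinked,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The vulnerable reader's check (`lstat` on the name) and use (`open` on the name) are two separate lookups, so anything that changes what the name points to in between defeats the check. The hardened reader has a single lookup (`os.open`) and performs its check on the resulting descriptor with `fstat`; the check and the use now refer to the same kernel object, which is what removes the window. Where the resource is not a file, the same principle applies: check and use must happen on one handle, under one lock, or as one atomic operation.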

Tips for Demonstration

In order to demonstrate that you have performed this exploit you should:

  1. Identify the vulnerable process
  2. Identify the check step and the use step of the vulnerable process
  3. Provide a script which can exploit the TOCTOU vulnerability
  4. Note: Your script might not work every time. It should, however, work frequently enough to be practical to show during a demo.

Other resources

wschor, srowley1