Entry | Time of check to time of use |
Definition |
In software development, time of check to time of use (TOCTOU, TOCTTOU or TOC/TOU) is a class of software bugs caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. It is one example of a race condition.

A simple example: consider a web application that allows a user to edit pages and also allows administrators to lock pages to prevent editing. A user requests to edit a page and receives a form that can be used to alter its content. Before the user submits the form, an administrator locks the page, which should prevent editing. However, since editing has already begun, when the user submits the form those edits are accepted. When the user began editing, the appropriate authorization was checked, and the user was indeed allowed to edit; but that authorization was relied on later, at a time when edits should no longer have been allowed.

TOCTOU race conditions are common in Unix between operations on the file system,[1] but can occur in other contexts, including local sockets and improper use of database transactions. In the early 1990s, the mail utility of BSD 4.3 UNIX had an exploitable race condition on temporary files because it used the mktemp() C library function.[2] Early versions of OpenSSH had an exploitable race condition involving Unix domain sockets.[3]

Examples
In Unix, the following C code, when used in a
Here, access is intended to check whether the real user who executed the
This race condition is vulnerable to an attack:
In this example, an attacker can exploit the race condition between the
Although this sequence of events requires precise timing, an attacker can arrange such conditions without much difficulty. The implication is that applications cannot assume that state managed by the operating system (here, the file system namespace) will remain unchanged between system calls.

Reliably timing TOCTOU
Exploiting a TOCTOU race condition requires precise timing so that the attacker's operations interleave correctly with the victim's. In the example above, the attacker must execute the
In the case of the BSD 4.3 mail utility and mktemp(),[4] the attacker can simply keep launching the mail utility in one process while guessing the temporary file names and creating symlinks in another. The attack usually succeeds in under a minute.

Techniques for single-stepping a victim program include file system mazes[5] and algorithmic complexity attacks.[6] In both cases the attacker manipulates OS state to control the scheduling of the victim. File system mazes force the victim to read a directory entry that is not in the OS cache, so the OS puts the victim to sleep while it reads the directory from disk. Algorithmic complexity attacks force the victim to spend its entire scheduling quantum inside a single system call traversing the kernel's hash table of cached file names: the attacker creates a very large number of files whose names hash to the same value as the file the victim will look up.

Preventing TOCTOU
Despite their conceptual simplicity, TOCTOU race conditions are difficult to avoid and eliminate.
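The mktemp()-style temporary-file race described in the timing section above, and the create-with-O_EXCL fix that the prevention techniques below build on, as an added example that is not part of the original article and not code from BSD mail or any other project. One process plays both victim and attacker in a fixed order, so the timing problem is removed and only the file system effect is shown. The guessable name `mail.tmp`, the victim file and the scratch directory under /tmp are constructed for this demonstration (assumption: /tmp is writable); `demo_tempfile_race()` returns 1 when the legacy create was redirected through the planted symlink, the O_EXCL create refused, and mkstemp() produced a fresh file.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write a short string fully to an open descriptor; 0 on success. */
static int write_all(int fd, const char *s) {
    size_t left = strlen(s);
    while (left > 0) {
        ssize_t w = write(fd, s, left);
        if (w <= 0) return -1;
        s += w; left -= (size_t)w;
    }
    return 0;
}

/* Read a small file into buf (NUL-terminated); bytes read or -1. */
static ssize_t slurp(const char *path, char *buf, size_t n) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t r = read(fd, buf, n - 1);
    close(fd);
    if (r < 0) return -1;
    buf[r] = '\0';
    return r;
}

/* Legacy pattern (what mktemp()-based code ends up doing): pick a name, then
 * create it with O_CREAT but without O_EXCL.  If the attacker guessed the name
 * and planted a symlink, open() follows the link and the "temporary" data is
 * written into whatever the link points at. */
static int create_temp_legacy(const char *name, const char *data) {
    int fd = open(name, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    int rc = write_all(fd, data);
    close(fd);
    return rc;
}

/* Fixed pattern: O_CREAT|O_EXCL fails with EEXIST if anything already sits at
 * the name, a symlink included.  mkstemp(3) does exactly this internally and
 * also picks an unpredictable name, so it is the call to use in practice. */
static int create_temp_excl(const char *name, const char *data) {
    int fd = open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;            /* errno == EEXIST: attacker got there first */
    int rc = write_all(fd, data);
    close(fd);
    return rc;
}

/* Plays attacker and victim in one process, deterministically. */
int demo_tempfile_race(void) {
    char dir[] = "/tmp/tocttou-demo.XXXXXX";        /* assumption: /tmp is writable */
    if (!mkdtemp(dir)) return 0;
    char tmp[300], victim[300], tmpl[300], buf[64];
    snprintf(tmp, sizeof tmp, "%s/mail.tmp", dir);      /* the guessable name */
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(tmpl, sizeof tmpl, "%s/mail.XXXXXX", dir); /* mkstemp template */

    int vfd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (vfd < 0 || write_all(vfd, "original\n") != 0) return 0;
    close(vfd);

    /* Attacker wins the race: a symlink now sits at the name the victim will use. */
    if (symlink(victim, tmp) != 0) return 0;

    /* Victim, legacy pattern: the write lands in victim.txt via the symlink. */
    int clobbered = create_temp_legacy(tmp, "mail body\n") == 0 &&
                    slurp(victim, buf, sizeof buf) > 0 &&
                    strcmp(buf, "mail body\n") == 0;

    /* Victim, fixed pattern: creation is refused because the name exists. */
    int refused = create_temp_excl(tmp, "mail body\n") == -1 && errno == EEXIST;

    /* mkstemp(): fresh, exclusively created file that is not the victim. */
    int mfd = mkstemp(tmpl);
    struct stat a, b;
    int fresh = mfd >= 0 && fstat(mfd, &a) == 0 && stat(victim, &b) == 0 &&
                a.st_ino != b.st_ino;
    if (mfd >= 0) { close(mfd); unlink(tmpl); }

    unlink(tmp); unlink(victim); rmdir(dir);
    return clobbered && refused && fresh;
}

int main(void) {
    printf("legacy create clobbered victim, O_EXCL refused, mkstemp safe: %s\n",
           demo_tempfile_race() ? "yes" : "no");
    return 0;
}
```

The point to take from the block is that the defence is not a better guess at the name but an atomic create: O_EXCL makes "does this name exist?" and "create it" a single system call, so there is no window for the attacker's symlink to appear in between.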
One general technique is to use exception handling instead of checking, following the EAFP philosophy ("it is easier to ask for forgiveness than permission") rather than LBYL ("look before you leap"): there is no separate check, and a failure of the assumptions to hold is detected at use time, by an exception.[7]

In the context of file system TOCTOU race conditions, the fundamental challenge is ensuring that the file system cannot change between two system calls. In 2004, an impossibility result was published showing that there is no portable, deterministic technique for avoiding TOCTOU race conditions.[8] Since then, libraries for tracking file descriptors and ensuring correctness have been proposed by researchers.[9]

An alternative solution proposed in the research community is for UNIX systems to adopt transactions in the file system or the OS kernel. Transactions provide a concurrency control abstraction for the OS and can be used to prevent TOCTOU races. While no production UNIX kernel has yet adopted transactions, proof-of-concept research prototypes have been developed for Linux, including the Valor file system[10] and the TxOS kernel.[11] Microsoft Windows has added transactions to its NTFS file system,[12] but Microsoft discourages their use and has indicated that they may be removed in a future version of Windows.[13]

File locking is a common technique for preventing race conditions on a single file, but it does not extend to the file system namespace and other metadata, and it does not work well with networked file systems, so it cannot by itself prevent TOCTOU race conditions.

For setuid binaries a possible solution is to use the
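The access()/open() race from the Examples section together with the "use first, then check what you actually got" approach from this section, as an added example that is not the article's (elided) code and not taken from any project. The `between` hook stands in for the attacker's scheduling window; calling it from the same process makes the race deterministic for demonstration, whereas a real attacker has to win it with the timing tricks described above. The file names, the scratch directory under /tmp (assumed writable) and the "file must be a regular file owned by the real uid" rule checked with fstat() are constructed for this example; a real setuid program would normally drop privileges to the real user before opening, which an unprivileged demo cannot show.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef void (*attacker_fn)(void *);

/* Racy pattern: check the *name* with access(), then use the *name* with
 * open().  The kernel resolves the path twice and nothing ties the second
 * resolution to the first; `between` is where the attacker runs. */
static int open_racy(const char *path, attacker_fn between, void *arg) {
    if (access(path, R_OK) != 0)          /* time of check */
        return -1;
    if (between) between(arg);            /* attacker swaps the path here */
    return open(path, O_RDONLY);          /* time of use: path resolved again */
}

/* Use-then-validate pattern: open with O_NOFOLLOW so a symlink at the final
 * component is rejected, then check the descriptor (not the name) with
 * fstat().  The ownership rule is a stand-in policy for this example. */
static int open_then_validate(const char *path, uid_t owner) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                /* ELOOP if a symlink was planted */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Attacker step: replace the checked path with a symlink to the target. */
struct swap { const char *path; const char *target; };
static void attacker_swap(void *arg) {
    struct swap *s = arg;
    unlink(s->path);
    symlink(s->target, s->path);
}

static ino_t inode_of_path(const char *p) { struct stat st; return stat(p, &st) == 0 ? st.st_ino : 0; }
static ino_t inode_of_fd(int fd)          { struct stat st; return fstat(fd, &st) == 0 ? st.st_ino : 0; }
static int write_file(const char *p, const char *s) {
    int fd = open(p, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, s, strlen(s));
    close(fd);
    return w == (ssize_t)strlen(s) ? 0 : -1;
}

/* Returns 1 when the racy open handed back secret.txt after the swap, the
 * validating open refused the planted symlink, and the validating open still
 * works on a legitimate regular file; 0 otherwise. */
int demo_access_open_race(void) {
    char dir[] = "/tmp/toctou-demo.XXXXXX";         /* assumption: /tmp is writable */
    if (!mkdtemp(dir)) return 0;
    char pub[300], sec[300];
    snprintf(pub, sizeof pub, "%s/public.txt", dir);
    snprintf(sec, sizeof sec, "%s/secret.txt", dir);
    if (write_file(pub, "public\n") || write_file(sec, "secret\n")) return 0;
    struct swap s = { pub, sec };

    /* 1. access() passes on public.txt, the attacker swaps it, open() yields secret.txt. */
    int fd = open_racy(pub, attacker_swap, &s);
    int racy_read_secret = fd >= 0 && inode_of_fd(fd) == inode_of_path(sec);
    if (fd >= 0) close(fd);

    /* 2. With the symlink still in place, O_NOFOLLOW refuses to open it at all. */
    int validated_refused = open_then_validate(pub, getuid()) == -1;

    /* 3. Restore a real file: the validating open accepts legitimate input. */
    unlink(pub);
    int fd2 = write_file(pub, "public\n") == 0 ? open_then_validate(pub, getuid()) : -1;
    int validated_ok = fd2 >= 0 && inode_of_fd(fd2) != inode_of_path(sec);
    if (fd2 >= 0) close(fd2);

    unlink(pub); unlink(sec); rmdir(dir);
    return racy_read_secret && validated_refused && validated_ok;
}

int main(void) {
    printf("racy open leaked secret, validating open refused symlink: %s\n",
           demo_access_open_race() ? "yes" : "no");
    return 0;
}
```

Design note: the hardened variant never re-resolves the name after the check, because every check is made on the descriptor the program will actually read from. O_NOFOLLOW only protects the final path component; directories earlier in the path can still be swapped, which is the reason the section above cites an impossibility result for portable, deterministic avoidance and why descriptor-relative calls (openat() and friends) or dropping privileges before the open are the usual complements.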
References
1. Wei, Jinpeng; Pu, Calton. "TOCTTOU Vulnerabilities in UNIX-Style File Systems: An Anatomical Study". USENIX FAST '05. https://www.usenix.org/conference/fast-05/tocttou-vulnerabilities-unix-style-file-systems-anatomical-study (accessed 2019-01-14).
2. Shangde Zhou (周尚德) (1991-10-01). "A Security Loophole in Unix". http://cdblp.cn/paper/UNIX%E7%9A%84%E4%B8%80%E4%B8%AA%E6%BC%8F%E6%B4%9E/94334.html (dead link; archived 2013-01-16 at https://archive.is/20130116041403/http://cdblp.cn/paper/UNIX%E7%9A%84%E4%B8%80%E4%B8%AA%E6%BC%8F%E6%B4%9E/94334.html).
3. Acheson, Steve (1999-11-04). "The Secure Shell (SSH) Frequently Asked Questions". http://www.employees.org/~satch/ssh/faq/TheWholeSSHFAQ.html (dead link; archived 2017-02-13 at https://web.archive.org/web/20170213004928/http://www.employees.org/~satch/ssh/faq/TheWholeSSHFAQ.html).
4. "mktemp(3) - Linux man page". http://linux.die.net/man/3/mktemp
5. Borisov, Nikita; Johnson, Rob; Sastry, Naveen; Wagner, David (2005). "Fixing races for fun and profit: how to abuse atime". Proceedings of the 14th USENIX Security Symposium, Baltimore (MD), July 31 – August 5, 2005, vol. 14, pp. 303–314. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.117.7757
6. Xiang Cai; Yuwei Gui; Johnson, Rob (2009-03-06). "Exploiting Unix File-System Races via Algorithmic Complexity Attacks". Proceedings of the IEEE Symposium on Security and Privacy, Berkeley (CA), May 17–20, 2009. http://www.cs.sunysb.edu/~rob/papers/races2.pdf (PDF)
7. Martelli, Alex (2006). Python in a Nutshell, 2nd ed., Chapter 6: Exceptions, p. 134. O'Reilly Media. ISBN 978-0-596-10046-9.
8. Dean, Drew; Hu, Alan J. (2004). "Fixing Races for Fun and Profit: How to use access(2)". Proceedings of the 13th USENIX Security Symposium, San Diego (CA), August 9–13, 2004, pp. 195–206. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.83.8647
9. Tsafrir, Dan; Hertz, Tomer; Wagner, David; Da Silva, Dilma (June 2008). "Portably Preventing File Race Attacks with User-Mode Path Resolution". Technical Report RC24572, IBM T. J. Watson Research Center, Yorktown Heights (NY). http://domino.watson.ibm.com/library/CyberDig.nsf/1e4115aea78b6e7c85256b360066f0d4/c4028924309762d18525746e004a4feb
10. Spillane, Richard P.; Gaikwad, Sachin; Chinni, Manjunath; Zadok, Erez (2009). "Enabling Transactional File Access via Lightweight Kernel Extensions". Seventh USENIX Conference on File and Storage Technologies (FAST 2009), San Francisco (CA), February 24–27, 2009. http://www.fsl.cs.sunysb.edu/docs/valor/valor_fast2009.pdf
11. Porter, Donald E.; Hofmann, Owen S.; Rossbach, Christopher J.; Benn, Alexander; Witchel, Emmett (2009). "Operating System Transactions". Proceedings of the 22nd ACM Symposium on Operating Systems Principles (SOSP '09), Big Sky (MT), October 11–14, 2009. http://www.sigops.org/sosp/sosp09/papers/porter-sosp09.pdf
12. Russinovich, Mark; Solomon, David A. (2009). Windows Internals. Microsoft Press. ISBN 978-0735648739.
13. "Alternatives to using Transactional NTFS". Microsoft Developer Network. https://msdn.microsoft.com/en-us/library/windows/desktop/hh802690%28v=vs.85%29.aspx (accessed 10 December 2015).
14. Hao Chen; Wagner, David; Dean, Drew (2002-05-12). "Setuid Demystified". http://www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf (PDF)