|
In software development, time of check to time of use (TOCTTOU or TOCTOU, pronounced "''TOCK too''") is a class of software bug caused by changes in a system between the ''checking'' of a condition (such as a security credential) and the ''use'' of the results of that check. This is one example of a race condition. A simple example is as follows: Consider a Web application that allows a user to edit pages, and also allows administrators to lock pages to prevent editing. A user requests to edit a page, getting a form which can be used to alter its content. Before the user submits the form, an administrator locks the page, which should prevent editing. However, since editing has already begun, when the user submits the form, those edits (which have already been made) are accepted. When the user began editing, the appropriate authorization was ''checked'', and the user was indeed allowed to edit. However, the authorization was ''used'' later, at a time when edits should no longer have been allowed. TOCTTOU race conditions are most common in Unix between operations on the file system, but can occur in other contexts, including local sockets and improper use of database transactions. In the early 90's, the mail utility of BSD 4.3 UNIX had an exploitable race condition for temporary files because it used the mktemp() C library function.〔(【引用サイトリンク】title=A Security Loophole in Unix )〕 Early versions of OpenSSH had an exploitable race condition for Unix domain sockets.〔(【引用サイトリンク】title=The Secure Shell (SSH) Frequently Asked Questions )〕 == Examples == In Unix, the following C code, when used in a setuid program, is a TOCTTOU bug:if (access("file", W_OK) != 0) fd = open("file", O_WRONLY); write(fd, buffer, sizeof(buffer)); Here, ''access'' is intended to check whether the real user who executed the setuid program would normally be allowed to write the file (i.e., ''access'' checks the real userid rather than effective userid).This race condition is vulnerable to an attack: In this example, an attacker can exploit the race condition between the access and open to trick the setuid victim into overwriting an entry in the system password database. TOCTTOU races can be used for privilege escalation, to get administrative access to a machine.Although this sequence of events requires precise timing, it is possible for an attacker to arrange such conditions without too much difficulty. The implication is that applications cannot assume the state managed by the operating system (in this case the file system namespace) will not change between system calls. 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「Time of check to time of use」の詳細全文を読む スポンサード リンク
|