VOTD: Time of Check, Time of Use
Engineering Secure Software
Last Revised: September 1, 2020
SWEN-331: Engineering Secure Software, Benjamin S Meyers
What is Time of Check, Time of Use?
● Analogy: Jill asks Dan to have tea ready for her when she gets home from work. Dan checks that he has a clean cup, tea, and sugar for Jill's cup of tea; there is just enough sugar. Satisfied that he can make Jill's tea, Dan takes a nap. While he is napping, Dan and Jill's son, Paul, makes a cup of tea and uses all of the sugar. When Dan wakes up to make tea for Jill, he sees that all of the sugar is gone and panics!
What is Time of Check, Time of Use?
● Dan (Process 1): checks for sugar
● Paul (Process 2): uses all of the sugar
● Dan (Process 1): tries to use the sugar, but it isn't there
● Dan and Paul are separate processes competing for the same resources
● This is a race condition: a change in the state of the system between when a condition was checked and when action is taken based on that condition
Examples
● L1 Terminal Fault
  ○ Microprocessors have different layers of cache (L1, L2, L3)
  ○ L1 cache is very small (32KB)
  ○ Processors use virtual and physical memory and try to swap data between the two for optimization purposes
  ○ A process could check the L1 cache, see that data is there, go do other stuff, but then reference the memory address of that data, which has been swapped to virtual memory
  ○ More information from the Red Hat blog
Examples
● PHP
  ○ CVE-2004-0594
  ○ The fix
● Debian's checkinstall script
  ○ CVE-2008-2958
  ○ Original bug report
Mitigations
● Whenever possible, make transactions as atomic as possible
  ○ If the technology provides a way to check the data and act on it in a single transaction, always do that
● If you can't be atomic, reduce the time between the check and the use as much as possible
● Limit the number of processes that can access a resource
● Recheck the resource for integrity after using it
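The following is an added example, not part of the original slides, showing the check-then-act race from the sugar analogy on a file system and the first and last mitigations above (check and act in one system call; recheck the resource after the action). The file names, the scratch directory and the planted symlink are constructed for the demonstration; `os.O_EXCL` and `os.O_NOFOLLOW` are real POSIX open flags.

```python
import errno
import os
import stat
import tempfile

# O_NOFOLLOW exists on Linux, the BSDs and macOS; fall back to 0 elsewhere.
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def create_private_file_unsafe(path):
    """The 'before' pattern: check, then act, as two separate system calls.
    Between exists() and open() another process can plant a file or a
    symlink at `path`; open() then follows the link and writes elsewhere."""
    if os.path.exists(path):                                  # time of check
        raise FileExistsError(path)
    return os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)     # time of use


def create_private_file_atomic(path):
    """Check and act in one system call: O_EXCL makes the kernel refuse if
    the name already exists (a symlink counts as existing, even a dangling
    one), and O_NOFOLLOW refuses to traverse a symlink at the final name."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW
    return os.open(path, flags, 0o600)


def open_and_verify(path):
    """Open first, then re-check what was actually opened: the identity
    (device, inode) of the open descriptor must match the identity of the
    name on disk. A mismatch means the name was swapped around the open."""
    fd = os.open(path, os.O_RDONLY | O_NOFOLLOW)
    try:
        by_name = os.lstat(path)
        by_fd = os.fstat(fd)
        if (by_name.st_dev, by_name.st_ino) != (by_fd.st_dev, by_fd.st_ino):
            raise RuntimeError("%s changed identity around open()" % path)
    except Exception:
        os.close(fd)
        raise
    return fd


def demo():
    """Run both patterns in a scratch directory with constructed sample data
    and return a dict describing what happened (nothing is printed)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "secret.txt")
        victim = os.path.join(d, "victim.txt")
        link = os.path.join(d, "planted")
        os.symlink(victim, link)   # stands in for the racing process (Paul)

        fd = create_private_file_atomic(target)
        os.write(fd, b"constructed sample content\n")
        os.close(fd)
        results["mode"] = stat.S_IMODE(os.stat(target).st_mode)

        # A second create of the same name must be refused, not overwrite it.
        try:
            os.close(create_private_file_atomic(target))
            results["second_create"] = "succeeded"
        except FileExistsError:
            results["second_create"] = "refused"

        # Atomic create of a name that is a dangling symlink is refused.
        try:
            os.close(create_private_file_atomic(link))
            results["atomic_on_symlink"] = "followed"
        except FileExistsError:
            results["atomic_on_symlink"] = "refused"
        results["victim_after_atomic"] = os.path.exists(victim)

        # The check-then-act version passes its check (a dangling link looks
        # absent to exists()) and then follows the link, creating victim.txt.
        try:
            os.close(create_private_file_unsafe(link))
            results["unsafe_on_symlink"] = "followed"
        except FileExistsError:
            results["unsafe_on_symlink"] = "refused"
        results["victim_after_unsafe"] = os.path.exists(victim)

        # Post-open verification on an honest file passes ...
        fd = open_and_verify(target)
        results["verify_plain"] = os.read(fd, 64) == b"constructed sample content\n"
        os.close(fd)
        # ... and opening through the planted symlink is refused.
        try:
            os.close(open_and_verify(link))
            results["verify_symlink"] = "opened"
        except (OSError, RuntimeError):
            results["verify_symlink"] = "refused"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of `create_private_file_atomic` is that the kernel performs the existence test and the create as one operation, so there is no window for another process to act in between; `open_and_verify` is the "recheck after use" mitigation, which cannot prevent the race but does detect that the name no longer refers to the object that was opened.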
Notes
● Sometimes, depending on the technology or the situation, TOCTOU vulnerabilities cannot be fully mitigated
● TOCTOU is usually a concurrency issue
  ○ All of the best design practices for concurrency apply here