Whitepaper: Recognizing and Preventing TOCTOU

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity, and can be downloaded below.

Recognizing and Preventing TOCTOU Whitepaper

03 Mar 2015 – Christopher Hacking

Time-Of-Check-to-Time-Of-Use (TOCTOU) vulnerabilities have been known for decades, but are still frequently discovered in modern code. This diverse class of vulnerabilities can occur on any platform or architecture, across many types of systems. These vulnerabilities are not well understood in the development industry. Even when recognized, attempts to mitigate the threat often just move it, rather that solving the issue.

TOCTOU vulnerabilities occur where a developer has tried to avoid a security risk by checking the validity or trustworthiness of an attacker-controlled resource that, if it were malicious, could result in undesirable behavior. If the check passes, the resource is trusted and used. If an attacker is able to tamper with the resource between check and use, then whatever security the check was intended to provide can be bypassed, exposing the system to threats such as elevation of privilege. Depending on the scenario, there are a number of possible mitigations to TOCTOU vulnerabilities.

iSEC Partners has published a whitepaper that aims to help software engineers recognize and avoid TOCTOU vulnerabilities. The paper is aimed at architects, developers, and testers, and covers identifying and mitigating TOCTOU vulnerabilities. We provide examples for a number of scenarios where TOCTOU vulnerabilities may be found, with explanations and suggested fixes. Although it is not possible to cover every possible TOCTOU scenario, we provide the knowledge necessary to recognize potential TOCTOU risks in any context, and determine the best mitigation.