A TOCTOU (time-of-check, time-of-use) race condition is possible when two or more concurrent processes are operating on a shared file system [Seacord 2013b]. Typically, the first access is a check to verify some attribute of the file, followed by a call to use the file. An attacker can alter the file between the two accesses, or replace the file with a symbolic or hard link to a different file. These TOCTOU conditions can be exploited when a program performs two or more file operations on the same file name or path name.
A program that performs two or more file operations on a single file name or path name creates a race window between the two file operations. This race window comes from the assumption that the file name or path name refers to the same resource both times. If an attacker can modify the file, remove it, or replace it with a different file, then this assumption will not hold.
Noncompliant Code Example
If an existing file is opened for writing with the
mode argument, the file's previous contents (if any) are
destroyed. This noncompliant code example tries to prevent an existing
file from being overwritten by first opening it for reading before
opening it for writing. An attacker can exploit the race window
between the two calls to
to overwrite an existing file.
This compliant solution invokes
at a single location and uses the
, which was added in C11. This mode causes
to fail if the file exists. This check and subsequent open is
performed without creating a race window. The
mode provides exclusive access to the file only if the host
environment provides this support.
Compliant Solution (POSIX)
This compliant solution uses the
flags of POSIX's
function. These flags cause
to fail if the file exists.
FIO45-C-EX1: TOCTOU race conditions require that the vulnerable process is more privileged than the attacker; otherwise there is nothing to be gained from a successful attack. An unprivileged process is not subject to this rule.
FIO45-C-EX2: Accessing a file name or path name multiple times is permitted if the file referenced resides in a secure directory. (For more information, see FIO15-C. Ensure that file operations are performed in a secure directory.)
FIO45-C-EX3: Accessing a file name or path name multiple times is permitted if the program can verify that every operation operates on the same file.
This POSIX code example verifies that each subsequent file access
operates on the same file. In POSIX, every file can be uniquely
identified by using its device and i-node attributes. This code
example checks that a file name refers to a regular file (and not a
directory, symbolic link, or other special file) by invoking
. This call also retrieves its device and i-node. The file is
subsequently opened. Finally, the program verifies that the file that
was opened is the same one (matching device and i-nodes) as the file
that was confirmed as a regular file.