Talk With an Expert

A Tour of TOCTTOUs

A Tour of TOCTTOUs (PDF, 1.66MB)Published: 23 May, 2003
Created by:
Craig Lowery

Time of check to time of use (TOCTTOU) vulnerabilities exist due to race conditions arising from an invalid assumption: That nothing affecting the validity of a security assertion changes between the time it is checked and the time an operation that depends on that assertion is performed. In fact it is quite possible that the security of the environment changes with respect to the assertion during this interval. If these changes are cleverly timed and orchestrated the operation may result in a security breach. This paper characterizes this particular category of security vulnerabilities describes various types of TOCTTOUs and particular situations in which they have arisen historically and presents a short set of guidelines for reducing or eliminating these flaws.

A Tour of TOCTTOUs