OWASP TimeGap Theory Handbook
Search
K

TOCTOU

What are these issues? How do they become security issues?
From Wikipedia: In software development, time-of-check to time-of-use is a class of software bugs caused by a race condition involving the checking of the state of a part of a system and the use of the results of that check.
You + friends @ restaurant
Confused? Let us look at a scenario:
  1. 1.
    Your friends are at a restaurant
  2. 2.
    You joined them late
  3. 3.
    You noticed an empty chair and proceeded to sit there
  4. 4.
    Your friends want to shake hands with you, so you stand up again
  5. 5.
    Meanwhile, one of the friends pulled the chair
  6. 6.
    You proceeded to sit but ended up falling on the floor
You falling due to the time gap between check and use
There were two threads in the above scenario. One was you, and the other one was your friend. Both of you were accessing the same variable, i.e. the chair. Your friend acted on the variable and made a change. You were not aware of the change and proceeded to sit on the variable - chair.
Let us look at another example:
  1. 1.
    You and your brother are running a mattress store
  2. 2.
    A customer approaches you
  3. 3.
    The customer asks you if they can get two sets of pillows
  4. 4.
    You check if you have enough stock
  5. 5.
    You have exactly two sets of pillows available
  6. 6.
    You bill the customer
  7. 7.
    You go back and find only one set of pillows in stock
  8. 8.
    Your brother already sold one set of pillows to another customer
Do you see where this is going?
  1. 1.
    You did your job
  2. 2.
    Your brother did his job
  3. 3.
    However, both of you did not talk to each other
  4. 4.
    In the end, one customer was unhappy
  5. 5.
    You also were left unhappy which eventually made your brother unhappy
You and your brother in a heated verbal exchange
These scenarios can be applied to software development. You think of a problem, write a simple solution, and then deploy this code. During runtime, the code will run in parallel threads, but these threads do not talk to each other. Neither do they share a common state. They often share the same variables (storage units) in memory or in a database. What if one thread modifies these variables while the other thread is still working on it? This can cause concurrency issues.
In software applications, these concurrency issues can lead to annoying bugs. Sometimes these bugs can turn into bigger security issues. Ultimately, these security issues can lead to major business risks. You might ask yourself how? We will discuss that next in this guide.
Previous
Welcome
Next
Lab Setup!
Last modified 2yr ago