TOCTOU
What are these issues? How do they become security issues?
From Wikipedia: In software development, time-of-check to time-of-use is a class of software bugs caused by a race condition involving the checking of the state of a part of a system and the use of the results of that check.
Confused? Let us look at a scenario:
Your friends are at a restaurant
You joined them late
You noticed an empty chair and proceeded to sit there
Your friends want to shake hands with you, so you stand up again
Meanwhile, one of the friends pulled the chair
You proceeded to sit but ended up falling on the floor
There were two threads in the above scenario: one was you, and the other was your friend. Both of you were accessing the same variable, i.e. the chair. Your friend acted on the variable and changed it. You were not aware of the change and proceeded to sit on the chair anyway.
Let us look at another example:
You and your brother are running a mattress store
A customer approaches you
The customer asks you if they can get two sets of pillows
You check if you have enough stock
You have exactly two sets of pillows available
You bill the customer
You go back and find only one set of pillows in stock
Your brother already sold one set of pillows to another customer
Do you see where this is going?
You did your job
Your brother did his job
However, the two of you did not talk to each other
In the end, one customer was unhappy
You were also left unhappy, which eventually made your brother unhappy
These scenarios apply directly to software development. You think of a problem, write a simple solution, and deploy the code. At runtime, the code runs in parallel threads, but these threads do not talk to each other and neither one knows what the other is doing. Yet they often share the same variables (storage units) in memory or in a database. What if one thread modifies these variables while the other thread is still working on them? The check one thread made is no longer true by the time it acts on it. This is a concurrency issue.
In software applications, these concurrency issues can lead to annoying bugs. Sometimes these bugs turn into bigger security issues. Ultimately, these security issues can lead to major business risks. You might ask yourself how. We will discuss that next in this guide.
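The mattress-store scenario above, written as code. This is an added example, not part of the original guide: the `Inventory` class, its `sell_racy` and `sell_safe` methods, and the barrier-driven interleaving are constructed for illustration. The racy version checks the stock and decrements it as two separate steps, leaving a window in which the other seller can act; the safe version holds one lock across both the check and the use.

```python
import threading

class Inventory:
    """Shared stock counter; a sale is a check (enough stock?) followed by a use (decrement)."""

    def __init__(self, stock):
        self.stock = stock
        self.lock = threading.Lock()

    def sell_racy(self, qty, window):
        # Time of check: the stock looks sufficient...
        if self.stock < qty:
            return False
        window()              # ...but another seller can change it in this gap...
        # Time of use: we act on a check that may now be stale.
        self.stock -= qty
        return True

    def sell_safe(self, qty, window):
        # Check and use run under one lock, so no other seller can slip in between.
        with self.lock:
            if self.stock < qty:
                return False
            window()
            self.stock -= qty
            return True

def run_two_sellers(sell, stock=1, qty=1):
    """Run two seller threads against one inventory; return (final stock, sorted outcomes)."""
    inv = Inventory(stock)
    # Constructed interleaving: each seller pauses after its check until both have checked.
    # With the lock held, the second seller never reaches the gate, so the wait times out.
    gate = threading.Barrier(2, timeout=0.5)

    def window():
        try:
            gate.wait()
        except threading.BrokenBarrierError:
            pass

    outcomes = []
    workers = [threading.Thread(target=lambda: outcomes.append(sell(inv, qty, window)))
               for _ in range(2)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return inv.stock, sorted(outcomes)

if __name__ == "__main__":
    print("racy:", run_two_sellers(Inventory.sell_racy))  # (-1, [True, True]): oversold
    print("safe:", run_two_sellers(Inventory.sell_safe))  # (0, [False, True]): one refused
```

With one set in stock, the racy sale bills both customers and drives the stock negative, which is exactly the store scenario; the locked version refuses the second sale.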