View Help Online

Start here

Home
About Klocwork
What's new
Fixed issues
Release notes
Installation

Reference

C/C++ checkers
Java checkers
C# checkers
MISRA C 2004 checkers
MISRA C++ 2008 checkers
MISRA C 2012 checkers
MISRA C 2012 checkers with Amendment 1
Commands
Metrics
Troubleshooting
Reference

Product components

C/C++ Integration build analysis
Java Integration build analysis
Desktop analysis
Refactoring
Klocwork Static Code Analysis
Klocwork Code Review
Structure101
Tuning
Custom checkers

Coding environments

Visual Studio
Eclipse for C/C++
Eclipse for Java
IntelliJ IDEA
Other

Administration

Project configuration
Build configuration
Administration
Analysis performance
Server performance
Security/permissions
Licensing
Klocwork Static Code Analysis Web API
Klocwork Code Review Web API

Community

View help online
Visit RogueWave.com
Klocwork Support
Rogue Wave Videos

Legal

Legal information

SV.TOCTOU.FILE_ACCESS

TOCTOU race in file access

Functions like access, chown, chgrp, and chmod that operate on file names are vulnerable to time-of-check time-of-use (TOCTOU) errors. A TOCTOU error refers to a situation in which a resource's status can change between the time software checks it and the time it's used. The lapse of time invalidates the check, and can cause invalid actions when the resource is in an unexpected state.

If an attacker is able to change the state of an object between the time of the check and the time it's used, there is potential for a TOCTOU error, which typically happens with shared resources such as files, memory, and variables in multi-threaded programs.

The following functions are prone to this type of attack:

  • acct
  • access
  • chmod
  • lchown
  • chown
  • fopen
  • fdopen
  • freopen
  • fchmod
  • fchown
  • chdir
  • chgrp
  • creat
  • open
  • pathconf
  • opendir
  • lstat
  • stat
  • rename
  • link
  • lchown

The SV.TOCTOU.FILE_ACCESS checker flags function calls that have the potential for a TOCTOU error.

Vulnerability and risk

A typical instance of this vulnerability occurs when a system call is used to check whether the current process has rights to a file before opening the file. A process using this approach can be suspended between the time the check is made and the time the actual file is opened. While the process is suspended, another process can change which file is associated with the name.

Usually this situation involves an operating system that supports symbolic links to files. For instance, using symbolic links to manipulate the meaning of a string given for a password file allows an attacker to get a bogus entry into any location. In one case, an .rhosts file was created in a targeted user directory, allowing the attacker to log in remotely as that user.

This vulnerability can allow a malicious user to gain access to unauthorized resources, and make alterations, delete files, and gain elevated privileges.

Mitigation and prevention

Avoid using functions and system calls that take a file name as an argument-use calls that take a file handle or file descriptor instead. Once the operating system has assigned a file handler or descriptor, it can't be changed as easily as the manipulation of a file name with symbolic links.

If you need to specify a file name in a function

  • set the effective gid and uid for statement execution to that of the current user and group
  • limit the interval of time between the check and the use of a resource
  • check the resource after the use call to make sure that the appropriate action was taken
  • use environmental locking mechanisms to protect resources

External guidance

Parent topic: Suspicious code practices
Previous topic: SV.FMTSTR.GENERIC
Next topic: SV.USAGERULES.PERMISSIONS

© Rogue Wave Software, Inc. All rights reserved. | Contact