Sciweavers

USS
2004

Fixing Races for Fun and Profit: How to Use access(2)

14 years 1 months ago
Fixing Races for Fun and Profit: How to Use access(2)
It is well known that it is insecure to use the access(2) system call in a setuid program to test for the ability of the program's executor to access a file before opening said file. Although the access(2) call appears to have been designed exactly for this use, such use is vulnerable to a race condition. This race condition is a classic example of a time-of-check-to-time-of-use (TOCTTOU) problem. We prove the "folk theorem" that no portable, deterministic solution exists without changes to the system call interface, we present a probabilistic solution, and we examine the effect of increasing CPU speeds on the exploitability of the attack.
Drew Dean, Alan J. Hu
Added 31 Oct 2010
Updated 31 Oct 2010
Type Conference
Year 2004
Where USS
Authors Drew Dean, Alan J. Hu
Comments (0)