What are TOCTTOU Vulnerabilities?

They say timing is everything... and cyberattacks are no different.

Timing-based attacks exploit timing vulnerabilities in software and hardware. The best example of this is TOCTTOU ("time-to-check to time-of-use") attacks, which are a category of timing-based attacks that can be difficult to identify and protect against.

Today, the ethical hackers at Packetlabs outline everything you need to know about TOCTTOU vulnerabilities and the different types of time-based exploits SMBs are likely to encounter.

Simple Timing Attacks

Simple timing attacks are one form of side-channel attack that measure the time it takes to perform certain operations. For example, an attacker may measure the duration of a password comparison operation and use that information to extract the correct password. SQL injection timing-based attacks are effective when the contents of a database cannot be printed to the screen.

The attack will check the value of each character of database content and provide SQL code that will "sleep" the process for a fraction of a second when the correct character is guessed. SQL Injection timing-based attacks can be very powerful and, when given enough time, can allow an attacker to exfiltrate an entire database.

Race Condition Timing Attacks (AKA TOCTTOU Attacks)

Race condition (AKA TOCTTOU) vulnerabilities are caused by logical errors in how a software application or hardware such as a CPU or other integrated circuit has been designed.

In a TOCTTOU attack, an attacker exploits the timing and order of events to gain unauthorized access to a resource or execute unintended operations. These attacks take advantage of a time differential between when a resource is checked (for example, to see if it is available) and the time when it is used.

During this period, an attacker can potentially modify the resource in question, leading to unauthorized access, logical errors, or other unexpected behaviour. These vulnerabilities have the most negative impact when an attacker can use the exploit to gain higher privileges or an attacker can "double spend" money in a user account.

Software-Based TOCTTOU Attacks

An example of a typical software TOCTTOU vulnerability is shown in the diagram below. The logic flow on the left includes a vulnerable period of time that can allow an attacker to take advantage of the software state. This occurs during the transfer of funds from one account to another because the funds are deposited into the second account before they are removed from the first account.

If an attacker can submit a second request before the first request has been completed, it could allow the attacker to take advantage of the software flaw. Consider the two examples below. In the exploitable example, the attacker has a time window, when the requested money transfer has been added to the destination account, but has not been removed from the source account yet.

However, in the not-exploitable example, the transaction's logic flow protects against the TOCTTOU attack.

Hardware-Based TOCTTOU Attacks: Spectre and Meltdown

The Spectre and Meltdown attacks are two examples of hardware timing attacks that exploit the speculative execution feature of modern CPUs to leak sensitive information from the CPU cache.

Speculative execution is a technique used by CPUs to improve performance by executing instructions out of order before it is certain they will be needed. In doing so, the CPU can avoid delays caused by waiting for instructions, but in 2018 attack techniques were disclosed that took advantage of this speculative processing of information to leak sensitive data including admin passwords and encryption keys from the targeted system.

Protecting Against TOCTTOU Attacks

TOCTTOU attacks can have an enormously negative impact on an organization and can impact both hardware and software. Most forms of timing-based attacks, especially TOCTTOU attacks are difficult to detect and prevent because they are not "noisy" and therefore are unlikely to set off a rate limiter.

Here's what cyber-defenders can do to prevent timing-based attacks:

Apply Security Patches Immediately

Most IT environments consist of mostly third-party software making it difficult for defenders to have strong assurances about each application they use. This makes it very important to only use software from trusted sources, and to apply security patches to fix bugs such as TOCTTOU vulnerabilities as soon as they are available.

In response to the Spectre and Meltdown attacks, Intel implemented hardware and software mitigations, including disabling the affected CPU features to prevent speculative execution attacks, so it's also important to monitor hardware for security updates as well. Vulnerability scanning can help to identify software with known vulnerabilities and verify that all updates have been applied.

Conduct Application Security Testing (AST)

Static and dynamic code analysis can help identify timing-based attacks by assessing the program's source code to identify where a timing-based attack might take place and simulating such attacks to verify an application's resilience against them. Applications that process payment transactions such as an e-commerce system are particularly likely targets for TOCTTOU attacks.

TOCTTOU FAQs

"What type of vulnerability does a TOCTTOU attack target?"

The most common TOCTTOU vulnerabilities are found on a multitasking operating system, allowing the attacker's code to execute and change the resource between check and use.

"Which one of the following is a proper remediation technique for race conditions?"

When it comes to race conditions and other similar time-oriented cyberthreats, your PTaaS provider can determine that different strains of execution do not share resources as just one of your actionable remediation steps.

"Where do 90% of all cyberattacks come from?"

90% of cyberattacks come from human error, and timing-based threats are no exception. To better identify and circumvent these attacks, we highly recommend to brief employees on what they look like and the damage they can cause.

Conclusion

Timing attacks, in general, are a class of attacks that exploit the timing behaviour of a system to extract sensitive information. These attacks can exploit various types of timing-related vulnerabilities, such as measuring the time it takes for a system to perform certain operations or exploiting the order that sensitive processes are executed. 

TOCTTOU attacks are a class of security vulnerabilities that can affect both software and hardware systems. These attacks exploit timing windows between when a resource is checked and when it's used and can lead to unexpected program behaviour, unauthorized access, or control of affected systems. It is important for system designers and developers to be aware of these vulnerabilities and to implement appropriate security measures to prevent them.

Seeking even more information on how to better protect your organization from timing-oriented threats? Contact our team of friendly neighbourhood ethical hackers today.