What is TOCTOU?
Time-of-check to time-of-use, or TOCTOU, is a category of race condition. In an application with a TOCTOU vulnerability, there is a period of time between when the application checks a piece of information about its state and when it actually uses the result of that check, and the state can change within that gap. This can be a serious security issue when it applies to sensitive conditions such as user creation or permissions, and attackers can exploit these vulnerabilities to reveal sensitive data or gain access to critical systems.
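The check-then-use gap described above, as an added example that is not taken from the OWASP TimeGap Theory Handbook or its lab: a constructed single-use coupon redemption in which the check (is the code still unused?) and the use (mark it redeemed) are separate steps, beside a version that performs both inside one critical section. `CouponStore`, `redeem_vulnerable`, `redeem_safe` and the code `SAVE20` are assumptions made for illustration; the store is an in-memory stand-in for a web application's database.

```python
import threading
import time


class CouponStore:
    """Constructed in-memory store standing in for a web app's coupon table."""

    def __init__(self, codes):
        self.redeemed = {code: False for code in codes}
        self.lock = threading.Lock()


def redeem_vulnerable(store, code, gap=None):
    """Time of check (is the code unused?) and time of use (mark it used) are
    separate steps, so another request can run between them."""
    if store.redeemed.get(code) is not False:      # time of check
        return False
    if gap is not None:
        gap()                                        # the TOCTOU window
    store.redeemed[code] = True                      # time of use
    return True


def redeem_safe(store, code, gap=None):
    """Check and use happen inside one critical section, so no request can act
    on an 'unused' observation after another request has consumed the code."""
    with store.lock:
        if store.redeemed.get(code) is not False:
            return False
        if gap is not None:
            gap()
        store.redeemed[code] = True
        return True


def _run_two_requests(redeem_fn, gap):
    """Start two concurrent requests for the same code; return how many succeed."""
    store = CouponStore(["SAVE20"])
    start = threading.Barrier(2)
    results = []
    results_lock = threading.Lock()

    def request():
        start.wait()                                 # release both at once
        ok = redeem_fn(store, "SAVE20", gap=gap)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=request) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def demo_vulnerable():
    """A barrier inside the gap makes both requests pass the check before
    either reaches the use: the interleaving that allows double redemption."""
    in_gap = threading.Barrier(2)
    return _run_two_requests(redeem_vulnerable, gap=in_gap.wait)


def demo_safe():
    """The lock serialises check and use, so even a slow gap cannot let the
    second request see the code as unused."""
    return _run_two_requests(redeem_safe, gap=lambda: time.sleep(0.05))


if __name__ == "__main__":
    print("vulnerable: successful redemptions =", demo_vulnerable())
    print("safe:       successful redemptions =", demo_safe())
```

The same pattern applies to any check-then-act sequence in a request handler (balance checks before a debit, uniqueness checks before creating a user, permission checks before a privileged write): the defence is to make the check and the use one atomic operation, for example a conditional update in the database, rather than two round trips.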
Why write a book about TOCTOU?
Balakrishnan’s road to writing the book began in a threat modeling session. As a security engineer, he identified a software design that could be vulnerable to TOCTOU. When he pointed it out, he found that most of the people in the session did not know what a TOCTOU vulnerability was. He wanted to help solve that problem. “My first idea was to come up with a video or a blog post,” Balakrishnan said. “There are lots of blog posts and videos already on this topic, but still people don’t know what are the actual implications of this issue.”
So, Balakrishnan thought bigger. He envisioned a project that would cover these vulnerabilities in a more complete manner than a short video or blog post could. He wanted to create something that would reach more people and educate them about the dangers of TOCTOU vulnerabilities in web applications, how to find them, and how to exploit them.
Balakrishnan began by creating the OWASP TimeGap Theory Lab. The lab is a web application built in Capture the Flag (CTF) style around seven TOCTOU exploit scenarios. Since a lab is not as useful without clear documentation of the exercises, Balakrishnan began to write. As he refined and expanded his discussion of TOCTOU vulnerabilities and the TimeGap Theory Lab, the OWASP TimeGap Theory Handbook emerged. After two years of writing and revision, Balakrishnan has created a book that he hopes will both educate people about TOCTOU vulnerabilities and build a foundation for further work.
Both the cover and the contents of the book feature dinosaurs prominently. “I have a toddler,” said Balakrishnan. “His favorite TV series is Peppa Pig. There is a character called George; his favorite toy is a dinosaur. That became my son’s favorite toy.” He saw dinosaurs around the house often as he built the lab and wrote the book.
When it came time to choose a mascot for the project, a dinosaur was the natural choice. He was already calling the project TimeGap Theory, since the gap in time between checking the system state and using the result of the check is at the heart of TOCTOU vulnerabilities. Not only do the drawings of dinosaurs make the project more fun, but Balakrishnan noted that they fit the theme. “There is a time gap between when we came to know about dinosaurs and when they actually existed.”
Balakrishnan is still involved with research and education. Though the OWASP TimeGap Theory Handbook requires experience in application security or software development, he got enough questions from people trying to learn security that he began to develop Tiny Bird CTF, a CTF with fifty challenges and counting. Tiny Bird CTF uses a series of challenges to teach web application security and testing principles to people new to the field. He is also working on Snow, a privacy application to prevent shoulder-surfing; he aims to release Snow later in 2021.
I encourage you to watch my discussion with Abhi Balakrishnan, so you can learn more about TOCTOU vulnerabilities, his work, and his book. You can get your own copy of the OWASP TimeGap Theory Handbook, as well as access the accompanying TimeGap Theory labs, at timegaptheory.com.
After watching the interview and reading about Balakrishnan’s book, you may have questions about whether your web applications are vulnerable to TOCTOU or whether your security team is equipped to identify and remediate those issues. Security Compass has deep expertise in web application security testing, including over fifteen years of working with developers to both test software and secure it. When you are ready to talk to us about your web application security questions, we are here to listen.