界: Time and State

分散式運算與時間和狀態相關。也就是說，為了使多個元件進行通訊，必須共用狀態，並且這一切都需要時間。

大多數的程式設計師將他們的工作擬人化。他們想採用一種控制執行緒來執行整個程式，就像他們必須自己完成這項工作一樣。但是，現代的電腦可以非常快速地切換工作，並且在多核心多 CPU 或分散式系統中，兩個事件可能恰好同時發生。瑕疵急於填補程式設計師在程式執行模型與實際情況之間的差距。這些瑕疵與執行緒、處理序、時間和資訊之間的意外互動有關。這些互動透過共用狀態發生：信號、變數、檔案系統，以及基本上任何可以儲存資訊的項目。

Race Condition: File System Access

C/C++
COBOL

Abstract

在檢查檔案屬性和使用檔案的期間內，能夠被用來發動擴大權限的攻擊。

Explanation

File access race condition (也稱為 time-of-check)、time-of-use (TOCTOU) race conditions，在以下情況中出現：

1.程式檢查檔案特性時，根據名稱來參照檔案。

2.程式稍後會使用相同的檔案名稱執行檔案系統作業，並假設先前檢查的屬性並未變更。
範例：以下程式呼叫 CBL_CHECK_FILE_EXIST 常式，以在建立檔案之前先檢查檔案是否存在，並執行必要的操作。


  CALL "CBL_CHECK_FILE_EXIST" USING
      filename
      file-details
      RETURNING status-code
  END-CALL

  IF status-code NOT = 0
      MOVE 3 to access-mode
      MOVE 0 to deny-mode
      MOVE 0 to device

      CALL "CBL_CREATE_FILE" USING
          filename
          access-mode
          deny-mode
          device
          file-handle
          RETURNING status-code
      END-CALL
  END-IF

CBL_CHECK_FILE_EXIST 呼叫的運作方式在意料之中，並傳回一個非零值，表示該檔案不存在。不過，因為 CBL_CHECK_FILE_EXIST 和 CBL_CREATE_FILE 都是對檔案名稱進行操作，而不是對檔案控制碼進行操作，所以當 filename 變數傳遞到 CBL_CREATE_FILE 的時候，就不能保證這個變數仍然能夠像傳遞到 CBL_CHECK_FILE_EXIST 的時候那樣參照磁碟上相同的檔案。如果攻擊者在 CBL_CHECK_FILE_EXIST 呼叫後建立 filename，CBL_CREATE_FILE 的呼叫將會失敗，進而導致程式認為該檔案是空的，但實際上它包含由攻擊者控制的資料。

導致這種攻擊的弱點的間隙是在這段時間內，檔案特性經過測試到檔案被使用為止。即使檔案的使用緊接在測試之後，現代的作業系統也無法確認在程式佔用 CPU 前所執行的程式碼數量。攻擊者有多種技術來延長機會時間的長度，以便更容易地發動攻擊。然而，即使機會時間很短，攻擊企圖也可能一而再地重複，直到成功。

這種類型的弱點可能應用於具有 root 權限的程式，以代表無權限使用者執行特定檔案操作，並使用存取測試來確保它沒有使用其根權限來執行操作，這種權限對目前使用者來說在其他情況下是無法取得的。藉由欺騙程式去執行其他情況下不被允許的操作，攻擊者就可能取得提升的權限。

References

[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley

[2] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 367

[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362

[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003178

[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3

[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 5.1, Rule 1.3

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), CM-6 Configuration Settings (P1), SA-11 Developer Security Testing and Evaluation (P1)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, CM-6 Configuration Settings, SA-11 Developer Testing and Evaluation

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 11.1.6 Business Logic Security Requirements (L2 L3)

[12] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation

[21] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362

[22] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362

[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001995 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001410 CAT II, APSC-DV-001995 CAT II

desc.controlflow.cobol.file_access_race_condition