Defense and Attack Techniques Against File-Based TOCTOU Vulnerabilities: A Systematic Review

File-based Time-of-Check to Time-of-Use (TOCTOU) race conditions are a well-known type of security vulnerability. A wide variety of techniques have been proposed to detect, mitigate, avoid, and exploit these vulnerabilities over the past 35 years. However, despite these...


Bibliographic Details
Main Authors: Razvan Raducu, Ricardo J. Rodriguez, Pedro Alvarez
Format: Article
Language: English
Published: IEEE 2022-01-01
Series: IEEE Access
Subjects: File-based race condition; TOCTOU vulnerability; avoidance techniques
Online Access: https://ieeexplore.ieee.org/document/9718065/
collection DOAJ
description File-based Time-of-Check to Time-of-Use (TOCTOU) race conditions are a well-known type of security vulnerability. A wide variety of techniques have been proposed to detect, mitigate, avoid, and exploit these vulnerabilities over the past 35 years. However, despite these research efforts, TOCTOU vulnerabilities remain unsolved due to their non-deterministic nature and the particularities of the different filesystems involved in running vulnerable programs, especially in Unix-like operating system environments. In this paper, we present a systematic literature review on defense and attack techniques related to the file-based TOCTOU vulnerability. We apply a reproducible methodology to search, filter, and analyze the most relevant research proposals to define a global and understandable vision of existing solutions. The results of this analysis are finally used to discuss future research directions that can be explored to move towards a universal solution to this type of vulnerability.
first_indexed 2024-04-13T19:07:35Z
format Article
id doaj.art-e7a019ed3ce04d73ab040a6536d40c7a
institution Directory Open Access Journal
issn 2169-3536
language English
last_indexed 2024-04-13T19:07:35Z
publishDate 2022-01-01
publisher IEEE
record_format Article
series IEEE Access
spelling doaj.art-e7a019ed3ce04d73ab040a6536d40c7a | 2022-12-22T02:33:57Z | eng | IEEE | IEEE Access | 2169-3536 | 2022-01-01 | 10 | 21742 | 21758 | 10.1109/ACCESS.2022.3153064 | 9718065 | Defense and Attack Techniques Against File-Based TOCTOU Vulnerabilities: A Systematic Review | Razvan Raducu (0), https://orcid.org/0000-0002-8938-755X | Ricardo J. Rodriguez (1), https://orcid.org/0000-0001-7982-0359 | Pedro Alvarez (2), https://orcid.org/0000-0002-6584-7259 | Department of Computer Science and Systems Engineering, University of Zaragoza, Zaragoza, Spain | Department of Computer Science and Systems Engineering, University of Zaragoza, Zaragoza, Spain | Department of Computer Science and Systems Engineering, University of Zaragoza, Zaragoza, Spain | https://ieeexplore.ieee.org/document/9718065/ | File-based race condition | TOCTOU vulnerability | avoidance techniques
title Defense and Attack Techniques Against File-Based TOCTOU Vulnerabilities: A Systematic Review
topic File-based race condition
TOCTOU vulnerability
avoidance techniques
url https://ieeexplore.ieee.org/document/9718065/