Time-of-check to time-of-use
Class of software bugs / From Wikipedia, the free encyclopedia
In software development, time-of-check to time-of-use (TOCTOU, TOCTTOU or TOC/TOU) is a class of software bugs caused by a race condition involving the checking of the state of a part of a system (such as a security credential) and the use of the results of that check.
TOCTOU race conditions are common in Unix between operations on the file system,[1] but can occur in other contexts, including local sockets and improper use of database transactions. In the early 1990s, the mail utility of BSD 4.3 UNIX had an exploitable race condition for temporary files because it used the mktemp()
[2] function.[3]
Early versions of OpenSSH had an exploitable race condition for Unix domain sockets.[4] They remain a problem in modern systems; as of 2019, a TOCTOU race condition in Docker allows root access to the filesystem of the host platform.[5] In the 2023 Pwn²Own competition in Vancouver, a team of hackers was able to compromise the gateway in updated Tesla model 3 using this bug.[6]