
Race Condition

A software bug that occurs when the outcome of a program depends on the unpredictable order in which threads or processes access and modify shared resources.

A race condition is where the system’s substantive behavior is dependent on the sequence or timing of other uncontrollable events.

Race condition as a security vulnerability: the system’s substantive behavior is dependent on the sequence or timing of attacker-controllable events.

Attackers exploit race conditions by changing the state that a program is running in while the program assumes that the state has not been changed.

Root causes for race conditions

  • Shared resources
    • Volatile memory (DRAM)
    • Non-Volatile Memory (filesystem, etc)
  • Parallelism
    • The faux-parallelism (multi-threading)
      • 2+ clients talking to the same server
      • 2+ tabs executing javascript in the same browser
      • 2+ userspace threads/apps executing syscalls in same OS
      • 2+ OSes running in the same hypervisor
    • The true-parallelism (multi-processing)
      • 2+ CPU cores executing in parallel in the same System on a Chip
      • 2+ chips on a shared bus

Double fetch

A vulnerability that arises when data is accessed multiple times.

TOCTOU Vulnerability

Not all TOCTOU vulnerabilities are double fetches.

TOCTOU (Time of check / Time of use) is a class of software bugs caused by race conditions involving the checking of the state of a part of a system and the use of the results of that check.

TOCTOU race conditions are common in Unix between operations on the file system but can occur in other contexts, including local sockets and improper use of database transactions.

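#include <stdio.h>
#include <assert.h>
#include <stdlib.h>

/* Time of check: the file must contain 0. */
void check_input(char *filename) {
	int i;
	FILE *fp = fopen(filename, "r");
	/* Bail out if the file is missing or holds no number (e.g. mid-truncate). */
	if (!fp || fscanf(fp, "%d", &i) != 1) exit(1);
	fclose(fp);
	assert(i == 0);
}

/* Time of use: the file is reopened and reread, so its value may have
 * changed since check_input() looked at it. This is the TOCTOU window. */
void do_action(char *filename) {
	int i;
	FILE *fp = fopen(filename, "r");
	if (!fp || fscanf(fp, "%d", &i) != 1) exit(1);
	fclose(fp);

	i++;
	fp = fopen(filename, "w");
	if (!fp) exit(1);
	fprintf(fp, "%d\n", i);
	printf("Wrote %d.\n", i);
	fclose(fp);
}

int main(int argc, char **argv) {
	if (argc != 2) {
		fprintf(stderr, "usage: %s FILE\n", argv[0]);
		return 1;
	}
	check_input(argv[1]);
	do_action(argv[1]);
	return 0;
}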

Run in a loop:

while :; do ./toctou num; done 2>/dev/null

In another terminal:

while :; do echo 0 > num ; done 2>/dev/null

while :; do echo 1 > num ; done 2>/dev/null
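
The mitigation for the program above, as an added example (not code from the original page): the file is opened once and the value is read once, so the value that passes the check is the value that gets incremented. The function name `checked_increment` and the use of `flock` are choices made for this example.

```c
#define _GNU_SOURCE /* for flock/pread/pwrite/ftruncate under strict -std */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <unistd.h>

/* Added example: returns the value written, or -1 if the check or I/O fails. */
int checked_increment(const char *filename) {
	char buf[32];
	int result = -1;

	/* Open once; the check and the write both go through this descriptor. */
	int fd = open(filename, O_RDWR);
	if (fd < 0)
		return -1;

	/* Advisory lock: it only excludes writers that also call flock(). */
	if (flock(fd, LOCK_EX) == 0) {
		ssize_t n = pread(fd, buf, sizeof(buf) - 1, 0);
		if (n > 0) {
			char *end;
			buf[n] = '\0';
			long v = strtol(buf, &end, 10);
			/* Single fetch: the value checked is the value used. */
			if (end != buf && v == 0) {
				int len = snprintf(buf, sizeof(buf), "%ld\n", v + 1);
				if (ftruncate(fd, 0) == 0 && pwrite(fd, buf, len, 0) == len)
					result = (int)(v + 1);
			}
		}
	}
	close(fd); /* closing the descriptor releases the lock */
	return result;
}

int main(int argc, char **argv) {
	if (argc != 2) {
		fprintf(stderr, "usage: %s FILE\n", argv[0]);
		return 2;
	}
	int v = checked_increment(argv[1]);
	if (v < 0)
		return 1;
	printf("Wrote %d.\n", v);
	return 0;
}
```

Run against the same two `echo` loops, this version only ever prints `Wrote 1.`; the `flock` is advisory, so the shell loops can still overwrite the file, but they can no longer get a value other than 0 incremented.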

Races in the filesystem


Races in Memory

Memory is a shared resource between threads.


Resources
