JISE




Journal of Information Science and Engineering, Vol. 38 No. 6, pp. 1171-1188


A Novel Detection Method for the Security Vulnerability of Time-of-Check to Time-of-Use


YUNGYU ZHUANG+ AND YAO-NANG TSENG
Department of Computer Science and Information Engineering
National Central University
Taoyuan, 32001 Taiwan
E-mail: yungyu@ncu.edu.tw; 106522031@cc.ncu.edu.tw


As Artificial Intelligence (AI) is applied to various applications for intelligent and automatic processing, ensuring system security becomes even more important. Many developers still prefer C-like languages for implementing underlying systems because of flexibility, usability, and historical reasons, even though other languages support more modern features. Because they lack higher-level abstraction and exception handling, languages like C are known to be at risk of several security vulnerabilities. Time-of-Check to Time-of-Use (TOCTOU) is one such vulnerability in C code, a kind of bug caused by race conditions. If someone injects malicious operations between the time the system status is checked and the time the check result is used, certain function calls might be used in unexpected ways, resulting in failures or abnormal system behavior. Several research efforts on code analysis, including static and dynamic approaches, have been devoted to developing detection methods, but there is room for improvement. We propose a novel method to statically detect the TOCTOU vulnerability and implement a tool built atop a solid static analyzer to show the feasibility of our idea. Our tool was evaluated with test cases for TOCTOU vulnerabilities and compared with existing detection methods. The results show that our method can detect TOCTOU vulnerabilities more accurately and cover all possible paths in the source code.


Keywords: security vulnerability, source code analysis, static analysis, time-of-check to time-of-use, TOCTOU
