TY - JOUR
T1 - A Novel Detection Method for the Security Vulnerability of Time-of-Check to Time-of-Use
AU - Zhuang, Yungyu
AU - Tseng, Yao Nang
N1 - Publisher Copyright:
© 2022 Institute of Information Science. All rights reserved.
PY - 2022/11
Y1 - 2022/11
N2 - Since Artificial Intelligence (AI) is applied to various applications for intelligent and automatic processing, ensuring systems security is even more important. Many developers still prefer C-like languages for flexibility, usability, and historical reasons to implement underlay systems, though other languages support more modern features. As a result of lacking higher-level abstraction and exception handling, languages like C are known to risk several security vulnerabilities. Time-of-Check to Time-of-Use (TOCTOU) is one of the security vulnerabilities in C code, a kind of bug caused by race conditions. Unexpected use of certain function calls might be executed and result in failure or abnormal behaviors of systems if someone injects malicious operations between the time of check on system status and the use of the check result. Several research activities on code analysis, including static and dynamic approaches, were devoted to developing detection methods, but there is room for improvement. We propose a novel method to statically detect the TOCTOU vulnerability and implement a tool built atop a solid static analyzer to show the feasibility of our idea. Our tool was evaluated with the test cases for TOCTOU vulnerabilities and compared with existing detection methods. The results show that our method can detect TOCTOU vulnerabilities more accurately and cover all possible paths in the source code.
AB - Since Artificial Intelligence (AI) is applied to various applications for intelligent and automatic processing, ensuring systems security is even more important. Many developers still prefer C-like languages for flexibility, usability, and historical reasons to implement underlay systems, though other languages support more modern features. As a result of lacking higher-level abstraction and exception handling, languages like C are known to risk several security vulnerabilities. Time-of-Check to Time-of-Use (TOCTOU) is one of the security vulnerabilities in C code, a kind of bug caused by race conditions. Unexpected use of certain function calls might be executed and result in failure or abnormal behaviors of systems if someone injects malicious operations between the time of check on system status and the use of the check result. Several research activities on code analysis, including static and dynamic approaches, were devoted to developing detection methods, but there is room for improvement. We propose a novel method to statically detect the TOCTOU vulnerability and implement a tool built atop a solid static analyzer to show the feasibility of our idea. Our tool was evaluated with the test cases for TOCTOU vulnerabilities and compared with existing detection methods. The results show that our method can detect TOCTOU vulnerabilities more accurately and cover all possible paths in the source code.
KW - security vulnerability
KW - source code analysis
KW - static analysis
KW - time-of-check to time-of-use
KW - TOCTOU
UR - http://www.scopus.com/inward/record.url?scp=85144103794&partnerID=8YFLogxK
U2 - 10.6688/JISE.202211_38(6).0005
DO - 10.6688/JISE.202211_38(6).0005
M3 - Journal article
AN - SCOPUS:85144103794
SN - 1016-2364
VL - 38
SP - 1171
EP - 1188
JO - Journal of Information Science and Engineering
JF - Journal of Information Science and Engineering
IS - 6
ER -