A race condition occurs within concurrent environments, and it is effectively a property of a code sequence. Depending on the context, a code sequence may be in the form of a function call, a small number of instructions, a series of program invocations, etc.
A race condition violates these properties, which are closely related:
A race condition exists when an "interfering code sequence" can still access the shared resource, violating exclusivity.
The interfering code sequence could be "trusted" or "untrusted." A trusted interfering code sequence occurs within the product; it cannot be modified by the attacker, and it can only be invoked indirectly. An untrusted interfering code sequence can be authored directly by the attacker, and typically it is external to the vulnerable product.
Scope | Impact | Likelihood |
---|---|---|
Availability | DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other) Note: When a race condition makes it possible to bypass a resource cleanup routine or trigger multiple initialization routines, it may lead to resource exhaustion. | |
Availability | DoS: Crash, Exit, or Restart, DoS: Instability Note: When a race condition allows multiple control flows to access a resource simultaneously, it might lead the product(s) into unexpected states, possibly resulting in a crash. | |
Confidentiality Integrity | Read Files or Directories, Read Application Data Note: When a race condition is combined with predictable resource names and loose permissions, it may be possible for an attacker to overwrite or access confidential data (CWE-59). | |
Access Control | Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Bypass Protection Mechanism Note: This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider. |
Reference | Description |
---|---|
Go application for cloud management creates a world-writable sudoers file that allows local attackers to inject sudo rules and escalate privileges to root by winning a race condition. | |
Chain: improper locking (CWE-667) leads to race condition (CWE-362), as exploited in the wild per CISA KEV. | |
Chain: mobile platform race condition (CWE-362) leading to use-after-free (CWE-416), as exploited in the wild per CISA KEV. | |
Chain: race condition (CWE-362) leads to use-after-free (CWE-416), as exploited in the wild per CISA KEV. | |
chain: JTAG interface is not disabled (CWE-1191) during ROM code execution, introducing a race condition (CWE-362) to extract encryption keys | |
Chain: race condition (CWE-362) in anti-malware product allows deletion of files by creating a junction (CWE-1386) and using hard links during the time window in which a temporary file is created and deleted. | |
TOCTOU in sandbox process allows installation of untrusted browser add-ons by replacing a file after it has been verified, but before it is executed | |
Chain: chipset has a race condition (CWE-362) between when an interrupt handler detects an attempt to write-enable the BIOS (in violation of the lock bit), and when the handler resets the write-enable bit back to 0, allowing attackers to issue BIOS writes during the timing window [REF-1237]. | |
Race condition leading to a crash by calling a hook removal procedure while other activities are occurring at the same time. | |
chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks. | |
chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks. | |
Unsynchronized caching operation enables a race condition that causes messages to be sent to a deallocated object. | |
Race condition during initialization triggers a buffer overflow. | |
Daemon crash by quickly performing operations and undoing them, which eventually leads to an operation that does not acquire a lock. | |
chain: race condition triggers NULL pointer dereference | |
Race condition in library function could cause data to be sent to the wrong process. | |
Race condition in file parser leads to heap corruption. | |
chain: race condition allows attacker to access an object while it is still being initialized, causing software to access uninitialized memory. | |
chain: race condition for an argument value, possibly resulting in NULL dereference | |
chain: race condition might allow resource to be released before operating on it, leading to NULL dereference | |
Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415). |
Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Race conditions may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior.
Insert breakpoints or delays in between relevant code statements to artificially expand the race window so that it will be easier to detect.
According to SOAR, the following detection techniques may be useful:
According to SOAR, the following detection techniques may be useful:
According to SOAR, the following detection techniques may be useful:
According to SOAR, the following detection techniques may be useful:
According to SOAR, the following detection techniques may be useful:
According to SOAR, the following detection techniques may be useful:
CAPEC-ID | Attack Pattern Name |
---|---|
CAPEC-26 | Leveraging Race Conditions The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file. |
CAPEC-29 | Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly. |
Name | Organization | Date | Date Release | Version |
---|---|---|---|---|
PLOVER | Draft 3 |
Name | Organization | Date | Comment |
---|---|---|---|
Eric Dalci | Cigital | updated Time_of_Introduction | |
CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationships, Research_Gaps | |
CWE Content Team | MITRE | updated Demonstrative_Examples, Potential_Mitigations | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Detection_Factors, References, Relationships | |
CWE Content Team | MITRE | updated Common_Consequences, Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References | |
CWE Content Team | MITRE | updated Observed_Examples, Potential_Mitigations, Relationships | |
CWE Content Team | MITRE | updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations, Relationships | |
CWE Content Team | MITRE | updated Common_Consequences, Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Potential_Mitigations, References, Relationships | |
CWE Content Team | MITRE | updated Detection_Factors, Relationships | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Demonstrative_Examples, References, Research_Gaps, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, Relationships | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Demonstrative_Examples | |
CWE Content Team | MITRE | updated Observed_Examples, References | |
CWE Content Team | MITRE | updated Observed_Examples, Relationships | |
CWE Content Team | MITRE | updated Observed_Examples, Relationships | |
CWE Content Team | MITRE | updated Observed_Examples, References | |
CWE Content Team | MITRE | updated Applicable_Platforms, Common_Consequences, Description | |
CWE Content Team | MITRE | updated References, Relationships | |
CWE Content Team | MITRE | updated Mapping_Notes, Relationships | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Alternate_Terms, Common_Consequences, Description, Diagram, Modes_of_Introduction |