{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,16]],"date-time":"2026-05-16T03:59:34Z","timestamp":1778903974087,"version":"3.51.4"},"reference-count":42,"publisher":"Association for Computing Machinery (ACM)","issue":"3","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Storage"],"published-print":{"date-parts":[[2008,11]]},"abstract":"<jats:p>The file-system API of contemporary systems makes programs vulnerable to TOCTTOU (time-of-check-to-time-of-use) race conditions. Existing solutions either help users to detect these problems (by pinpointing their locations in the code), or prevent the problem altogether (by modifying the kernel or its API). But the latter alternative is not prevalent, and the former is just the first step: Programmers must still address TOCTTOU flaws within the limits of the existing API with which several important tasks cannot be accomplished in a portable straightforward manner. Recently, Dean and Hu [2004] addressed this problem and suggested a probabilistic hardness amplification approach that alleviated the matter. Alas, shortly after, Borisov et al. [2005] responded with an attack termed \u201cfilesystem maze\u201d that defeated the new approach.<\/jats:p>\n          <jats:p>We begin by noting that mazes constitute a generic way to deterministically win many TOCTTOU races (gone are the days when the probability was small). In the face of this threat, we: (1) develop a new user-level defense that can withstand mazes; and (2) show that our method is undefeated even by much stronger hypothetical attacks that provide the adversary program with ideal conditions to win the race (enjoying complete and instantaneous knowledge about the defending program's actions and being able to perfectly synchronize accordingly). 
The fact that our approach is immune to these unrealistic attacks suggests it can be used as a simple and portable solution to a large class of TOCTTOU vulnerabilities, without requiring modifications to the underlying operating system.<\/jats:p>","DOI":"10.1145\/1416944.1416948","type":"journal-article","created":{"date-parts":[[2008,12,4]],"date-time":"2008-12-04T17:19:26Z","timestamp":1228411166000},"page":"1-30","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":12,"title":["Portably solving file races with hardness amplification"],"prefix":"10.1145","volume":"4","author":[{"given":"Dan","family":"Tsafrir","sequence":"first","affiliation":[{"name":"IBM T.J. Watson Research Center, Yorktown Heights, NY"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Tomer","family":"Hertz","sequence":"additional","affiliation":[{"name":"Microsoft Research, Redmond, WA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"David","family":"Wagner","sequence":"additional","affiliation":[{"name":"University of California, Berkeley, CA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dilma Da","family":"Silva","sequence":"additional","affiliation":[{"name":"IBM T.J. Watson Research Center, Yorktown Heights, NY"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2008,11,24]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISSRE.2006.32"},{"key":"e_1_2_1_2_1","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy (S&P), 143--159","author":"Ashcraft K."},{"key":"e_1_2_1_4_1","first-page":"2","article-title":"Checking for race conditions in file accesses","volume":"9","author":"Bishop M.","year":"1996","journal-title":"Comput. 
Syst."},{"key":"e_1_2_1_5_1","volume-title":"Proceedings of the 14th USENIX Security Symposium, 303--314","author":"Borisov N."},{"key":"e_1_2_1_6_1","unstructured":"Boulet D. 2002. UNIX domain sockets. http:\/\/everything2.com\/index.pl?node_id=955968. (Accessed Sept. 2007)."},{"key":"e_1_2_1_7_1","unstructured":"CERT Coordination Center. 1993. CERT advisory CA-1993-17 xterm logging vulnerability. URL http:\/\/www.cert.org\/advisories\/CA-1993-17.html. (Accessed Jun. 2007)."},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/586110.586142"},{"key":"e_1_2_1_9_1","volume-title":"Proceedings of the 11th USENIX Security Symposium, 171--190","author":"Chen H."},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.5555\/829514.830534"},{"key":"e_1_2_1_11_1","volume-title":"Proceedings of the 10th USENIX Security Symposium, 165--172","author":"Cowan C."},{"key":"e_1_2_1_12_1","volume-title":"Proceedings of the 13th USENIX Security Symposium, 195--206","author":"Dean D."},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/945445.945468"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/502034.502041"},{"key":"e_1_2_1_15_1","volume-title":"Proceedings of the 4th USENIX Symposium on Operating Systems Design and Implementation (OSDI), 1--16","author":"Engler D."},{"key":"e_1_2_1_16_1","volume-title":"3rd International Workshop on Cryptology and Network Security (CANS).","author":"Goyal B."},{"key":"e_1_2_1_17_1","unstructured":"Hu A. J. 2005. On-Line publication list. http:\/\/www.cs.ubc.ca\/spider\/ajh\/pub-list.html. (Accessed Jan. 2008)."},
{"key":"e_1_2_1_18_1","unstructured":"Josey A. 2006. The open group new API set proposals. http:\/\/www.opengroup.org\/austin\/plato\/uploads\/40\/9756\/NAPI_overview.txt. (Accessed Dec. 2007)."},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/1095810.1095820"},{"key":"e_1_2_1_20_1","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy (S&P), 177--187","author":"Ko C."},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-004-0068-2"},{"key":"e_1_2_1_22_1","unstructured":"Man access(2). 2001. The FreeBSD system calls manual. http:\/\/www.freebsd.org\/cgi\/man.cgi?query=access. (Accessed Jan. 2008)."},{"key":"e_1_2_1_23_1","unstructured":"Man openat(2). 2006. Linux programmer's manual. http:\/\/www.kernel.org\/doc\/man-pages\/online\/pages\/man2\/openat.2.html. (Accessed Jan. 2008)."},{"key":"e_1_2_1_24_1","volume-title":"Proceedings of the 6th IEEE Workshop on Hot Topics in Operating Systems (HOTOS), 56--61","author":"Mazi\u00e9res D."},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1147\/sj.133.0230"},{"key":"e_1_2_1_26_1","unstructured":"NVD. 2008. National vulnerability database. http:\/\/nvd.nist.gov\/. (Accessed Jan. 2008)."},
{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-30541-5_68"},{"key":"e_1_2_1_28_1","volume-title":"Proceedings of the 1st IEEE International Symposium on Secure Software Engineering (ISSSE).","author":"Pu C."},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/121132.121171"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2005.39"},{"key":"e_1_2_1_31_1","unstructured":"Sirainen T. 2002--2004. fdpass.c\u2014File descriptor passing between processes via UNIX sockets. http:\/\/code.softwarefreedom.org\/projects\/backports\/browser\/external\/standalone\/dovecot\/current\/src\/lib\/fdpass.c. (Accessed Dec. 2007)."},{"key":"e_1_2_1_32_1","unstructured":"Stevens W. R. and Fenner B. 2003. UNIX Network Programming Volume 1: The Sockets Networking API 3rd ed. Addison Wesley Section 15.7."},{"key":"e_1_2_1_33_1","doi-asserted-by":"crossref","unstructured":"Stevens W. R. Thomas M. Nordmark E. and Jinmei T. 2003. RFC 3542\u2014Advanced sockets application program interface (API) for IPv6. http:\/\/www.faqs.org\/rfcs\/rfc3542.html. (Accessed Dec. 2007).","DOI":"10.17487\/rfc3542"},{"key":"e_1_2_1_34_1","first-page":"3","article-title":"The murky issue of changing process identity: Revising \u201csetuid demystified\u201d","volume":"33","author":"Tsafrir D.","year":"2008","journal-title":"USENIX ;login"},
{"key":"e_1_2_1_36_1","volume-title":"Proceedings of the 12th USENIX Security Symposium, 243--256","author":"Tsyrklevich E."},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/1066677.1066758"},{"key":"e_1_2_1_38_1","unstructured":"US-CERT. 2005. United States computer emergency readiness team: Vulnerability notes database. http:\/\/www.kb.cert.org\/vuls. (Accessed Jan. 2008)."},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.5555\/784591.784731"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2007.67"},{"key":"e_1_2_1_41_1","volume-title":"Proceedings of the 4th USENIX Conference on File and Storage Technologies (FAST), 155--167","author":"Wei J."},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/1242520.1242521"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/SFCS.1982.95"},{"key":"e_1_2_1_44_1","unstructured":"Zeilenga K. Chu H. and Masarati P. 2000--2007. libraries\/libutil\/getpeereuid.c. OpenLDAP source code. http:\/\/www.openldap.org\/devel\/cvsweb.cgi. (Accessed Dec. 2007)."}],
"container-title":["ACM Transactions on Storage"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1416944.1416948","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,12,29]],"date-time":"2022-12-29T07:52:29Z","timestamp":1672300349000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1416944.1416948"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2008,11]]},"references-count":42,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2008,11]]}},"alternative-id":["10.1145\/1416944.1416948"],"URL":"https:\/\/doi.org\/10.1145\/1416944.1416948","relation":{},"ISSN":["1553-3077","1553-3093"],"issn-type":[{"value":"1553-3077","type":"print"},{"value":"1553-3093","type":"electronic"}],"subject":[],"published":{"date-parts":[[2008,11]]},"assertion":[{"value":"2008-02-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2008-08-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2008-11-24","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}