<P> In the case of the BSD 4.3 mail utility and mktemp(), the attacker can simply keep launching the mail utility in one process while, in another process, repeatedly guessing the temporary file names and creating symlinks. The attack can usually succeed in less than one minute. </P> <P> Techniques for single-stepping a victim program include file system mazes and algorithmic complexity attacks. In both cases, the attacker manipulates the OS state to control scheduling of the victim. </P> <P> File system mazes force the victim to read a directory entry that is not in the OS cache, and the OS puts the victim to sleep while it reads the directory from disk. Algorithmic complexity attacks force the victim to spend its entire scheduling quantum inside a single system call, traversing the kernel's hash table of cached file names. The attacker creates a very large number of files with names that hash to the same value as the file the victim will look up. </P> <P> Despite their conceptual simplicity, TOCTTOU race conditions are difficult to avoid and eliminate. One general technique is to use exception handling instead of checking, under the philosophy of EAFP ("It is easier to ask for forgiveness than permission") rather than LBYL ("look before you leap"): in this case there is no check, and a failure of the assumptions to hold is detected at use time, by an exception. </P>
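<P> The LBYL and EAFP styles described above, side by side, as an added example that is not part of the original page. The function names, file names and the <code>between_check_and_use</code> hook are constructed for illustration; the hook stands in for a second process changing the file system inside the race window, so the outcome is deterministic. </P>

```python
import os
import tempfile

def lbyl_create(path, data, between_check_and_use=lambda: None):
    """Check, then use: the gap between exists() and open() is the race window."""
    if os.path.exists(path):                 # time of check
        raise FileExistsError(path)
    between_check_and_use()                  # constructed hook: concurrent change lands here
    with open(path, "w") as f:               # time of use: follows a symlink planted in the gap
        f.write(data)

def eafp_create(path, data, between_check_and_use=lambda: None):
    """No separate check: 'must not already exist' is enforced by the open itself."""
    between_check_and_use()                  # same hook, to show timing no longer matters
    # O_CREAT|O_EXCL is atomic in the kernel and fails if the name exists,
    # including when the name is a symlink (dangling or not).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def demo():
    """Run both styles against the same constructed scenario and report what happened."""
    results = {}
    for name, create in (("lbyl", lbyl_create), ("eafp", eafp_create)):
        with tempfile.TemporaryDirectory() as d:
            protected = os.path.join(d, "protected.txt")   # file that must not be modified
            tmp = os.path.join(d, "predictable.tmp")       # guessable temporary file name
            with open(protected, "w") as f:
                f.write("original")
            plant = lambda: os.symlink(protected, tmp)     # constructed concurrent change
            try:
                create(tmp, "scratch data", plant)
                outcome = "wrote"
            except FileExistsError:                        # failure detected at use time
                outcome = "refused"
            with open(protected) as f:
                results[name] = (outcome, f.read())
    return results

if __name__ == "__main__":
    for style, (outcome, content) in demo().items():
        print(f"{style}: {outcome}, protected file now contains {content!r}")
```

<P> For temporary files specifically, <code>tempfile.mkstemp()</code> applies the same atomic-create approach and also picks an unpredictable name. </P>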

How to solve time-of-check and time of use toctou