Lab 1 - TOCTOU

Introduction

The purpose of this assignment is to explore time of check to time of use (TOCTOU) vulnerabilities and the methods used to protect against them.

In this lab, you will write a Java application using a buggy API. After exploiting that application, you will suggest a fix.

Part 0: The scenario and base program

You have to write a frontend for a command line shopping cart. The application (called ShoppingCart.java) has to:

  1. print the current balance of the user
  2. print the product list and their prices
  3. ask which product to buy
  4. check if the amount of credits is enough, if not stop the execution.
  5. otherwise, withdraw the price of the product from the wallet.
  6. add the name of the product to the pocket file.
  7. print the new balance.
  8. exit normally.

This is an example:

$ java ShoppingCart
Your balance: 30000 credits
pen     40
car     30000
candies 1
book    100
What you want to buy?: <insert a product name, e.g. pen>
Your new balance is: 29960 credits

$ cat pocket.txt
book
pen

$ cat wallet.txt
29960

We provide the backend here (the API is documented in the source code), which includes:

Part 1: Exploit your program

The goal is to attack the program and exploit a race condition in this system. Can you get a car while paying less than its value? You are not allowed to modify the files pocket.txt or wallet.txt other than through the APIs.

Hint: you may artificially delay actions or set breakpoints to make the attack work reliably.

Part 2: Fix the API

The goal is to fix the API to avoid the vulnerability.
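
One shape such a fix can take, shown as an added example that is not the lab's backend code: the balance check and the withdrawal are performed as a single operation while an exclusive lock on the wallet file is held. The class LockedWallet and the method safeWithdraw are hypothetical names, and the wallet file is assumed to hold one integer on its first line, as in the wallet.txt output above.

```java
import java.io.IOException;
import java.io.RandomAccessFile;
import java.nio.channels.FileLock;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration; LockedWallet and safeWithdraw are hypothetical names.
public class LockedWallet {
    // FileLock is held per JVM, so threads in the same JVM need their own monitor.
    private static final Object JVM_LOCK = new Object();
    private final String path;

    public LockedWallet(String path) { this.path = path; }

    // Racy pattern this replaces (check and use are separate calls, so the
    // balance can change between them):
    //   if (getBalance() >= price) setBalance(getBalance() - price);

    // Check and update run under one exclusive lock on the wallet file, so no
    // cooperating process or thread can act on the balance in between.
    public boolean safeWithdraw(int price) throws IOException {
        if (price < 0) throw new IllegalArgumentException("negative price");
        synchronized (JVM_LOCK) {
            try (RandomAccessFile file = new RandomAccessFile(path, "rw");
                 FileLock lock = file.getChannel().lock()) { // blocks until exclusive
                String line = file.readLine();
                int balance = Integer.parseInt(line == null ? "0" : line.trim());
                if (balance < price) {
                    return false;                 // check fails, nothing is written
                }
                file.setLength(0);                // truncate; offset resets to 0
                file.writeBytes((balance - price) + "\n"); // use, under the same lock
                return true;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Path tmp = Files.createTempFile("wallet", ".txt");
        Files.write(tmp, "30000\n".getBytes());   // constructed sample balance
        LockedWallet wallet = new LockedWallet(tmp.toString());
        System.out.println("first purchase:  " + wallet.safeWithdraw(30000));
        System.out.println("second purchase: " + wallet.safeWithdraw(30000));
        System.out.println("balance left:    " + new String(Files.readAllBytes(tmp)).trim());
        Files.delete(tmp);
    }
}
```

File locks of this kind are advisory on many platforms: they only protect the balance if every code path that touches the wallet file goes through the locked operation.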

Report

Please submit a report that includes, in addition to your answers to the questions above:

Submissions with poor discussion of countermeasures will be rejected.