11:19:10 CACHE.BMP -> read completed!
11:19:10 TOCTTOU.BMP (490734b) [/TOCTTOU]
11:19:10 TOCTTOU.BMP -> read completed!
11:19:56 TELNETD (1745016b) [/TOCTTOU]
11:19:56 TELNETD -> read completed!
11:19:56 TOCTTOU.SO (4608b) [/TOCTTOU]
11:19:56 TOCTTOU.SO -> read completed!
In this case, the g_file_storage.ko module running on the Gumstix board plugged into the
Samsung TV included two applications in directories of their own: TOCTTOU and CACHE.
For each application, the TV requests the clmeta.dat file (at the 11:18:56 mark). The user is
then presented with the categories of applications that are available to be installed. Let’s
assume the TOCTTOU application is of type Wellness and the user selects this using the TV
remote. At this time, the entire contents of the TOCCTOU directory are copied to the TV’s
internal storage, including the bitmap image, the telnetd binary executable, and the TOCT-
TOU.SO executable. Note that applications of the Game category will not be installed by the
TV since externally coded shared library code is prohibited.
Notice that the clmeta.dat file is only read once (11:18:56). When the user installs the
TOCTTOU application, the TV does not reread the clmeta.dat file. This is because the TV runs
Linux, which includes the functionality of a block cache. File read operations can slow things
down, and the block cache functionality speeds things up by storing recently accessed file
operations into the TV’s RAM, which is faster to read than a filesystem.
The idea behind the TOCTTOU attack is to initially provide the TV with an application
directory in which the corresponding clmeta.dat is of the Wellness category. Once the TV veri-
fies this, the user is able to select the application, and the TV will copy the entire contents of
the application directory into its local storage and execute it. The TOCTTOU attack changes
the clmeta.dat category to Games after the initial verification, allowing for shared library code
to be installed. In order to do this, Mulliner and Michéle further extended the functionality of
g_file_storage.ko to be able to track how many times a file (the trigger file) has been requested
for read. Furthermore, g_file_storage.ko was extended to switch to another image once the read
count for the trigger file had reached a certain value (the trigger count).
The researchers created two filesystem images for the attack. The first image, called B (for
Benign), includes two applications, TOCTTOU and Cache. Each of these applications contains
a clmeta.dat file with a category of Wellness and corresponding files for icons and executables.
The TOCTTOU application includes the telnetd executable. The second image, called M (for
Modified), includes the exact same files, but with the clmeta.dat file in the TOCCTOU direc-
tory modified to the Game category.
The researchers then used their modified g_file_storage.ko code to attach to the TV as a
USB stick and serve the B image. When the TV reads the clmeta.dat file in the directory of the
Cache application, g_file_storage.ko switches to the M image in the background. Now, when
the user elects to install the TOCCTOU application, the files from image M are served to the
THE TOCTTOU ATTACK 127