TV. The problem is then that even though the malicious image M contains the clmeta.dat file
with category of Game, it is not reread by the TV upon installation because it is in the TV’s
memory, thanks to its block caching functionality. The researchers got around this by making
the size of the clmeta.dat file in the Cache application greater than 260 MB (by padding it
with extra spaces). This exhausts the RAM allocated to block caches and makes the TV reread
clmeta.dat, which is now of category Game.
This attack succeeds because the TV only checks the category of the clmeta.dat file initially
and not when it is reread (hence the name Time-of-Check-to-Time-of-Use). Here is the
output of g_file_storage.ko as this attack is played out:
1 TOCTTOU (DIR)
2 CLMETA.DAT (471b) [/TOCTTOU]
3 CLMETA.DAT -> read completed!
4 CACHE (DIR)
5 CLMETA.DAT (272630223b) [/CACHE]
6 CLMETA.DAT -> read completed! [device switched!]
7 CACHE.BMP (843758b) [/CACHE]
8 CACHE.BMP -> read completed!
9 TOCTTOU (DIR)
10 TOCTTOU.BMP (490734b) [/TOCTTOU]
11 TOCTTOU.BMP -> read completed!
12 TELNETD (1745016b) [/TOCTTOU]
13 TELNETD -> read completed!
14 TOCTTOU.SO (4608b) [/TOCTTOU]
15 TOCTTOU.SO -> read completed!
16 CLMETA.DAT (471b) [/TOCTTOU]
17 CLMETA.DAT -> read completed!
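Before walking through this log, here is a scaled-down model of the flaw it records, written for this edit and not taken from the book or the researchers: a bounded block cache in front of a device that can swap images, an enumeration-time category check, and the installer in its vulnerable and corrected forms. The cache size, file contents and the clmeta.dat format (category text only) are constructed.

```python
# Added example (not the book's or the researchers' code): a scaled-down model of the
# check-then-reread flaw above; sizes and the clmeta.dat format are constructed.
CACHE_LIMIT = 4096  # stands in for the ~260 MB block-cache budget described in the text

class SwitchableDevice:
    """Serves files from image B, then from image M once switch() is called."""
    def __init__(self, image_b, image_m):
        self.images, self.current = {"B": image_b, "M": image_m}, "B"
    def switch(self):
        self.current = "M"
    def read(self, path):
        return self.images[self.current][path]

class BlockCache:
    """Bounded read cache; an overflow evicts everything, modelling RAM exhaustion."""
    def __init__(self, device, limit=CACHE_LIMIT):
        self.device, self.limit, self.entries, self.used = device, limit, {}, 0
    def read(self, path):
        if path in self.entries:
            return self.entries[path]  # served from memory; the device is not consulted
        data = self.device.read(path)
        if self.used + len(data) > self.limit:
            self.entries.clear(); self.used = 0  # exhausted: later reads hit the device
        else:
            self.entries[path] = data; self.used += len(data)
        return data

def enumerate_apps(cache, apps):
    """Time of check: the TV refuses the listing if any app is categorized Game."""
    return all(cache.read(f"/{a}/clmeta.dat").decode().strip() != "Game" for a in apps)

def install_vulnerable(cache, app):
    # Time of use: trusts the earlier check and installs whatever it reads now.
    return ("installed", cache.read(f"/{app}/clmeta.dat").decode().strip())

def install_fixed(cache, app):
    """Validates the very bytes being installed, so check and use cannot diverge."""
    cat = cache.read(f"/{app}/clmeta.dat").decode().strip()
    return ("rejected" if cat == "Game" else "installed", cat)

def run_scenario(installer, oversized=True):
    pad = b" " * (CACHE_LIMIT + 1 if oversized else 0)  # padding that evicts the cache
    image_b = {"/TOCTTOU/clmeta.dat": b"Widget", "/CACHE/clmeta.dat": b"Widget" + pad}
    image_m = {"/TOCTTOU/clmeta.dat": b"Game", "/CACHE/clmeta.dat": b"Widget"}
    cache = BlockCache(SwitchableDevice(image_b, image_m))
    if not enumerate_apps(cache, ["TOCTTOU", "CACHE"]):
        return ("rejected", "at-enumeration")
    cache.device.switch()  # the served contents change between the check and the install
    return installer(cache, "TOCTTOU")
```

Without the oversized file the cached copy answers the second read and the image switch has no effect, which is why the padding matters in the log below; with it, only the installer that re-validates the bytes it copies refuses the Game-categorized application.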
When the Gumstix board is first plugged into the TV, g_file_storage.ko serves up files from
image “B.” The TV reads the clmeta.dat files and makes sure they are not categorized as
Game. Notice that the Cache application’s clmeta.dat file is about 270 MB, which fills up the
cache memory allocation in the TV. This will make the TV reread previously cached files from
the Gumstix board. At this point, the g_file_storage.ko utility switches to image M (signified by
device switched! in line 6). The TV is satisfied that none of the applications is of type Game
and allows the user to pick an application to install. The user selects the TOCTTOU application,
and the TV copies all files in the TOCTTOU directory to its local storage, including an
additional binary for the Telnet service (telnetd).
Notice that the TV rereads the clmeta.dat file in step 16, which is served from image M
and is categorized as Game. Since the TV doesn’t double-check the categorization upon
rereading the file, the application is copied onto local storage and executed by exeDSP with
root privileges. In this way, the researchers were able to trick the TV into running a
shared library application with the highest privileges. In this case, they used the Game_Main
function in tocttou.so to invoke the telnetd binary. Assuming this binary is modified not to ask
128 CHAPTER 5: THE IDIOT BOX—ATTACKING “SMART” TELEVISIONS