Testing Techniques to Find the Sin

Race conditions can be difficult to find through testing, but there are some techniques to find the sin. One of the easiest is to run your test passes on a fast, multiprocessor system. If you start seeing crashes that you cant reproduce on a single-processor system, then youve almost certainly uncovered a race condition.

To find signal-handling problems, create an application to send signals closely together to the suspect application, and see if crashes can be made to occur. Do note that a single test for a race condition wont be sufficientthe problem may only show up infrequently.

In order to find temp file races, enable logging on your file system, or instrument the application to log system calls. Look closely at any file creation activity, and ask whether predictably named files are created in public directories. If you can, enable logging that will let you determine that the O_EXCL option is being correctly used when files are created in shared directories. Areas of special interest are when a file is originally created with improper permissions and subsequently tightened. The window of opportunity between the two calls can allow an attacker to exploit the program. Likewise, any reduction of privileges needed to access the file is suspect. If the attacker can cause the program to operate on a link instead of the intended file, something that should have been restricted could become accessible.