***
< [Home](https://github.com/SeanOhAileasa) | [README](https://github.com/SeanOhAileasa/syp-attacks-threats-and-vulnerabilities/blob/main/README.md) >

## CompTIA Security+ - Course Material 2022
###### Topic: ``Race Conditions``
***

Course material for the ``CompTIA Security+`` module of the ``ICT Associate Apprenticeship (Cybersecurity)`` programme.

<a id="top"></a>
***
## Table of Contents
***

### [Race Conditions](#a) <br/><br/>

- [TOCTOU Attack](#b) <br/><br/>
    - [Race Condition](#c) <br/><br/>
- [January 2004](#d) <br/><br/>
    - [Mars Rover](#d) <br/><br/>
        - [``Spirit``](#d) <br/><br/>
- [2003 GE Energy Management System](#e) <br/><br/>
    - [US Northeast Blackout](#e) <br/><br/>
- [1980s - Radiation Therapy Machine](#f) <br/><br/>
    - [Therac-25](#f) 
<hr width=50%;>

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="a"></a>
***
### Race Conditions
***

In modern computing environments, many different things happen at the same time, and developers have to be aware of exactly what might happen and when.

Problems can occur when multiple things happen simultaneously and the software does not expect them to - this is called a race condition.

If you haven’t written your software to plan for these types of situations, the results can be disastrous.

< [Table of Contents](#top) | [References](#references) >
<a id="b"></a>
***
###### TOCTOU Attack
***

Attackers can take advantage of this using something called a ``Time-Of-Check`` to ``Time-Of-Use`` attack - ``TOCTOU`` - in this type of attack, the software checks something on the system and then makes changes based on that check, while other changes may be occurring behind the scenes at the same time, so what was checked may no longer be true when it is used.

< [Table of Contents](#top) | [References](#references) >
<a id="c"></a>
***
###### Race Condition
***

In this race condition example, we’re going to take money from one account and transfer it to another account. There are two starting accounts – account A and account B - and both start with USD100. There are also two users, ``User 1`` and ``User 2``, who will both be performing these transactions at close to the same time.

![image.png](attachment:image.png)

Start with ``User 1``, who performs a check balance to see the current balance of both accounts: account A and account B both have USD100. After that, ``User 2`` also performs a check balance and also sees that account A has USD100 and account B has USD100.

![image.png](attachment:image.png)

``User 1`` adds USD50 to account B, which means that account A remains at USD100 and account B increases to USD150.

![image.png](attachment:image.png)

``User 2`` performs exactly the same function and adds USD50 to account B - account A, of course, still has USD100, and account B has increased by another USD50 to USD200.

![image.png](attachment:image.png)

Since this is a transfer of USD50 and we’ve added the USD50 to account B, we need to remove the USD50 from account A - removing it from the USD100 balance takes account A’s balance down to USD50.

![image.png](attachment:image.png)

Notice that account B is at USD200 because of the additional USD50 that was added by ``User 2`` - ``User 2`` now performs the same USD50 removal from account A.

``User 2`` performed a check balance earlier and saw that account A had USD100, and it has not performed another check balance since, so it doesn’t know that USD50 has already been removed from account A. It still thinks that account A has USD100, so it removes USD50, and that takes the balance down to USD50.

![image.png](attachment:image.png)

The transfer is complete on both sides. Both sides were going to transfer USD50 from account A to account B, but the ending value has account A at USD50 and account B at USD200. This is a very simple example of a race condition, but you can see that the results of this race condition are very significant.

It’s important that developers take into account every possible scenario and when those scenarios might occur.

![image.png](attachment:image.png)
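
The interleaving walked through above, and the check-then-use gap behind ``TOCTOU``, as an added Python example (not part of the original course material). The ``run_transfers`` function, the lock, and the barrier that forces both users to check before either one writes are assumptions made for the demonstration:

```python
import threading

def run_transfers(atomic: bool) -> dict:
    """Two users each transfer USD50 from account A to account B."""
    accounts = {"A": 100, "B": 100}
    lock = threading.Lock()
    # Constructed for the demo: makes both users finish their balance check
    # before either one writes, reproducing the interleaving described above.
    both_checked = threading.Barrier(2)

    def racy_transfer(amount: int) -> None:
        seen_a = accounts["A"]               # time of check
        both_checked.wait()                  # the other user checks here too
        with lock:
            accounts["B"] += amount          # credit account B
        with lock:
            accounts["A"] = seen_a - amount  # time of use: stale balance

    def safe_transfer(amount: int) -> None:
        with lock:                           # check and use in one atomic step
            if accounts["A"] < amount:
                raise ValueError("insufficient funds")
            accounts["A"] -= amount
            accounts["B"] += amount

    worker = safe_transfer if atomic else racy_transfer
    users = [threading.Thread(target=worker, args=(50,)) for _ in range(2)]
    for user in users:
        user.start()
    for user in users:
        user.join()
    return accounts

if __name__ == "__main__":
    print("racy:", run_transfers(atomic=False))
    print("safe:", run_transfers(atomic=True))
```

In the racy run the two accounts end up holding USD250 between them even though only USD200 ever existed; holding the lock across both the check and the update keeps the total at USD200.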

< [Table of Contents](#top) | [References](#references) >
<a id="d"></a>
***
###### January 2004 - Mars Rover - Spirit
***

An example of a race condition that occurred in space was in January of 2004 in the Mars rover [ [``Spirit``](http://www.spaceref.com/news/viewsr.html?pid=23772) ]. 

The Spirit rover is designed to reboot its operating system whenever it runs into a problem that it can’t resolve. It found a problem with the file system and rebooted itself because of that, but during the boot process it found that the file system was corrupted, so it rebooted itself again. Because of this race condition, the rover found itself in a reboot loop.

They ultimately told the rover to reboot into a limited safe mode so that they could repair the file system, reboot the system, and get back up and running.

< [Table of Contents](#top) | [References](#references) >
<a id="e"></a>
***
###### 2003 GE Energy Management System - US Northeast Blackout
***

Another race condition occurred in 2003 in the GE Energy Management System that was used to monitor electrical lines.

Three power lines failed at the same time but, due to a race condition, only a limited number of alerts were shown to technicians - this quickly got out of hand and caused the [ [Northeast Blackout](https://owlcation.com/humanities/The-Great-Northeast-Blackout-of-2003) ] of 2003.

It took a week or two for power to be restored and it affected 10 million people in Ontario and 45 million people in the Northeast United States.

< [Table of Contents](#top) | [References](#references) >
<a id="f"></a>
***
###### 1980s - Radiation Therapy Machine - [ [Therac-25](https://www.bugsnag.com/blog/bug-day-race-condition-therac-25) ]
***

A deadly race condition occurred in the 1980s with a radiation therapy machine that used software as a security mechanism. If operators changed the software settings too quickly, the software interlocks failed, and the resulting race condition delivered 100 times the normal dose of radiation - this resulted in six patients being injured and three patients dying.

< [Table of Contents](#top) | [References](#references) >
<a id="g"></a>
***
###### Summary
***

You can see how these race conditions can be caused by many different things, so it’s important that developers always consider every possible scenario and plan for it in their software.

***
## END

< [Table of Contents](#top) >
<a id="references"></a>
***
## References
***

J. "Professor" Messer, "CompTIA Security+ (SY0-601) Course Notes," [professormesser.com](https://web.archive.org/web/20220521181010/https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/sy0-601-comptia-security-plus-course/), September 2021.

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="appendix"></a>
***
## Appendix
***

***
## END
