Your Authorization Is Lying to You (TOCTOU Explained)
TOCTOU: When Authorization Happens at the Wrong Time

You wrote the perfect authorization logic. It passed code review. It passed QA. It passed your security checklist. And it's still insecure.

Because authorization isn't just what you check. It's when you check it.

---

The Scenario

- At T1, the user is an admin.
- At T2, the admin role is removed.
- At T3, an export job executes.

Most people expect the export to fail. Many systems let it succeed. Why? Because authorization only happened at T1.

This is **Time-of-Check vs Time-of-Use**: TOCTOU. It is one of the most common authorization failures in distributed systems.

---

The Hidden Assumption

Authorization is checked in middleware. That part is correct. But once a job is enqueued, execution happens later:

- five seconds later
- thirty seconds later
- five minutes later

The system assumes the world did not change in between. In production, the world always changes:

- users are removed from organizations
- plans are downgraded
- MFA expires
- resource ownership changes
- accounts get suspended

None of this reaches the worker. The worker trusts a decision made in the past. Authorization becomes historical, not current.

---

Why Common Fixes Don't Work

- Checking again in middleware does not solve this: the middleware still runs before the job is queued, so its second answer is just as stale by T3.
- Caching less does not solve this: the staleness lives in the queued decision, not in a cache.
- JWTs do not solve this. JWTs often make it worse.

JWTs freeze authorization in time. The token says "admin." The role is later revoked. The token still says "admin" until it expires, and the system trusts stale data.

---

Control Plane vs Data Plane

The authorization decision happens in the **control plane**. Execution happens in the **data plane**. The gap between them is where security bugs live.

---

The Three Real Solutions

These are not patches. They are architectural decisions.

1. Re-Validate at Execution Time

- Past decisions are not trusted.
- Policy is evaluated using fresh data.
- The check runs right before execution.

Strong correctness, but it requires identity propagation and cross-service consistency, and it adds latency.

2. Atomic Authorization

- Authorization and execution live in the same transaction.
- If state changes mid-flight, the transaction fails.

This only works:

- without queues
- without async workers
- within a single database boundary

Most SaaS systems are not built this way.

3. Capability-Based Model

Instead of rechecking roles later, mint a capability. It explicitly states:

- what action is allowed
- on which resource
- until what time

The worker validates the signature. Roles are no longer relevant. This is how presigned URLs, ephemeral keys and signed uploads actually work.

Authorization becomes: explicit, scoped, short-lived, immutable.

One caveat: a capability minted at T1 stays valid until its expiry even if the role is revoked at T2. The lifetime has to be short enough that this window is acceptable, which is why "short-lived" is not optional here.

---

0:00 Perfect Logic, Still Insecure
0:14 The Timeline Attack (T1 / T2 / T3)
0:54 Why Middleware Checks Are Not Enough
1:38 What Actually Changes in Production
1:58 Why Common Fixes Don't Work
2:38 Control Plane vs Data Plane
2:51 There Are Three Real Solutions
2:58 Solution #1: Re-validate at Execution Time
3:20 Solution #2: Atomic Authorization
3:40 Solution #3: Capability-Based Authorization
4:12 Closing
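The T1 / T2 / T3 scenario, together with Solution #1 (re-validate at execution time) and Solution #2 (atomic authorization), as an added example that is not the video's own code. The membership table, the in-process queue and the "export" action are constructed stand-ins for a real SaaS control plane; the atomic variant only works here because the policy data and the executed action live in the same SQLite database, exactly the single-database-boundary condition the text names.

```python
"""TOCTOU in a job queue: authorization decided at enqueue time (T1), used at T3.

Added example. The schema, the queue and the 'export' action are constructed
for illustration and stand in for a real control plane / worker split.
"""
import sqlite3
from collections import deque


def make_db() -> sqlite3.Connection:
    """Constructed control-plane state: alice is an admin of acme at T1."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE memberships (user_id TEXT, org_id TEXT, role TEXT)")
    db.execute("CREATE TABLE exports (org_id TEXT, requested_by TEXT)")
    db.execute("INSERT INTO memberships VALUES ('alice', 'acme', 'admin')")
    db.commit()
    return db


def is_admin(db: sqlite3.Connection, user_id: str, org_id: str) -> bool:
    """Fresh policy evaluation against the current membership table."""
    row = db.execute(
        "SELECT 1 FROM memberships WHERE user_id=? AND org_id=? AND role='admin'",
        (user_id, org_id),
    ).fetchone()
    return row is not None


def enqueue_export(db, queue, user_id: str, org_id: str) -> None:
    """Middleware at T1: check, then enqueue. The job carries the T1 verdict with it."""
    if not is_admin(db, user_id, org_id):
        raise PermissionError("not an admin")
    queue.append({"user_id": user_id, "org_id": org_id, "authorized": True})


def revoke_admin(db, user_id: str, org_id: str) -> None:
    """T2: the role disappears while the job is still waiting in the queue."""
    db.execute("DELETE FROM memberships WHERE user_id=? AND org_id=?", (user_id, org_id))
    db.commit()


def vulnerable_worker(db, queue) -> bool:
    """T3 as many systems do it: trust the flag set at T1. Returns True if the export ran."""
    job = queue.popleft()
    if job["authorized"]:  # historical decision, never re-checked
        db.execute("INSERT INTO exports VALUES (?, ?)", (job["org_id"], job["user_id"]))
        db.commit()
        return True
    return False


def revalidating_worker(db, queue) -> bool:
    """Solution 1: ignore the stale flag and evaluate policy right before executing."""
    job = queue.popleft()
    if not is_admin(db, job["user_id"], job["org_id"]):
        return False  # authorization is current, not historical
    db.execute("INSERT INTO exports VALUES (?, ?)", (job["org_id"], job["user_id"]))
    db.commit()
    return True


def atomic_worker(db, queue) -> bool:
    """Solution 2: check and execute in one statement inside one transaction.

    The INSERT only produces a row if the admin membership exists when the
    statement runs, so nothing can slip between check and use. This is only
    possible because memberships and exports live in the same database.
    """
    job = queue.popleft()
    with db:  # single transaction: committed on success, rolled back on error
        cur = db.execute(
            "INSERT INTO exports (org_id, requested_by) "
            "SELECT ?, ? WHERE EXISTS ("
            "  SELECT 1 FROM memberships WHERE user_id=? AND org_id=? AND role='admin')",
            (job["org_id"], job["user_id"], job["user_id"], job["org_id"]),
        )
        return cur.rowcount == 1


def run_scenario(worker, revoke: bool = True) -> bool:
    """T1 enqueue as admin, optionally T2 revoke, then T3 execute with the given worker."""
    db, queue = make_db(), deque()
    enqueue_export(db, queue, "alice", "acme")  # T1
    if revoke:
        revoke_admin(db, "alice", "acme")       # T2
    return worker(db, queue)                    # T3


if __name__ == "__main__":
    print("vulnerable   :", run_scenario(vulnerable_worker))    # True: export ran after revocation
    print("revalidating :", run_scenario(revalidating_worker))  # False
    print("atomic       :", run_scenario(atomic_worker))        # False
```

Only the vulnerable worker exports after the revocation at T2. The re-validating worker pays one extra query per job (the latency cost the text mentions); the atomic worker pays nothing extra but cannot be moved to a separate service or a separate database without losing the guarantee.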
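Solution #3 (capability-based authorization), as an added example that is not the video's own code: the control plane mints a signed capability stating action, resource and expiry; the worker verifies the signature and expiry and never consults roles. The HMAC key, the `org/acme` resource name and the `export` action are constructed for illustration; a production system would hold the key in a KMS or use asymmetric signatures so the minting service and the worker are not the same trust domain.

```python
"""Capability tokens: explicit, scoped, short-lived, immutable.

Added example. The shared key, action and resource names are constructed
placeholders, not anything from the video.
"""
import base64
import hashlib
import hmac
import json

# Assumption for the demo: one symmetric key shared by minter and worker.
SECRET = b"constructed-demo-key-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode_claims(claims: dict) -> bytes:
    # Canonical JSON so the same claims always produce the same bytes to sign.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def mint_capability(action: str, resource: str, ttl_seconds: int, now: float) -> str:
    """Control plane, after a fresh role check (not shown): state exactly what is allowed."""
    claims = {"action": action, "resource": resource, "exp": int(now) + ttl_seconds}
    payload = _encode_claims(claims)
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_capability(token: str, action: str, resource: str, now: float) -> bool:
    """Data plane: signature, expiry and exact action/resource match. No role lookup at all."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return False  # malformed token
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return False  # expired: the only revocation mechanism a capability has
    return claims["action"] == action and claims["resource"] == resource


def tamper(token: str, **changes) -> str:
    """Attacker-side helper: rewrite claims but keep the old signature."""
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims.update(changes)
    return _b64(_encode_claims(claims)) + "." + tag_b64


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    cap = mint_capability("export", "org/acme", ttl_seconds=60, now=t0)
    print(verify_capability(cap, "export", "org/acme", now=t0 + 5))    # True
    print(verify_capability(cap, "export", "org/acme", now=t0 + 61))   # False: expired
    print(verify_capability(cap, "delete", "org/acme", now=t0 + 5))    # False: wrong action
    print(verify_capability(cap, "export", "org/evil", now=t0 + 5))    # False: wrong resource
    print(verify_capability(tamper(cap, exp=t0 + 10**6), "export", "org/acme", now=t0 + 5))  # False: bad signature
```

The worker here knows nothing about users or roles; it only needs the key and the clock. That is the trade: the capability remains valid until `exp` even if the role is revoked in the meantime, so `ttl_seconds` bounds the TOCTOU window rather than eliminating it, and should be as short as the job's realistic queue delay allows.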