Page 657 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
latest version of any software installed, and be aware of any known
security vulnerabilities. Because each security model, and each
security policy, is different, you must ensure that the software you
execute does not exceed the authority you allow. Writing secure code
is difficult, but it’s certainly possible. Make sure all programs you use
are designed to address security concerns. Please see Chapter 15 for
more information on code review and testing.
Timing, State Changes, and Communication Disconnects
Computer systems perform tasks with rigid precision. Computers excel
at repeatable tasks. Attackers can develop attacks based on the
predictability of task execution. The common sequence of events for
an algorithm is to check that a resource is available and then access it
if you are permitted. The time of check (TOC) is the time at which the
subject checks on the status of the object. There may be several
decisions to make before returning to the object to access it. When the
decision is made to access the object, the procedure accesses it at the
time of use (TOU). The interval between the TOC and the TOU is
sometimes large enough for an attacker to replace the original object
with another object that suits their own needs. Time of check to time
of use (TOCTOU) attacks are a form of race condition: the attacker is
racing the legitimate process to replace the object after it has been
checked but before it is used.
A classic example of a TOCTOU attack is replacing a data file after its
identity has been verified but before its data is read. By replacing one
authentic data file with another file of the attacker's choosing and
design, an attacker can potentially direct the actions of a program in
many ways. Of course, the attacker would need in-depth knowledge of the
program and system under attack.
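The file-replacement race described above, as an added example that is not code from the study guide. It assumes a POSIX filesystem (symlinks, `O_NOFOLLOW`, `fstat`); the attacker is simulated by a hook that runs in the window between the check and the use. The vulnerable routine checks the path name and then re-resolves the same name to open it, so a symlink swapped in during the window redirects the read. The hardened routine opens first, refusing to follow symlinks, and performs its check on the descriptor it actually holds, so the name can change all it likes afterwards. The function and file names are the example's own.

```python
"""TOCTOU on a file: check-then-open versus open-then-verify.

Added example, not from the study guide. Assumes POSIX semantics
(symlinks, O_NOFOLLOW, fstat). The race is simulated by `race_hook`,
which stands in for an attacker winning the window between TOC and TOU.
"""
import os
import stat
import tempfile


def read_trusted_file_vulnerable(path, race_hook=None):
    """TOC: lstat the *name* and require a regular, non-symlink file.
    TOU: open the *name* again. The name is re-resolved, so whatever the
    attacker has put there in between is what gets read."""
    st = os.lstat(path)                      # time of check
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("not a regular file")
    if race_hook:
        race_hook()                          # attacker wins the race here
    with open(path, "rb") as f:              # time of use: resolves the name anew
        return f.read()


def read_trusted_file_safe(path, race_hook=None):
    """Open first, refusing to follow a symlink, then check the object the
    descriptor refers to. Check and use act on the same kernel object, so
    there is no window in which the name can be swapped underneath us."""
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        st = os.fstat(fd)                    # check the opened object, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if race_hook:
            race_hook()                      # too late: fd is bound to the checked object
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def _setup(tmp):
    """Constructed fixture: a harmless file the program is allowed to read
    and a secret file the attacker wants it to read instead."""
    public = os.path.join(tmp, "public.txt")
    secret = os.path.join(tmp, "secret.txt")
    with open(public, "wb") as f:
        f.write(b"harmless")
    with open(secret, "wb") as f:
        f.write(b"SECRET")
    return public, secret


def _swap_for_symlink(public, secret):
    """Attacker step: atomically replace the checked name with a symlink to
    the secret. rename(2) is atomic, which is what makes the race winnable."""
    def hook():
        link = public + ".lnk"
        os.symlink(secret, link)
        os.replace(link, public)
    return hook


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        public, secret = _setup(tmp)
        results["vulnerable"] = read_trusted_file_vulnerable(
            public, _swap_for_symlink(public, secret))
    with tempfile.TemporaryDirectory() as tmp:
        public, secret = _setup(tmp)
        results["safe"] = read_trusted_file_safe(
            public, _swap_for_symlink(public, secret))
        # The name now points at a symlink; a fresh hardened open refuses it.
        try:
            read_trusted_file_safe(public)
            results["safe_after_swap"] = "opened"
        except OSError:
            results["safe_after_swap"] = "refused"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value!r}")
```

The general rule the hardened version follows is to perform the check on the handle you will use (the file descriptor) rather than on the name, and never to go back through the name after the check. The same principle applies to the state-change and disconnect windows discussed next: if the check and the action are not bound to the same object, assume an attacker can change what the name refers to in between.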
Likewise, attackers can attempt to take action between two known
states when the state of a resource or the entire system changes.
Communication disconnects also provide small windows that an
attacker might seek to exploit. Anytime a status check of a resource
precedes action on the resource, a window of opportunity exists for a
potential attack in the brief interval between check and action. These

