TOCTOU (Time-of-Check-Time-of-Use) is a class of security vulnerability in which an attacker intervenes between the moment a system checks some state, such as data or permissions, and the moment it uses the result of that check. It belongs to the family of race conditions, and the earliest literature on it dates back at least to the 1970s [1]. Its scope is broad and the attack methods are highly varied; this paper studies the part concerning Linux system calls. For system-call pairs that can give rise to TOCTOU vulnerabilities, we use the static analyzer of clang, the LLVM front end, to define and write our own checker. This checker lets users receive TOCTOU-related warnings at compile time, with the aim of improving code quality and reducing the opportunity for attackers.

A system is attacked between the time it checks something, such as files or privileges, and the time it uses the result of that check. This is a security vulnerability called TOCTOU (Time-of-Check-Time-of-Use). TOCTOU is a kind of race condition and can be dated back to the 1970s. There are many ways to attack systems via TOCTOU; this paper focuses on those involving Linux system calls. We use the clang static analyzer in the LLVM front end to define and write our checker. This checker detects system-call pairs that may lead to TOCTOU at compile time and issues warnings about them. Users can therefore improve their code, reducing the probability of being attacked.