Skip to content



timer_create - creates a per-process timer


timer_create() is a system call used to create a per-process timer that sends a signal when it expires. It is a function that creates a timer with a specified clock (CLOCK_REALTIME, CLOCK_MONOTONIC, CLOCK_PROCESS_CPUTIME_ID, CLOCK_THREAD_CPUTIME_ID, CLOCK_MONOTONIC_RAW, CLOCK_REALTIME_COARSE and CLOCK_MONOTONIC_COARSE) and it accepts a sigevent structure that has information about the signal that will be sent when the timer is triggered. The timer ID is returned in the timer_t pointer that is one of the parameters of the syscall.

The timer_create() syscall is useful for applications which need to be woken up at a particular time for a certain task. For example, a process can use timer_create() to cause a signal to be sent when a certain amount of time has passed.


  • clockid:const clockid_t[K] - identifier of the clock to be used (realtime, monotonic etc...)
  • sevp:struct sigevent*[KU] - pointer to sigevent structure which includes information about the signal that will be sent when the timer expires.
  • timer_id:timer_t[K] - pointer to the created timerĀ“s ID.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)






Trigger events when timer_create is executed

Example Use Case

For example, timer_create is used to set up asynchronous events to trigger a signal after a certain amount of time. This can be used in applications that need a certain action to be performed at a certain time, such as scheduling a task or sending an alert to the user after a certain amount of time.


The main problem with timer_create is that it is susceptible to Time of Check to Time of Use (TOCTOU) attacks. This means that the timer can be triggered before the desired time, thus allowing malicious actors to do their deed before the timer has expired.

  • timer_settime() - used to arm the timer created with timer_create().
  • timer_delete() - used to delete a timer created with timer_create().
  • timer_gettime() - used to get the remaining time of a timer created with timer_create().
  • timer_getoverrun() - used to get the number of missed occurrences of the timer created with timer_create().

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.