TOCTOU (Time-of-Check to Time-of-Use)
TOCTOU is the race condition where a resource's state changes between a security check and the operation that depended on it.
Definition
Time-of-Check to Time-of-Use (TOCTOU) is the specific shape of race condition in which a program checks a security-relevant property of a resource and then performs an action on the resource that assumes the property still holds. Between the check and the use, the resource's state changes — either through concurrent action by the same program, or because an attacker arranged the change.
TOCTOU is best known from the file-system literature but applies anywhere there is a non-atomic check-and-use pattern. Modern cloud examples include "check IAM policy, then perform action" where the policy changes mid-flight, and "check certificate, then dial connection" where DNS rebinding redirects the second step to a different host.
How it works
See "Race Condition" — TOCTOU is the security-relevant variant. The defining structure is two steps: a check that validates the resource is safe, and a use that operates on the resource. Atomicity between the two is the fix.
Impact
Privilege escalation, authorisation bypass, data corruption.
Mitigation
Use atomic operations: open file descriptors and check their properties via `fstat`, not paths via `stat`. Use database row locks or optimistic concurrency tokens. In distributed systems, prefer compare-and-swap primitives over read-modify-write.
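The `fstat`-not-`stat` rule above, as an added example in C that is not part of the original page: a racy check-by-path opener beside a hardened open-then-`fstat` opener, with a demo on a constructed file and symlink. Requiring a regular file owned by the caller with a single link is this example's own policy, not something the page prescribes.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable: check the path, then open the path. Between access() and open()
 * the name can be repointed (e.g. replaced by a symlink), so the object
 * opened need not be the object that was checked. */
int open_racy(const char *path) {
    if (access(path, W_OK) != 0) return -1;   /* check, by name */
    return open(path, O_WRONLY);              /* use, by name again */
}

/* Hardened: open first, refusing to follow a final-component symlink, then
 * validate the descriptor with fstat(). The fd is bound to one inode, so the
 * check and every later write act on the same object. Requiring a regular
 * file owned by the caller with one link is this example's policy. */
int open_checked(const char *path, uid_t expected_owner) {
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != expected_owner || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demo on a constructed regular file and a symlink to it. Returns 1 when the
 * racy opener follows the symlink but the hardened one accepts only the real
 * file; 0 otherwise (including setup failure). */
int demo(void) {
    char dir[48], file[64], alias[64];
    snprintf(dir, sizeof dir, "/tmp/toctou_demo_%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return 0;
    snprintf(file, sizeof file, "%s/target", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);
    int fd = open(file, O_CREAT | O_WRONLY, 0600);
    if (fd < 0) return 0;
    close(fd);
    if (symlink(file, alias) != 0) return 0;
    int racy = open_racy(alias);                  /* follows the link */
    int real = open_checked(file, getuid());      /* accepted */
    int via_link = open_checked(alias, getuid()); /* refused with ELOOP */
    int ok = racy >= 0 && real >= 0 && via_link < 0;
    if (racy >= 0) close(racy);
    if (real >= 0) close(real);
    unlink(alias); unlink(file); rmdir(dir);
    return ok;
}
```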
Examples
- CVE-2008-0166 (Debian OpenSSL) is sometimes listed under TOCTOU but is unrelated to it; the relevant Linux class is the symlink-race family, where a path is checked and then opened while the name is repointed at a different object in between.