Definition
Plain language
A security gap where something is verified at one moment but actually used later, and an attacker slips in between.
As stated in the literature
TOCTOU — a race-condition class where a resource's state is validated and then used at different times, letting it change in between; in FloatDoor, the gap between auditing a model on one platform and deploying it on another.
Also called: TOCTOU, time-of-check, time-of-use
Why it matters: It shows that checking and using a resource at different moments leaves a window an attacker can exploit, including auditing a model on one chip and running it on another.
For example, a file is approved as safe and then swapped for a malicious one in the instant before it's actually opened.
Heard on the show
“The paper has a name for that window, borrowed from classic computer security: a time-of-check, time-of-use gap.”Episode 158 — How Floating-Point Rounding Lets a Model Tell Which Chip It's On — And Misbehave