
Time-Of-Check To Time-Of-Use Flaw

Core Idea

A time-of-check to time-of-use flaw is the structural pattern in which a precondition is verified at one instant, the action it authorizes is taken at a later instant, and between the two the relevant state changes, making the original verification false at the moment of action. The verification itself was sound; the action it authorized is, by the time it executes, no longer authorized. The defect lives in the gap between the check and the use — not in either operation in isolation.

The structure has three load-bearing ingredients: a check that consults state \(S\) at time \(t_1\), an action that depends on \(S\) at time \(t_2\), and a possibility that \(S\) changes between \(t_1\) and \(t_2\). When the gap is non-zero and the state is mutable, the verification's verdict is no longer load-bearing at the moment of action — it is a stale authorization. The essential commitment is to treat the temporal binding between verification and action as a first-class object, separate from the correctness of the check and the correctness of the action. Both can be individually flawless and the system still fails, because nothing re-anchored the action's preconditions to the moment of execution. A sharp consequence follows immediately: adding more or stricter checks at \(t_1\) does nothing to fix this class of failure. The issue is the gap, not the rigor of the check. The remedy lives instead on a continuum of binding strength, from re-checking atomically at use (strongest), through leasing with expiry and re-validating if elapsed, to checking once and hoping (weakest).

How would you explain it like I'm…

Someone Took The Chair

Imagine you check that a chair is empty, then walk across the room to sit down — but while you were walking, someone else sat in it. Your check was right when you made it, but by the time you sat, it was wrong. The problem is the time in between, when things could change.

The Gap In Between

Suppose you look at a parking spot and see it is open, then drive around the block to come park in it. While you were driving, another car took the spot. You were not wrong to look, and you were not wrong to park — the trouble is the gap between looking and parking, when the spot could change. Checking even more carefully when you first looked would not help at all, because the issue is the wait, not how good your look was. The fix is to check again right when you park, or to claim the spot so no one can take it.

Stale-Permission Gap

A Time-Of-Check To Time-Of-Use Flaw is the pattern where a precondition is verified at one instant, the action it authorizes happens at a later instant, and the relevant state changes in between, making the original check false by the time of action. The check itself was sound; the action it allowed is simply no longer authorized when it runs. The defect lives in the gap — not in the check and not in the action, either of which can be individually flawless. The key move is to treat the timing link between verifying and acting as its own thing, separate from whether the check and the action are correct. A sharp consequence: adding stricter checks at the start does nothing to fix this, because the problem is the gap, not the rigor. The cure lies on a scale of binding strength, from re-checking atomically at the moment of use, to leasing with an expiry, down to checking once and hoping.


A Time-Of-Check To Time-Of-Use Flaw is the structural pattern in which a precondition is verified at one instant, the action it authorizes is taken at a later instant, and between the two the relevant state changes, making the original verification false at the moment of action. The verification itself was sound; the action it authorized is, by the time it executes, no longer authorized. The defect lives in the gap between check and use — not in either operation in isolation. Three ingredients are load-bearing: a check that consults state S at time t1, an action depending on S at time t2, and the possibility that S changes between t1 and t2. When the gap is non-zero and the state is mutable, the verification's verdict is stale authorization at the moment of action. The essential commitment is to treat the temporal binding between verification and action as a first-class object, separate from the correctness of either; both can be flawless and the system still fails because nothing re-anchored the action's preconditions to execution time. A sharp consequence follows: adding more or stricter checks at t1 does nothing — the issue is the gap, not the rigor. The remedy lives on a continuum of binding strength, from re-checking atomically at use (strongest), through leasing with expiry and re-validating, to checking once and hoping (weakest).

Structural Signature

  • a check consulting state at one instant
  • an authorizing verdict with a temporal life
  • an action depending on that state at a later instant
  • a gap between check and use
  • a mutator able to change the state within the gap
  • a stale-authorization invariant: stricter checks at the first instant cannot fix it

The pattern is present when each of the following holds:

  • A check on state. A verification consults some state at time t1 and renders a verdict about whether an action is permitted.
  • An authorizing verdict. The verdict carries a temporal life — it is sound at t1, but its validity is not automatically preserved past that instant.
  • A dependent action. An action that consumes the verdict executes at a later time t2, relying on the state the check examined.
  • A non-zero gap. A separation between t1 and t2 during which the verdict is held rather than re-anchored.
  • A mutator. Some process — an attacker's swap, a concurrent write, a vehicle entering, a new medication — can change the relevant state within the gap.
  • A stale-authorization invariant. When the gap is non-zero and the state is mutable, the verdict is no longer load-bearing at t2; crucially, adding more or stricter checks at t1 does nothing, because the defect is the gap, not the rigor of the check.

The components compose so that the temporal binding between verification and action becomes a first-class object, separate from the correctness of either operation: the structure forces the question "by what mechanism is the precondition re-anchored to the moment of execution?" and arrays the remedies along a continuum of binding strength.

What It Is Not

  • Not failed verification. Verification asks whether a check is correct; the TOCTOU flaw arises when a check that was correct becomes stale — the defect is the temporal gap, not the rigor of the check.
  • Not failed validation. Validation asks whether the right thing was built or measured; TOCTOU is about a sound verdict losing its force between issuance and use.
  • Not a fail-safe gap. fail_safe concerns what happens when a component fails; TOCTOU concerns a successful check whose conclusion expires before the dependent action runs.
  • Not loose engineering tolerances. engineering_tolerances set allowable variation in a quantity; TOCTOU is a temporal binding failure, not a tolerance-band one — present even with perfect tolerances.
  • Not calibration drift. calibration aligns an instrument to a reference; TOCTOU is the gap between checking state and acting on it, not the accuracy of the instrument that checked.
  • Common misclassification. Responding to a stale-authorization failure by hardening the check (more permission bits, stricter rules). Catch it by asking whether the fix re-anchors the action to state at the moment of use; if it only improves the verdict at check time, it cannot close a gap defect.

Broad Use

The mechanism recurs wherever a decision is taken on recorded rather than concurrent state. In computer security and concurrency — its original setting — a process checks that a file is owned by the user and then opens it, and an attacker swaps the file for a symlink in between; a web app confirms an account is unblocked and then issues a refund the account was frozen against a millisecond earlier. In aviation a runway is checked clear and a takeoff clearance issued, and a vehicle enters before the roll begins. In medicine pre-operative labs and consent are obtained on Monday for surgery on Wednesday, and the patient's coagulation has shifted, or consent has been revoked, or a new medication added. In law a warrant issued on affidavits true at the time is executed weeks later under materially changed circumstances. In finance a credit check approves a loan that disburses a month later, by which time employment, balance, or fraud flags have changed. In industrial safety a lockout-tagout verification confirms a system de-energized, and energization occurs before the worker reaches inside; a confined-space atmospheric test taken at entry degrades over the hour spent inside. In logistics a cargo manifest verified at origin no longer binds the goods that were swapped or removed by destination. In each, state \(S\) verified at \(t_1\) mutates before \(t_2\), and the verdict no longer applies.

Clarity

The concept makes a class of failures auditable that would otherwise look like bad luck. It re-localizes the defect from "the check missed it" or "the action was wrong" to "the temporal binding between check and action was not enforced." That relocation is the clarifying act: it names the gap as the object of concern, where the unaided analyst sees only a correct check followed by a correct action and concludes, wrongly, that nothing was at fault.

It also forces a specific question that ordinary reasoning omits: by what mechanism is the action's precondition re-anchored to the moment of execution? Separating what was true from what is true now exposes that a verification carries a verdict with a temporal life, and that the verdict can expire. The clarifying payoff is that it pre-empts the natural but useless response — adding more checks at \(t_1\) — and redirects effort to closing or binding the gap. By framing the design choice as a position on a binding-strength continuum, it converts a vague unease about timing into a clean engineering and governance decision with named alternatives.

Manages Complexity

A protocol designer can audit any check-then-act sequence by asking three questions: what state was relied on at the check, what operations could mutate that state between check and act, and what mechanism binds the act to the state actually present at execution. That three-question scan compresses a large concurrency or operational-safety review into a single pattern-match, replacing an open-ended search for "what could go wrong" with a structured interrogation of one gap.

The compression also produces a sorted family of interventions, each a different way of strengthening the temporal binding. Atomic check-and-act — locked or transactional operations, a surgical time-out immediately before incision, a clearance read-back at the threshold. Lease with explicit expiry — token TTLs, warrant shelf life, lab-result staleness windows, rate-lock expiry. Re-validation at use — a final intra-operative check, a balance re-check at fund release, a taxiway re-confirmation before crossing. Bind the verification to a stable substrate — a file descriptor rather than a path, a biometric rather than a badge, a sealed package rather than a manifest. Shrink the window — pull check and act closer in time, or reduce the set of mutators that can act in the interval. Detect change since check — versioning, optimistic concurrency, re-photograph, recount. Having the structure in hand is what lets a designer choose deliberately among these rather than reaching for the reflexive and futile "check harder."

Abstract Reasoning

Holding the flaw as a unit licenses the reasoning move of treating the temporal binding between verification and action as first-class. Most reasoners ask whether a check is correct; the pattern forces the further question of whether the check is still correct when its result is used. That move generalizes to any system where decisions are taken on the basis of recorded rather than concurrent state, which is an enormous class.

The abstraction also yields a sharp design tool: a continuum of binding strength. At one end, re-check atomically at use, so the verdict and the action are indivisible. In the middle, lease with expiry and re-validate if the lease has elapsed. At the other end, check once and trust, accepting exposure proportional to the gap and the mutation rate. Choosing a position on this continuum is a clean, transferable decision, and the abstraction makes the trade-off explicit: stronger binding costs coordination or latency, weaker binding costs exposure to stale authorization. Reasoning from the pattern, an analyst can predict where a check-then-act system is vulnerable (precisely in the gap, scaled by which mutators can act in it), why tightening the check will not help, and which binding-strength remedy fits the cost structure — inferences unavailable to anyone treating the failure as an isolated mishap.
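The refund-on-a-frozen-account case from the Broad Use section, worked as a single-threaded simulation of three positions on the binding continuum described in the two sections above (check once, lease with expiry, detect change since check). This is an added example, not code from the original page; the `Account`, `Verdict` and `refund_*` names are this example's own.

```c
/* Added example (not from the page): three binding strengths for one
 * check-then-act pair. Single-threaded simulation: in real concurrent code
 * the version compare and the apply must be one atomic step (a
 * compare-and-swap or a transaction). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    long balance_cents;
    bool frozen;
    uint64_t version;      /* bumped on every state change: "detect change since check" */
} Account;

typedef struct {
    bool approved;
    long amount_cents;
    uint64_t version_at_check;   /* stamp of S as seen at t1 */
    uint64_t issued_at;          /* logical clock at t1, for leasing */
} Verdict;

/* t1: the check. Sound for the state it examined at that instant. */
Verdict check_refund(const Account *a, long amount_cents, uint64_t now) {
    Verdict v = { .approved = !a->frozen && a->balance_cents >= amount_cents,
                  .amount_cents = amount_cents,
                  .version_at_check = a->version,
                  .issued_at = now };
    return v;
}

/* The mutator: the fraud team freezes the account inside the gap. */
void freeze_account(Account *a) { a->frozen = true; a->version++; }

/* The action itself; every state change moves the version. */
static void apply(Account *a, long amount_cents) { a->balance_cents -= amount_cents; a->version++; }

/* Weakest: check once and hope. Never looks at S at t2. */
int refund_unbound(Account *a, Verdict v) {
    if (!v.approved) return -1;
    apply(a, v.amount_cents);
    return 0;
}

/* Middle: lease with expiry. Trusts the verdict for ttl ticks, re-validates after. */
int refund_leased(Account *a, Verdict v, uint64_t now, uint64_t ttl) {
    if (!v.approved) return -1;
    if (now - v.issued_at > ttl) {
        v = check_refund(a, v.amount_cents, now);   /* lease elapsed: re-check at use */
        if (!v.approved) return -2;
    }
    apply(a, v.amount_cents);
    return 0;
}

/* Strongest here: detect change since check. Refuse if the version moved. */
int refund_versioned(Account *a, Verdict v) {
    if (!v.approved) return -1;
    if (a->version != v.version_at_check) return -3;  /* stale authorization */
    apply(a, v.amount_cents);
    return 0;
}

/* Constructed scenario: the freeze lands between check and use. Returns a
 * bitmask of deviations; 0 means each strategy behaved as its comment says. */
int run_scenario(void) {
    int rc = 0;
    Account a = { .balance_cents = 10000, .frozen = false, .version = 1 };
    Verdict v = check_refund(&a, 2500, 100);   /* t1 = 100: approved */
    freeze_account(&a);                        /* mutator acts in the gap */

    Account a1 = a;   /* check-once pays out against a frozen account */
    if (refund_unbound(&a1, v) != 0 || a1.balance_cents != 7500) rc |= 1;

    Account a2 = a;   /* inside the lease: still pays out; the lease is the exposure */
    if (refund_leased(&a2, v, 105, 10) != 0 || a2.balance_cents != 7500) rc |= 2;

    Account a3 = a;   /* lease elapsed: the re-check sees the freeze */
    if (refund_leased(&a3, v, 120, 10) != -2 || a3.balance_cents != 10000) rc |= 4;

    Account a4 = a;   /* version moved since t1: refused */
    if (refund_versioned(&a4, v) != -3 || a4.balance_cents != 10000) rc |= 8;

    Account b = { .balance_cents = 10000, .frozen = false, .version = 1 };
    Verdict vb = check_refund(&b, 2500, 100);  /* no mutator: versioned path pays */
    if (refund_versioned(&b, vb) != 0 || b.balance_cents != 7500 || b.version != 2) rc |= 16;
    return rc;
}

int main(void) {
    int rc = run_scenario();
    printf("scenario deviations: %d (0 = as described)\n", rc);
    return rc;
}
```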

Knowledge Transfer

The structural roles map across substrates, and with them the interventions transfer directly. The checked state corresponds to the file's ownership, the account's standing, the runway's clearance, the patient's labs, the cargo's contents; the authorizing verdict to the pass/fail result of the check; the action that consumes the verdict to the open, the refund, the takeoff, the incision; the check-act gap to the elapsed interval; the intervening mutator to the attacker's swap, the fraud-team freeze, the vehicle on the runway, the new medication; the binding strength to the design parameter governing how tightly the action is re-anchored. Because the roles correspond, a practitioner who has closed the gap in one domain recognizes it in another without retranslation.

The interventions inherit that portability, and the mappings are exact. A database compare-and-swap is structurally the same move as a pre-incision surgical time-out: both rebind the action to the state present at the moment of action. A token TTL, a warrant's shelf life, and a financial rate-lock expiry are one intervention — leasing a verdict with an explicit expiry — realized in three substrates. A re-validation at use is the same whether it is a final intra-operative re-check, a balance re-check at fund release, or a taxiway re-confirmation before crossing. Binding the verification to a stable substrate — a file descriptor over a path, a biometric over a badge, a sealed package over a manifest — recurs identically across security, identity, and logistics. The transfer is reliable because the gap-between-check-and-use structure is purely relational and temporal: the security vocabulary (TOCTOU, CWE-367) is local, but the pattern is regularly rediscovered under domain names — surgical time-out, aviation read-back, financial rate-lock expiry, legal staleness of information — each of which a reader recognizes as the same structure once the binding is named.

Examples

Formal/abstract

The canonical formal instance is the file-access race in operating-system security. A privileged process wants to write to a file only if the invoking user owns it. It executes access(path) at time \(t_1\), which consults the filesystem state \(S\) — the inode that path resolves to — and returns "permitted." Then at \(t_2\) it executes open(path) and writes. The check consults state via the path, an indirection that can be re-pointed: between \(t_1\) and \(t_2\) an attacker (the mutator) replaces path with a symbolic link to a sensitive system file. The verdict rendered at \(t_1\) was sound for the inode path then named, but the action at \(t_2\) operates on a different inode, so the stale authorization grants a write the check never approved. The structure exhibits every element: a check on \(S\) at \(t_1\), a verdict with a temporal life, a dependent action at \(t_2\), a non-zero gap, a mutator able to act in the gap. The stale-authorization invariant is exact and counterintuitive: hardening access — more permission bits, stricter ownership rules — cannot help, because the defect is the gap, not the check's rigor. The remedy lies on the binding-strength continuum: bind the verification to a stable substrate by opening the file first to obtain a file descriptor, then checking permissions on the descriptor (fstat) — an atomic check-and-act on an object that cannot be re-pointed.

Mapped back: The file-access race instantiates every role — check on state, temporally-lived verdict, dependent action, non-zero gap, mutator — and shows the fix is to strengthen the temporal binding (descriptor over path), not the check.
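The path-based check-then-use pair described above, beside the descriptor-bound form, as an added example that is not code from the original page. It assumes a POSIX system with a writable /tmp; the function names are this example's own.

```c
/* Added example (not from the page): access()+open() via a path, next to
 * open()+fstat() on the descriptor. POSIX only. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy: access() at t1 renders a verdict about whatever `path` names at t1;
 * open() at t2 resolves `path` again, so a re-pointed path receives a write
 * the check never approved. The defect is the two resolutions, not access(). */
int append_racy(const char *path, const char *data) {
    if (access(path, W_OK) != 0)                /* t1: check via the path */
        return -1;
    int fd = open(path, O_WRONLY | O_APPEND);   /* t2: use via the path again */
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Bound: open once to obtain a descriptor, then check with fstat() on that
 * descriptor. A descriptor names one inode and cannot be re-pointed, so the
 * check and the write refer to the same object. O_NOFOLLOW additionally
 * refuses a symlink at the final path component instead of following it. */
int append_bound(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||                 /* ordinary files only */
        st.st_uid != getuid()) {                /* owned by the invoking user */
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed scenario: a regular file we own, plus a symlink pointing at it.
 * Returns a bitmask of deviations; 0 means both functions behaved as their
 * comments claim. */
int run_demo(void) {
    char tmpl[] = "/tmp/toctou_demo_XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return 1;
    close(fd);
    char link[sizeof tmpl + 5];
    snprintf(link, sizeof link, "%s.lnk", tmpl);
    if (symlink(tmpl, link) != 0) { unlink(tmpl); return 2; }

    int rc = 0;
    /* Both accept a plain regular file owned by us. */
    if (append_bound(tmpl, "ok\n") != 0) rc |= 4;
    if (append_racy(tmpl, "ok\n") != 0) rc |= 8;
    /* Through the symlink: the racy form follows it and writes; the bound
     * form refuses, which is the wanted behaviour when a path can be re-pointed. */
    if (append_racy(link, "via-link\n") != 0) rc |= 16;
    if (append_bound(link, "via-link\n") == 0) rc |= 32;
    if (file_size(tmpl) != 3 + 3 + 9) rc |= 64;  /* only the three writes above landed */

    unlink(link);
    unlink(tmpl);
    return rc;
}

int main(void) {
    int rc = run_demo();
    printf("demo deviations: %d (0 = as described)\n", rc);
    return rc;
}
```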

Applied/industry

In surgical safety, pre-operative verification is performed well before incision: labs, consent, site marking, and the patient's identity are checked on the ward or the day before. The action — the incision — occurs at \(t_2\), and the relevant state can mutate in the gap: coagulation shifts, consent is revoked, a new anticoagulant is administered, or the wrong patient is wheeled in. The WHO surgical "time-out" is precisely the temporal-binding remedy: an atomic re-check of patient, site, and procedure performed immediately before incision, re-anchoring the authorization to the moment of action rather than relying on the stale ward-level verdict. The identical structure governs financial lending: a credit check at application time \(t_1\) approves a loan that disburses at \(t_2\) a month later, by which time employment, balance, or fraud flags may have changed — the remedy is a re-validation at fund release (the balance re-check) or a lease with explicit expiry (a rate-lock that forces re-approval if elapsed). And in aviation ground operations, a runway is checked clear and a takeoff clearance issued at \(t_1\), but a vehicle can enter before the roll begins at \(t_2\); the read-back-and-reconfirm protocol at the threshold is the atomic re-check that rebinds the clearance to the state present at the moment of action.

Mapped back: Across surgery, lending, and aviation the same roles recur — a check on mutable state, a temporally-lived verdict, a later dependent action, and a gap a mutator can exploit — and the same intervention family transports: strengthen the temporal binding by re-checking atomically at use, leasing with expiry, or binding to a stable substrate, never by merely checking harder at \(t_1\).

Structural Tensions

T1 — Gap versus Check Rigor (scopal). The prime's sharp claim is that stricter checks at \(t_1\) cannot fix a gap defect — the rigor of the check is the wrong dimension. The failure mode is check-hardening reflex: responding to a stale-authorization failure by adding permission bits or stricter verification, which leaves the gap untouched. This is the load-bearing tension. Diagnostic: would the fix re-anchor the action to state at \(t_2\), or only improve the verdict at \(t_1\)? If the latter, it cannot address a gap, however rigorous.

T2 — Binding Strength versus Coordination Cost (coupling). The binding-strength continuum trades exposure against cost — atomic re-check is strongest but costs latency and coordination, while check-once is cheapest but maximally exposed. The failure mode is over-binding: imposing atomic transactional re-checks everywhere, paying coordination cost where the mutation rate was negligible. Boundary with unevenness_waste. Diagnostic: what is the mutation rate in the gap, and what does stronger binding cost? The optimal position depends on both; defaulting to maximum binding wastes coordination where exposure was minimal.

T3 — Shrink the Window versus Eliminate the Gap (temporal). Shrinking the check-act gap reduces exposure but cannot eliminate it — any non-zero gap with a mutator remains vulnerable, so window-shrinking is mitigation, not a fix. The failure mode is small-gap complacency: assuming a tight window is safe when a fast mutator can still act in it. Diagnostic: can any mutator act within the shrunken window? A race condition with a microsecond gap is still a race condition; only atomic binding closes it, and shrinking merely lowers the probability.

T4 — Stable Substrate versus Indirection Convenience (scopal). Binding to a stable substrate (file descriptor over path, biometric over badge) defeats re-pointing, but the indirection being removed often existed for flexibility — paths, names, and manifests are convenient precisely because they can be re-resolved. The failure mode is flexibility loss: binding so tightly to a stable handle that legitimate re-resolution (a renamed file, a reissued credential) breaks. Diagnostic: was the indirection a vulnerability or a feature? Removing it closes the TOCTOU gap but may break workflows that depended on late binding.

T5 — Lease Expiry versus Revalidation Cost (temporal). Leasing a verdict with explicit expiry is the middle of the continuum, but the expiry must be tuned to the mutation rate — too long and stale authorizations slip through, too short and the system thrashes re-validating. The failure mode is mistuned TTL: a lease longer than the mutation timescale (stale grants) or shorter than the action cadence (constant re-checking). Boundary with washout_failure's interval-versus-decay ratio. Diagnostic: is the TTL set against the actual mutation rate, or a round number? The lease is only as safe as the ratio of its expiry to the rate of change.

T6 — Single Check-Use Pair versus Chained Dependencies (scalar). The model is one check, one use, one gap, but real systems chain many check-then-act sequences, and re-anchoring one pair can leave an earlier verdict in the chain stale. The failure mode is chain-gap blindness: atomically binding the final action while an upstream authorization it depended on has already expired. This is the scalar/composition tension. Diagnostic: does the action depend only on the state re-checked at \(t_2\), or also on earlier verdicts still held stale? Closing one gap in a chain leaves the others open.

Structural–Framed Character

The time-of-check to time-of-use flaw sits on the structural side of the middle of the structural–framed spectrum, a mixed-structural prime with an aggregate of 0.4. Its core is a purely relational and temporal structure — a check on state at one instant, an action depending on that state at a later instant, and a mutator able to act in the gap — and that gap-between-check-and-use shape is the same wherever it appears, which holds the prime on the structural side despite a vocabulary that originates in computer security.

The diagnostics split. Evaluative weight reads zero: a check-act gap is neither good nor bad in itself, only exposed or closed, and the prime carries no normative loading until you specify the mutator and the stakes. The remaining diagnostics sit at the midpoint, and they make the grade mixed. The vocabulary half-travels: "TOCTOU" and "CWE-367" are local security terms, yet the structure is regularly re-discovered under domain-native names — the surgical time-out, the aviation read-back, the financial rate-lock expiry, the legal staleness of information — each of which a reader recognizes as the same pattern once the binding is named, so the structure travels even though the home label does not. Human-practice-bound and institutional-origin read at the midpoint because the security origin is local while the instances are mostly verification practices: the file-access race against a symlink swap is a clean machine-level instance with no human in the loop, but surgical timeouts, lending re-validation, and runway clearances are human-institutional. Invoking the prime half-imports a frame (re-anchor the action to state at the moment of use; never merely check harder) and half-recognizes a temporal binding already present.

The prime's substrate reasoning lands the grade: the three-element signature — check at \(t_1\), action at \(t_2\), mutable state — is a pure relational/temporal structure that travels cleanly, even as most of its concrete instances are verification practices that are human-institutional. That is the mixed-structural signature — a genuinely substrate-neutral temporal relation, with a clean machine-level instance, carried alongside a set of human-institutional verification practices and a security-local home vocabulary the rediscovered domain names show is inessential.

Substrate Independence

The time-of-check-to-time-of-use flaw is a strongly substrate-independent prime — composite 4 / 5 on the substrate-independence scale. Its domain breadth is maximal and its structural abstraction is total: the three-element signature — a precondition verified at \(t_1\), an action taken at \(t_2\), and a mutable state that changes in the gap — is a pure relational/temporal structure, recognized rather than translated when it recurs in computer security and concurrency (the file swapped for a symlink between check and open), air traffic control (a runway checked clear before a vehicle enters), medicine (pre-operative labs taken Monday for Wednesday surgery), law (a warrant true at issue but executed weeks later), finance (a credit check approving a loan that disburses a month later), industrial safety (a lockout-tagout verification before energization, a confined-space atmospheric test that degrades over the hour inside), and logistics (a manifest verified at origin no longer binding swapped goods). What holds the composite at 4 rather than 5 is the transfer-evidence component: most of the concrete instances are verification practices that are themselves human-institutional, and a faint security-local home vocabulary travels with the structure — even though the bare machine-level case (a kernel file check racing a concurrent rename) shows the temporal relation is genuinely medium-neutral. A pure temporal structure with a clean machine instance, carried alongside a set of institutional verification practices, is exactly the mixed-structural profile a composite of 4 records.

  • Composite substrate independence — 4 / 5
  • Domain breadth — 5 / 5
  • Structural abstraction — 5 / 5
  • Transfer evidence — 4 / 5

Relationships to Other Primes

One-hop neighborhood: parents above, mutual partners to the right, children below. [Graph: Time-Of-Check To Time-Of-Use Flaw; composition edge to Verification; subsumption edge to Unverified Precondition]

Parents (2) — more general patterns this builds on

  • Time-Of-Check To Time-Of-Use Flaw is a kind of Unverified Precondition

    The file names the relation in its Structural Signature: "the time-of-check-to-time-of-use gap is the time-window-sensitive INSTANCE" of the existence-precondition pattern. Direction: unverified_precondition is the general action-presumes-referent-exists-at-commit prime; TOCTOU (real candidate slug, listed cross-ref) is its time-window special case (check drifts stale between verification and use). Medium because TOCTOU is also a well-established standalone security concept; the in-file "instance" framing nonetheless supports a parent_of edge. NOT a reparent to constraint (0.815 nearest, unrelated).

  • Time-Of-Check To Time-Of-Use Flaw presupposes Verification

    A TOCTOU flaw presupposes a verification (a check rendering a verdict) whose result goes stale before a dependent action consumes it; the defect is the temporal binding between a sound check and its use, not the check's correctness. Built on the verify step — the file calls it 'the prime that names what verification cannot guarantee.'

Path to root: Time-Of-Check To Time-Of-Use Flaw → Verification

Neighborhood in Abstraction Space

Time-Of-Check To Time-Of-Use Flaw sits among the more crowded primes in the catalog (40th percentile for distinctiveness): several abstractions describe nearly the same structure, so a description that fits it will tend to fit its neighbors too — transporting it usually means disambiguating within this family rather than landing on it exactly.

Family — Identity Matching & Lookup (10 primes)

Nearest neighbors

Computed from structural-signature embeddings · 2026-06-14

Not to Be Confused With

The nearest existing prime by embedding is verification, and the contrast is the entire point of the flaw. Verification is the activity of establishing that something meets a specified condition — that a check is correct, that the verdict it renders is sound for the state it examined. The TOCTOU flaw stipulates that the verification was flawless and the system still fails, because the verdict went stale in the gap before the action consumed it. The defect is not in the verification but in the temporal binding between verification and action — a dimension verification as a concept does not even address. This distinction is load-bearing and counterintuitive: it predicts that strengthening verification (more checks, stricter rules, deeper inspection at check time) cannot fix a TOCTOU failure, because the rigor of the check is orthogonal to the staleness of its verdict. A practitioner who treats a stale-authorization failure as a verification failure will reflexively "check harder" and leave the gap — the actual defect — wholly untouched. TOCTOU is, in a sense, the prime that names what verification cannot guarantee: that a sound verdict is still sound when it is used.

A second genuine confusion is with validation, which sits close to verification and is often paired with it. Validation asks whether the right thing was built, measured, or approved — whether the verdict concerns the correct property in the first place. TOCTOU is indifferent to that question: the property checked may be exactly the right one, the validation impeccable, and the failure still occurs because the state underlying the validated verdict mutates between check and use. The distinction matters because validation failures and TOCTOU failures call for opposite investigations. A validation failure is found by re-examining what was checked against what should have been checked; a TOCTOU failure is found by examining when the check was performed relative to when its result was used, and what could mutate in between. A practitioner who frames a TOCTOU race as a validation problem will audit the specification of the check when the real issue is the temporal interval the specification never mentioned.

A third confusion worth drawing is with calibration. Calibration aligns an instrument's readings to a reference standard so its measurements are accurate. The seductive overlap is that both involve a measurement that can become untrustworthy over time — a drifted instrument and a stale verdict both mislead. But calibration drift is about the instrument's accuracy degrading, while TOCTOU is about a correct measurement of a correct instrument losing relevance because the measured state itself changed after the reading. The instrument in a TOCTOU flaw may be perfectly calibrated; the problem is that what it measured at check time is no longer the state at use time. The remedies diverge sharply: calibration drift is fixed by re-calibrating the instrument against the reference; TOCTOU is fixed by re-anchoring the action to the state present at execution (atomic re-check, lease-with-expiry, binding to a stable substrate). A practitioner who diagnoses a TOCTOU failure as calibration drift will re-calibrate a fine instrument and leave the gap between check and use exactly as exposed as before.

For a practitioner, the distinctions sort by which dimension actually failed. If the check rendered a wrong verdict, it is a verification failure (check harder); if the wrong property was checked, it is a validation failure (check the right thing); if the instrument's accuracy drifted, it is calibration; and if a correct verdict on a correctly-checked, correctly-calibrated property went stale because state mutated between check and use, it is a TOCTOU flaw — the only one whose remedy is to strengthen the temporal binding, never to check harder.

Solution Archetypes

No catalogued solution archetypes reference this prime yet.