32.4.2 TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities

2025.10.06.
AI Security Blog

The gap between verifying a resource’s state and acting upon that resource is a classic security blind spot. In AI systems, where asynchronous pipelines process models, data, and configurations, this gap becomes a prime target. This is the essence of a Time-of-Check-to-Time-of-Use (TOCTOU) vulnerability—a race condition where an attacker alters a resource after it has been validated but before it is consumed.

The Anatomy of a TOCTOU Attack in AI Pipelines

TOCTOU vulnerabilities are not unique to AI, but their impact can be particularly severe in this domain. An AI system’s decision-making integrity relies on the assets it uses—models, datasets, and configurations. If these can be maliciously swapped after validation, the entire system’s behavior can be subverted. The asynchronous and distributed nature of modern MLOps pipelines often creates the necessary windows of opportunity for these attacks.

Kapcsolati űrlap - EN

Do you have a question about AI Security? Reach out to us here:

Imagine a typical pipeline: one service validates an object (e.g., checks a model file’s signature), places it in a shared location (like a file system or object store), and adds a message to a queue. A second, downstream service consumes the message and uses the object. The vulnerability lies in the time between the object being placed in the shared location and the second service accessing it.

Diagram illustrating the TOCTOU attack window. Validator Service Shared Resource Inference Service 1. Check(resource_path) 2. Valid ATTACK WINDOW Attacker swaps resource 3. Use(resource_path) 4. Loads malicious resource

Common TOCTOU Scenarios in AI Systems

As a red teamer, you should hunt for these patterns in your target’s MLOps architecture.

Scenario Description of Vulnerability Potential Impact
Model Swapping A model management service verifies the digital signature of a model file (e.g., model.pth). After verification, the path is passed to a model loader. An attacker with filesystem access replaces model.pth with a malicious, backdoored version before it’s loaded into memory. Model poisoning, data exfiltration through the model, denial of service, or complete system compromise if the model loading process has vulnerabilities.
Input Data Manipulation A pre-processing service scans an uploaded image for malicious content and saves the “clean” image to a temporary directory. A separate inference service later reads the image from that directory by filename to perform analysis. An attacker overwrites the clean image with an adversarial example in the interim. Evasion of content filters, causing misclassification, or triggering specific adversarial behaviors in the model.
Dynamic Configuration Hijacking An AI agent’s control plane validates a configuration file (e.g., agent_policy.json) on startup. The agent is designed to reload this configuration periodically. An attacker modifies the file to grant the agent excessive permissions or change its target objectives before the next reload cycle. Privilege escalation, unauthorized actions performed by the agent, or redirection of the agent’s tasks for malicious purposes.

Exploitation and Red Teaming Techniques

Discovering and proving a TOCTOU vulnerability often requires precise timing. Your goal is to win the race against the legitimate process.

Vulnerable Code Pattern

The fundamental flaw is re-accessing a resource by its identifier (like a path) after a check, rather than using the resource that was actually checked.

# Python Pseudocode: VULNERABLE PATTERN
import os
import time

def verify_model_integrity(path):
    # Simulates checking a hash or signature of the file on disk
    print(f"[CHECK] Verifying {path}...")
    # In a real scenario, this would be a cryptographic check
    return os.path.exists(path) 

def load_model(path):
    print(f"[USE] Loading model from {path}...")
    # This is where the (potentially swapped) model is loaded
    pass

model_path = "/models/production/latest.h5"

# Time-of-Check
if verify_model_integrity(model_path):
    print("Verification successful.")
    
    # --- ATTACKER'S WINDOW OF OPPORTUNITY ---
    # A delay here, caused by network latency or other tasks,
    # makes the race easier for an attacker to win.
    time.sleep(2) 
    
    # Time-of-Use: The file is re-opened by path
    load_model(model_path)
else:
    print("Verification failed.")

Red Team Strategies

  • Filesystem Monitoring: Use tools like inotify-tools (Linux) or scripts to monitor directories where models, data, or configs are temporarily stored. Trigger alerts when files are accessed and then modified shortly after.
  • Latency Injection: In a controlled test environment, introduce artificial delays between the “check” and “use” steps of a process. This widens the attack window, making it easier to script a successful file swap and demonstrate the vulnerability’s existence.
  • Brute-Force Swapping: Write a tight loop that repeatedly attempts to overwrite a target file. Execute this script while the target application is known to be processing that file. This is a noisy but effective way to win the race.

Defensive Strategies and Mitigation

Mitigating TOCTOU requires closing the window between check and use. The most robust strategy is to ensure the checked resource is the exact same one that is used.

Secure Code Pattern

The correct approach is to check the resource in memory and then use that same in-memory object, avoiding any further filesystem interaction by name.

# Python Pseudocode: SECURE PATTERN
import hashlib

def verify_model_data(data):
    # Simulates checking the hash of the in-memory data
    print("[CHECK] Verifying model data in memory...")
    actual_hash = hashlib.sha256(data).hexdigest()
    expected_hash = "e3b0c44298fc1c149afbf4c8..." # Known-good hash
    return actual_hash == expected_hash

def load_model_from_data(data):
    print("[USE] Loading model from verified in-memory data...")
    pass

model_path = "/models/production/latest.h5"

try:
    # 1. Open the file and read its entire content into memory ONCE.
    with open(model_path, 'rb') as f:
        model_bytes = f.read()

    # 2. Time-of-Check: Perform verification on the in-memory data.
    if verify_model_data(model_bytes):
        print("Verification successful.")
        
        # 3. Time-of-Use: Use the verified in-memory data directly.
        # There is no window for an attacker to swap the file on disk.
        load_model_from_data(model_bytes)
    else:
        print("Verification failed.")
except FileNotFoundError:
    print("Model file not found.")

Other key mitigations include:

  • Use File Handles/Descriptors: Instead of paths, open a file once to get a handle. Perform checks (e.g., `fstat`) and subsequent reads using this handle. The OS ensures the handle points to the same underlying file, even if its name is changed.
  • Atomic Operations: Use filesystem or OS features that provide atomic operations for creating, renaming, or replacing files. This can prevent an attacker from interfering mid-operation.
  • Immutable Storage: Store critical assets like production models in read-only locations (e.g., read-only file mounts, immutable container layers, or version-locked object storage). If the asset cannot be modified, a TOCTOU attack is impossible.

32.4.1 Race Condition Identification

2025.10.06.

32.4.3 Queue Manipulation Attacks

2025.10.06.

Contact

Attila Rácz-Akácosi, AI Security Strategy Consultant, Aiq.hu ©

Send an email with the details, and I will help you outline concrete steps toward safer AI operation.
Ai Red Teaming Hungary, Global Ai Safety / LLM Security Audit

Ai Red Teaming Dictionary

AI Security Audit - Checklist