A Novel Detection Method for the Security Vulnerability of Time-of-Check to Time-of-Use

Yungyu Zhuang, Yao Nang Tseng

Research output: Contribution to journal › Article › peer-review


Since Artificial Intelligence (AI) is applied to various applications for intelligent and automatic processing, ensuring system security is even more important. Many developers still prefer C-like languages for flexibility, usability, and historical reasons when implementing underlying systems, though other languages support more modern features. Because they lack higher-level abstraction and exception handling, languages like C are known to be prone to several security vulnerabilities. Time-of-Check to Time-of-Use (TOCTOU) is one of the security vulnerabilities in C code, a kind of bug caused by race conditions. Unexpected function calls might be executed, resulting in failure or abnormal behavior of the system, if someone injects malicious operations between the time the system state is checked and the time the check result is used. Several research efforts on code analysis, including static and dynamic approaches, have been devoted to developing detection methods, but there is room for improvement. We propose a novel method to statically detect the TOCTOU vulnerability and implement a tool built atop a solid static analyzer to show the feasibility of our idea. Our tool was evaluated with test cases for TOCTOU vulnerabilities and compared with existing detection methods. The results show that our method can detect TOCTOU vulnerabilities more accurately and cover all possible paths in the source code.
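The check-then-use race the abstract describes is easiest to see on the classic access()/open() pair (CWE-367). The following C program is an added illustration, not code from the paper or its tool: `unsafe_open_if_readable` resolves the path twice, once for the check and once for the use, so a symlink swapped in between the two calls is followed; `safe_open_regular` opens first and then inspects the file description it actually holds. The function names, the temp-file fixtures and the "secret" file content are constructed for this example.

```c
/* Added example (not from the paper): a TOCTOU-prone access()/open() pair
 * beside a form whose check and use operate on the same opened object. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE: access() and open() each resolve `path` independently. Between
 * the two calls another process can replace `path` with a symlink to a file
 * the caller must not read; access() approved the old binding, open() uses
 * the new one. */
int unsafe_open_if_readable(const char *path)
{
    if (access(path, R_OK) != 0)        /* time of check */
        return -1;
    /* race window: `path` may now name a different object */
    return open(path, O_RDONLY);        /* time of use */
}

/* HARDENED: open first, then check the descriptor we hold. O_NOFOLLOW
 * refuses a symlink at the final component and fstat() examines the object
 * that was actually opened, so nothing is re-resolved between check and use. */
int safe_open_regular(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed fixtures for the demonstration: a regular file holding a
 * placeholder secret, and a symlink that points at it. Tries /tmp first,
 * then the current directory. */
int make_temp_regular(char *path_out, size_t len)
{
    const char *templates[] = { "/tmp/toctou-demo-XXXXXX", "./toctou-demo-XXXXXX" };
    for (size_t i = 0; i < 2; i++) {
        char tmpl[64];
        snprintf(tmpl, sizeof tmpl, "%s", templates[i]);
        int fd = mkstemp(tmpl);
        if (fd < 0)
            continue;
        if (write(fd, "secret\n", 7) != 7) { close(fd); unlink(tmpl); return -1; }
        close(fd);
        snprintf(path_out, len, "%s", tmpl);
        return 0;
    }
    return -1;
}

int make_symlink_to(const char *target, char *link_out, size_t len)
{
    snprintf(link_out, len, "%s.lnk", target);
    unlink(link_out);                   /* ignore failure: link may not exist */
    return symlink(target, link_out);
}

int main(void)
{
    char file[64], link[80];
    if (make_temp_regular(file, sizeof file) != 0 ||
        make_symlink_to(file, link, sizeof link) != 0) {
        perror("setup");
        return 1;
    }
    int a = unsafe_open_if_readable(link);  /* follows the link: "passes" */
    int b = safe_open_regular(link);        /* refuses the link */
    int c = safe_open_regular(file);        /* accepts the regular file */
    printf("unsafe open via symlink: %s\n", a >= 0 ? "opened" : "refused");
    printf("safe open via symlink:   %s\n", b >= 0 ? "opened" : "refused");
    printf("safe open of real file:  %s\n", c >= 0 ? "opened" : "refused");
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    if (c >= 0) close(c);
    unlink(link);
    unlink(file);
    return 0;
}
```

The symlink here stands in for whatever an attacker would swap into the path during the race window; the hardened form does not close the window so much as remove it, because the only check it performs is on the descriptor it will use. Where access() is used in a setuid program to emulate the real user's permissions, the corresponding fix is to drop privileges before open() (or open relative to a directory descriptor held since the check) rather than to keep the path-based check. A static detector of the kind the paper proposes looks for exactly this shape: a path-taking check call followed on some control-flow path by a path-taking use call on the same argument.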

Original language: English
Pages (from-to): 1171-1188
Number of pages: 18
Journal: Journal of Information Science and Engineering
Issue number: 6
State: Published - Nov 2022


  • security vulnerability
  • source code analysis
  • static analysis
  • time-of-check to time-of-use

