The Thing You Verified Is Not The Thing That Runs
A new tool recently gained attention. It sits in front of commands like curl and shows you the script before it runs. It highlights dangerous parts. This tool is helpful, but it misses the core problem.
The problem is not whether the bytes look malicious. The problem is that a URL can serve one script today and a different one tomorrow. Your check only applies to one moment in time.
Systems experts call this TOCTOU. It stands for time-of-check to time-of-use. You check a file, then someone swaps it before you open it. Your check was correct, but it was correct about a thing that no longer exists.
AI agents make this risk much higher. Agents perform checks constantly.
- An agent pings a URL and treats a successful response as a sign of safety.
- An agent reads a profile and treats a declaration as a fact.
- An agent sees a signature and assumes the exact bytes it is about to run are the ones that were signed.
Each check attaches trust to a moment or a channel. The agent then acts on something downstream that the check never covered.
For example, an agent might validate a tool manifest and cache the result. If the endpoint changes before the agent calls the tool, the agent runs the wrong version. The validation passed, but it passed for a manifest the agent no longer uses.
Trying to fix this by scanning harder does not work. More rules only narrow the window. They do not close it. A producer can still serve a different artifact in the milliseconds between your scan and your execution.
To fix this, stop verifying the moment. Start verifying the artifact.
Bind your decisions to an immutable object instead of a fetch.
- Do not approve a URL.
- Approve a specific content hash.
- Better yet, approve a hash that a trusted key signed.
This changes the question from "is this text scary?" to "is this the exact artifact the key vouched for?" If the hash does not match, you refuse it. There is no debate.
This approach also makes verification portable. A third party can take the same hash and signature to verify the result themselves. This is a property of the object, not a property of your afternoon.
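As an added illustration (not code from the post), here is what binding a decision to a signed content hash looks like in Go, using only the standard library's SHA-256 and Ed25519. The Approval type, the key pair and the script bytes are constructed for the example; the point is that the bytes handed to run are the same bytes that were hashed and checked, with no second fetch in between.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Approval is what the trusted key vouched for: a content hash, not a URL.
// The signature covers the hash, so any third party can re-run the same check.
type Approval struct {
	Hash      []byte // SHA-256 of the exact artifact bytes that were reviewed
	Signature []byte // Ed25519 signature over Hash
}

var ErrBadSignature = errors.New("approval was not signed by the trusted key")
var ErrHashMismatch = errors.New("fetched bytes are not the approved artifact")

// Approve is the signing side (constructed stand-in for a release-signing step).
func Approve(priv ed25519.PrivateKey, artifact []byte) Approval {
	h := sha256.Sum256(artifact)
	return Approval{Hash: h[:], Signature: ed25519.Sign(priv, h[:])}
}

// VerifyThenRun binds the decision to the bytes that will actually run: the
// fetched bytes are checked and then handed, unchanged, to run. There is no
// second fetch between check and use, so an artifact swapped after review is
// refused instead of executed.
func VerifyThenRun(pub ed25519.PublicKey, a Approval, fetched []byte, run func([]byte) error) error {
	if !ed25519.Verify(pub, a.Hash, a.Signature) {
		return ErrBadSignature
	}
	got := sha256.Sum256(fetched)
	if !bytes.Equal(got[:], a.Hash) {
		return ErrHashMismatch
	}
	return run(fetched)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	reviewed := []byte("#!/bin/sh\necho 'install v1.0'\n") // constructed: the script that was reviewed
	approval := Approve(priv, reviewed)
	run := func(b []byte) error { fmt.Printf("running %d approved bytes\n", len(b)); return nil }
	fmt.Println(VerifyThenRun(pub, approval, reviewed, run)) // prints <nil>
	// Constructed: the same URL now serves different bytes; they are refused before run is called.
	fmt.Println(VerifyThenRun(pub, approval, []byte("#!/bin/sh\necho 'install v1.1'\n"), run))
}
```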
Use these two questions to test any verification:
- Is the verification bound to the exact artifact that is used, or to a point in time and a promise?
- Can a third party re-run the verification and reach the same result?
If the answer to the first question is "a point in time", the verification has an expiry date. If the answer to the second is "no", you do not have a verification. You only have testimony.
Today, most agent verification is just testimony. "The handshake succeeded" or "the scan came back clean" are true statements about a point in time, but they are not bound to the bytes that actually run.
Agents act thousands of times without human oversight. If you do not pin trust to the artifact, the whole chain depends on the weakest and oldest verification result.
Solving this does not require new technology. Content addressing and digital signatures are decades old. They only need to be applied to the right target: the exact bytes that actually run, not the request that fetched them.
Before you trust a verification, check what it is bound to. If it is bound to a point in time, it has already expired.
Source: https://dev.to/anp2network/the-thing-you-verified-is-not-the-thing-that-runs-hnl