Prevention of vulnerabilities arising from optimization of code with Undefined Behavior
Published: 2021
Issue: 4
Volume: 33
Pages: 195-210
ISSN: 2079-8156
Container-title: Proceedings of the Institute for System Programming of the RAS
Short-container-title: Proceedings of ISP RAS
Authors:
Baev Roman Vyacheslavovich,
Skvortsov Leonid Vladlenovich,
Kudryashov Evgeny Alekseevich,
Buchatskiy Ruben Arturovich,
Zhuykov Roman Aleksandrovich
Abstract
Aggressive optimization in modern compilers may expose vulnerabilities in program code that did not manifest as bugs before optimization. The source of these vulnerabilities is code with undefined behavior. Programmers use such constructs relying on the particular behavior they have observed in their experience, but the compiler is not obliged to preserve that behavior and may change it when doing so helps optimization, since the behavior is undefined by the language standard. This article describes approaches to detecting and eliminating vulnerabilities arising from optimization in the case where source code is available but modifying it is undesirable or impossible. The concept of a safe compiler (i.e. a compiler that ensures no vulnerability is added to the program during optimization) is presented, and an implementation of such a compiler on top of the GCC compiler is described. The safe compiler's functionality is divided into three security levels, whose applicability is discussed in the article. The feasibility of using the safe compiler on real-world codebases is demonstrated and the possible performance losses are estimated.
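One classic instance of the problem the abstract describes, as an added C example that is not from the article: `fits_ub` is a constructed length check whose overflow test depends on undefined signed overflow and can be dropped by GCC at -O2, `fits_safe` is the same check written without undefined behavior, and the comments name the GCC flags (-fwrapv, -fno-strict-overflow) that preserve the intended meaning of the unmodified source, which is the situation a safe compiler addresses.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed example: a length check that relies on signed-overflow
 * wrap-around. Signed overflow is undefined behaviour in C, so GCC at -O2
 * (which enables strict-overflow assumptions) may fold `len + pad < len`
 * into `pad < 0`, and the overflow test silently disappears from the binary.
 */
bool fits_ub(int len, int pad, int cap)
{
    if (len + pad < len)        /* intended wrap-around detection */
        return false;
    return len + pad <= cap;    /* may pass for a wrapped sum */
}

/* Hardened form: the same check expressed without undefined behaviour,
 * using the overflow-checking builtin provided by GCC and Clang.
 */
bool fits_safe(int len, int pad, int cap)
{
    int sum;
    if (__builtin_add_overflow(len, pad, &sum))
        return false;           /* overflow detected; cannot be optimized away */
    return sum <= cap;
}

/* Third option, corresponding to what the article calls a safe compiler:
 * leave fits_ub unchanged and compile with -fwrapv (or -fno-strict-overflow),
 * which defines signed overflow as two's-complement wrap so that the
 * original test keeps the meaning the programmer intended.
 */
int main(void)
{
    /* volatile keeps the compiler from constant-folding the call away. */
    volatile int len = INT_MAX, pad = 1;
    /* fits_ub's result depends on flags: gcc -O0 and gcc -O2 -fwrapv
     * typically print 0 (overflow caught), plain gcc -O2 typically prints 1
     * (check deleted). fits_safe prints 0 under every configuration. */
    printf("fits_ub:   %d\n", fits_ub(len, pad, INT_MAX));
    printf("fits_safe: %d\n", fits_safe(len, pad, INT_MAX));
    return 0;
}
```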
Publisher
Institute for System Programming of the Russian Academy of Sciences
Subject
Electrical and Electronic Engineering, Building and Construction
Cited by
1 article.