Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Your Compiler Can Compromise Application Security

Posted by Soulskill on from the my-compiler-levels-me-out dept.

jfruh writes "Most day-to-day programmers have only a general idea of how compilers transform human-readable code into the machine language that actually powers computers. In an attempt to streamline applications, many compilers actually remove code that it perceives to be undefined or unstable — and, as a research group at MIT has found, in doing so can make applications less secure. The good news is the researchers have developed a model and a static checker for identifying unstable code. Their checker is called STACK, and it currently works for checking C/C++ code. The idea is that it will warn programmers about unstable code in their applications, so they can fix it, rather than have the compiler simply leave it out. They also hope it will encourage compiler writers to rethink how they can optimize code in more secure ways. STACK was run against a number of systems written in C/C++ and it found 160 new bugs in the systems tested, including the Linux kernel (32 bugs found), Mozilla (3), Postgres (9) and Python (5). They also found that, of the 8,575 packages in the Debian Wheezy archive that contained C/C++ code, STACK detected at least one instance of unstable code in 3,471 of them, which, as the researchers write (PDF), 'suggests that unstable code is a widespread problem.'"

7 of 470 comments (clear)

  1. TFA does a poor job of defining what's happening by istartedi · · Score: 4, Insightful

    If my C code contains *foo=2, the compiler can't just leave that out. If my code contains if (foo) { *foo=2 } else { return EDUFUS; } it can verify that my code is checking for NULL pointers. That's nice; but the questions remain:

    What is "unstable code" and how can a compiler leave it out? If the compiler can leave it out, it's unreachable code and/or code that is devoid of semantics. No sane compiler can alter the semantics of your code, at least no compiler I would want to use. I'd rather set -Wall and get a warning.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  2. Re:Null pointer detection at compile time by Zero__Kelvin · · Score: 4, Insightful

    "For example, if a pointer is passed to a function, is the function allowed to dereference it without first checking it for NULL?"

    Of course it is, and it is supposed to be able to do so. If you were an embedded systems programmer you would know that, and also know why. Next you'll be complaining that languages allow infinite loops (again, a very useful thing to be able to do). C doesn't protect the programmer from himself, and that's by design. Compilers have switches for a reason. If they don't know how it is being built or what the purpose of the code is then they can't possibly determine with another program if the code is "unstable".

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  3. -Wall by Spazmania · · Score: 2, Insightful

    If I set -Wall and the compiler fails to warn me that it optimized out a piece of my code then the compiler is wrong. Period. Full stop.

    I don't care what "unstable" justification its authors gleaned from the standard, don't mess with my code without telling me you did so.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    1. Re:-Wall by Anonymous Coward · · Score: 3, Insightful

      If the compiler finds two constants it can combine then I've usually made a mistake in my code...

      Or it inlined a function for you. Or you indexed at a constant index (perhaps 0) into a global array. Or any number of other things that can arise naturally and implicitly.

      The compiler has a setting where it doesn't "mess with your code" -- it's called -O0.

  4. Re:PC Lint anyone? by EvanED · · Score: 4, Insightful

    Don't worry, the authors know what they're doing.

    Just because PC Lint could find a small number of potential bugs doesn't mean it's a solved problem by any means. Program analysis is still pretty crappy in general, and they made another improvement, just like tons of people before them, PC Lint before them, and tons of people before PC Lint.

  5. Re:Fix the C standard to not be so silly by seebs · · Score: 3, Insightful

    Pretty sure the embedded systems guys wouldn't be super supportive of this, and they're by far the largest market for C.

    And I just don't think these are big sources of trouble most of the time. If people would just go read Spencer's 10 Commandments for C Programmers, this would be pretty much solved.

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
  6. Re:TFA does a poor job of defining what's happenin by Old+Wolf · · Score: 4, Insightful

    >The dereference is undefined, and therefore

    Stop right here. Once undefined behaviour occurs, "all bets are off" as they say; the remaining code may have any behaviour whatsoever. C works like this on purpose , and it's something I agree with. It means the compiler doesn't have to insert screeds of extra checks , both at compile-time and run-time.

    There are plenty of other languages you can use if you want a different language definition :)