Slashdot Mirror


Overeager Compilers Can Open Security Holes In Your Code

jfruh writes: "Creators of compilers are in an arms race to improve performance. But according to a presentation at this week's annual USENIX conference, those performance boosts can undermine your code's security. For instance, a compiler might find a subroutine that checks a huge bound of memory beyond what's allocated to the program, decide it's an error, and eliminate it from the compiled machine code — even though it's a necessary defense against buffer overflow attacks."

15 of 199 comments

  1. old news from decades ago by iggymanz · Score: 4, Insightful

    well known for decades that optimizing compilers can produce bugs, security holes, code that doesn't work at all, etc.

    1. Re:old news from decades ago by NoNonAlphaCharsHere · Score: 5, Insightful

      That's why I always use a pessimizing compiler.

    2. Re:old news from decades ago by KiloByte · Score: 5, Insightful

      Or rather, that optimizing compilers can expose bugs in buggy code that weren't revealed by naive translation.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:old news from decades ago by Marillion · Score: 4, Insightful

      Right. The other part of the issue is why didn't anyone write a test to verify that the buffer overflow detection code actually detects when you overflow buffers?

      --
      This is a boring sig
    4. Re:old news from decades ago by AuMatar · Score: 3, Insightful

      Because it worked in debug mode (which generally has optimizations off)?
      Because it was tested on a compiler without this bug? The people writing the memory library are usually not the people writing the app that uses it.
      Similarly, it was tested on the same compiler, but with different compiler flags?
      Because that optimization didn't exist in the version of the compiler it was tested on?
      Because the test app had some code that made the compiler decide not to apply the optimization?
      Life is messy. Testing doesn't catch everything.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    5. Re:old news from decades ago by itzly · Score: 3, Interesting

      That's an example of a programmer not understanding the rules of a conforming C/C++ compiler. It should be fixed in the source, not in the compiler.

    6. Re:old news from decades ago by K. S. Kyosuke · Score: 3, Interesting

      I'd personally rather work in languages that are safe by default with optional (but available) extra performance/lower safety where explicitly instructed (the way Common Lisp does it, for example), rather than the other way around. I've come to the impression that most codebases would have fewer overrides in the former case rather than the latter. If you think the latter is preferable, what about all those bugs and security vulnerabilities we got "thanks" to that approach? Was it actually worth it?

      --
      Ezekiel 23:20
  2. Unstable Code, again by Anonymous Coward · Score: 5, Informative

    This is just as poorly written up as last time. These are truly bugs in the programs using undefined parts of the language. It's silly to blame the compiler.

  3. UNISEX conference by Mdk754 · Score: 5, Funny

    Wow, you know you're ready to go home when it's Friday afternoon and you read:

    But according to a presentation at this week's annual UNISEX conference

  4. Complete nonsense.... by Anonymous Coward · Score: 3, Insightful

    Any code removal by the compiler can be prevented by correctly coding the code with volatile (in C) or its equivalent.

  5. Bad summary is bad by werepants · Score: 4, Informative

    This is not really about the existence of bad compiler optimization - it is about a tool called Stack that can be used to detect this, which is known as "unstable" code, and has been used to find lots of vulnerabilities already.

  6. Old news by Anonymous Coward · Score: 4, Informative

    I know that at least GCC will get rid of overflow checks if they rely on checking the value after overflow (without any warning), because C defines that overflow on signed integers is undefined. This is even documented. If anything is declared by the language specification as being undefined, expect trouble.
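The two kinds of check the summary and this comment describe, as an added example that is not code from the original story or from any of the commenters. It puts the undefined-behaviour form of a signed-overflow check and of a pointer-bounds check beside forms that stay within defined behaviour. The `object` buffer and the `bounds_demo_safe` harness are assumptions made so the checks can be exercised stand-alone; the behaviour of the buggy forms under `-O2` is what GCC's `-fstrict-overflow` documentation describes, not something this file can assert.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* BUGGY: signed overflow is undefined, so GCC at -O2 (which implies
 * -fstrict-overflow) may treat `a + b < a` as impossible for b >= 0 and
 * compile the whole function down to `return 1;`. Kept for contrast. */
static int add_fits_buggy(int a, int b)
{
    return !(a + b < a);            /* assumes b >= 0 */
}

/* SAFE: compare against the limits before adding, so the addition that
 * would overflow is never performed. Handles negative b as well. */
static int add_fits_safe(int a, int b)
{
    if (b > 0)
        return a <= INT_MAX - b;
    return a >= INT_MIN - b;
}

/* BUGGY: forming `buf + len` when it lands outside the object is itself
 * undefined, so the compiler may assume the pointer did not wrap and
 * drop the first comparison; a huge `len` can then pass the check. */
static int in_bounds_buggy(const char *buf, size_t len, const char *end)
{
    return buf + len >= buf && buf + len <= end;
}

/* SAFE: reason about lengths, never about a pointer that may not exist.
 * Assumes buf <= end, which holds when the caller passes the start and
 * one-past-the-end of the same object. */
static int in_bounds_safe(const char *buf, size_t len, const char *end)
{
    return len <= (size_t)(end - buf);
}

/* Constructed 64-byte object so the bounds checks can be called without
 * any caller-supplied memory (assumption for this example). */
static char object[64];

static int bounds_demo_safe(size_t len)
{
    return in_bounds_safe(object, len, object + sizeof object);
}

static int bounds_demo_buggy(size_t len)
{
    return in_bounds_buggy(object, len, object + sizeof object);
}

/* Compile once with -O0 and once with -O2 and compare the output of the
 * "buggy" lines; the "safe" lines do not change. */
int main(void)
{
    printf("add  buggy INT_MAX+1: %d   safe: %d\n",
           add_fits_buggy(INT_MAX, 1), add_fits_safe(INT_MAX, 1));
    printf("bounds buggy len=SIZE_MAX-8: %d   safe: %d\n",
           bounds_demo_buggy(SIZE_MAX - 8), bounds_demo_safe(SIZE_MAX - 8));
    return 0;
}
```

On GCC 5 and later, `__builtin_add_overflow(a, b, &sum)` is the shortest correct spelling of the first check; `-fsanitize=undefined` or `-fwrapv` will make the buggy forms visible or defined respectively, but neither is a substitute for fixing the source.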

  7. Functionally correct, but insecure by Smerta · Score: 5, Insightful

    The classic example of a compiler interfering with intention, opening security holes, is failure to wipe memory.

    On a typical embedded system - if there is such a thing (no virtual memory, no paging, no L3 cache, no "secure memory" or vault or whatnot) - you might declare some local (stack-based) storage for plaintext, keys, etc. Then you do your business in the routine, and you return.

    The problem is that even though the stack frame has been "destroyed" upon return, the contents of the stack frame are still in memory, they're just not easily accessible. But any college freshman studying computer architecture knows how to get to this memory.

    So the routine is modified to wipe the local variables (e.g. array of uint8_t holding a key or whatever...) The problem is that the compiler is smart, and sees that no one reads back from the array after the wiping, so it decides that the observable behavior won't be affected if the wiping operation is elided.

    By making these local variables volatile, the compiler will not optimize away the wiping operations.

    The point is simply that there are plenty of ways code can be completely "correct" from a functional perspective, but nonetheless terribly insecure. And often the same source code, compiled with different optimization options, has different vulnerabilities.
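The wipe-that-gets-elided pattern from this comment, and the `volatile` remedy from comment 4, as an added example that is not code from the original post or its author. `naive_wipe` is the plain `memset` form; `secure_wipe` writes through a volatile-qualified pointer and `secure_wipe_fp` calls `memset` through a volatile function pointer, two portable ways of keeping the stores. The 16-byte `sample_key` and the `checksum_key_*` routines are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Wipe with plain memset. If nothing reads the buffer afterwards the
 * stores are dead, and an optimizer may remove them. Kept for contrast. */
static void naive_wipe(void *p, size_t n)
{
    memset(p, 0, n);
}

/* Wipe through a volatile-qualified pointer: every store is an access to
 * a volatile object, which the compiler must perform and keep in order. */
static void secure_wipe(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--)
        *vp++ = 0;
}

/* Alternative: call memset through a volatile function pointer. The
 * compiler cannot prove which function is called, so it cannot drop it. */
static void *(*volatile memset_vp)(void *, int, size_t) = memset;

static void secure_wipe_fp(void *p, size_t n)
{
    memset_vp(p, 0, n);
}

/* Constructed sample key material (bytes 1..16, sum 136). */
static const uint8_t sample_key[16] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};

/* The routine from the post: copy a secret into a local, use it, wipe it,
 * return. With naive_wipe, `gcc -O2 -S` shows no memset and no stores to
 * `key` after the loop, because `key` is never read again. */
static int checksum_key_naive(const uint8_t *in)
{
    uint8_t key[16];
    int sum = 0;
    memcpy(key, in, sizeof key);
    for (size_t i = 0; i < sizeof key; i++)
        sum += key[i];
    naive_wipe(key, sizeof key);     /* dead store: may be elided */
    return sum;
}

/* Same routine with the volatile wipe: the zeroing stores survive -O2. */
static int checksum_key_secure(const uint8_t *in)
{
    uint8_t key[16];
    int sum = 0;
    memcpy(key, in, sizeof key);
    for (size_t i = 0; i < sizeof key; i++)
        sum += key[i];
    secure_wipe(key, sizeof key);    /* volatile stores: kept */
    return sum;
}

/* Functional check that a wipe routine zeroes the buffer it is given.
 * Note this reads the buffer back, so it cannot observe elision; it
 * only confirms the routines zero correctly when they do run. */
static size_t zero_bytes_after(void (*wipe)(void *, size_t))
{
    uint8_t buf[16];
    size_t zeros = 0;
    memset(buf, 0xAA, sizeof buf);
    wipe(buf, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++)
        zeros += (buf[i] == 0);
    return zeros;
}
```

The only reliable way to see the difference is to inspect the generated code (`gcc -O2 -S` and look for the stores after the loop), since any test that reads the buffer back makes the wipe live again. Where the platform provides one, a dedicated call is preferable to hand-rolled volatile loops: C11 Annex K `memset_s`, glibc/BSD `explicit_bzero`, Windows `SecureZeroMemory`. None of these address copies the compiler may have left in registers or other stack slots, which is a separate problem.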

  8. Re:Simple. by Desler · Score: 3, Insightful

    C became popular because it was vastly more portable and performant than its predecessors. It still is today. None of those "better" languages that came before it or after it can beat that. And yes, extreme portability does matter when you have 100s of millions if not billions of devices that can't run anything but assembly or C. It's why the people saying that OpenSSL should be written in Java or C# are morons. Care to tell me how that's going to run on, for example, a Linksys WRT54G with only 8 or 16 MB of RAM, 2 to 4 MB of Flash storage and a 125 to 240 MHz MIPS CPU? Yeah, it's not.

  9. Re:Simple. by Desler · Score: 3, Insightful

    Well I'd be pretty pissed as well if my pet language was relegated to the graveyard of obscurity by a language that was usable for real work. Dennis Ritchie was a pragmatist who got shit done not some guy wanking over the greatness and purity of the language he created. People to this day are still jealous of that.