
Preventing Vulnerabilities Caused by Optimization of Code with Undefined Behavior

Bibliographic Details
Published in: Programming and computer software 2022-12, Vol.48 (7), p.445-454
Main Authors: Baev, R. V., Skvortsov, L. V., Kudryashov, E. A., Buchatskiy, R. A., Zhuykov, R. A.
Format: Article
Language: English
Description
Summary: Sophisticated optimization in modern compilers can sometimes create vulnerabilities in program code as a result of optimization. The source of these vulnerabilities is in code with undefined behavior. Programmers use constructs with undefined behavior while relying on a particular behavior these constructs exhibited before in their practice. However, the compiler does not have to stick to that behavior and may change it if there is a need for code optimization because this behavior is not defined by language standards. This paper describes some approaches to the discovery and elimination of vulnerabilities caused by optimization in the case where the source code is available, but its modification is undesirable or impossible. We propose the concept of a safe compiler (i.e., a compiler that guarantees that no vulnerability is brought into a program in the process of optimization). We describe the implementation of this compiler on top of GCC. The functionality of the safe compiler is implemented at three security levels, the applicability of which is discussed in this paper. The use of the safe compiler is illustrated on real-world codebases with the estimation of possible performance losses.
ISSN: 0361-7688, 1608-3261
DOI: 10.1134/S0361768822070027