Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

Prevention of vulnerabilities arising from optimization of code with Undefined Behavior

https://doi.org/10.15514/ISPRAS-2021-33(4)-14

Abstract

Aggressive optimization in modern compilers may uncover vulnerabilities in program code that did not lead to bugs prior to optimization. The source of these vulnerabilities is code with undefined behavior. Programmers use such constructs relying on the particular behavior these constructs have shown in their past experience, but the compiler is not obliged to preserve that behavior and may change it whenever doing so enables an optimization, since the behavior is left undefined by the language standard. This article describes approaches to detecting and eliminating vulnerabilities arising from optimization in the case where source code is available but its modification is undesirable or impossible. The concept of a safe compiler (i.e. a compiler that ensures no vulnerability is added to the program during optimization) is presented, and an implementation of such a compiler on top of GCC is described. The safe compiler's functionality is divided into three security levels, whose applicability is discussed in the article. The feasibility of using the safe compiler on real-world codebases is demonstrated and the possible performance losses are estimated.
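The kind of code the abstract refers to, as an added illustration that is not taken from the paper or its safe-compiler implementation: two common guards written in terms of undefined behavior (signed overflow wrap-around, out-of-object pointer comparison), each beside a well-defined rewrite that an optimizer cannot fold away. GCC's stock `-fwrapv` flag makes the first pattern defined; it is mentioned here as an existing GCC option, not as the mechanism of the safe compiler described in the article.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Pattern 1 as often written: add first, detect overflow by wrap-around.
 * Signed overflow is undefined in C, so at -O2 GCC may assume `sum` can
 * never be smaller than `a` and fold the whole test to `false`.
 * (Constructed illustration; compare -O0, -O2 and -O2 -fwrapv.) */
bool add_overflowed_ub(int a, int b) {
    int sum = a + b;                        /* UB when the result does not fit */
    return (b > 0 && sum < a) || (b < 0 && sum > a);
}

/* Pattern 1, well-defined: decide before the operation using INT_MAX/INT_MIN,
 * so no undefined arithmetic is performed and nothing can be folded away. */
bool add_would_overflow(int a, int b) {
    return (b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b);
}

/* Pattern 2, UB-dependent bounds check: forms `p + len` and tests for wrap.
 * Pointer arithmetic past the object is undefined, so `p + len >= p` may be
 * treated as always true and the guard disappears, leaving an overread. */
bool in_bounds_ub(const char *buf, size_t buflen, size_t off, size_t len) {
    const char *p = buf + off;              /* UB if off > buflen */
    return p + len >= p && p + len <= buf + buflen;
}

/* Pattern 2, well-defined: compare sizes only; never form an out-of-range pointer. */
bool in_bounds(size_t buflen, size_t off, size_t len) {
    return off <= buflen && len <= buflen - off;
}

int main(void) {
    char buf[16];                           /* only its address is used below */
    printf("add_would_overflow(INT_MAX, 1) = %d\n", add_would_overflow(INT_MAX, 1));
    printf("in_bounds(16, 8, 8) = %d, in_bounds(16, 8, 9) = %d\n",
           in_bounds(16, 8, 8), in_bounds(16, 8, 9));
    /* The UB-based variants agree with the defined ones only while no UB occurs: */
    printf("in_bounds_ub(buf, 16, 8, 8) = %d\n", in_bounds_ub(buf, 16, 8, 8));
    return 0;
}
```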

About the Authors

Roman Vyacheslavovich BAEV
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation

Researcher in Compiler Technology department



Leonid Vladlenovich SKVORTSOV
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation

Researcher in Compiler Technology department



Evgeny Alekseevich KUDRYASHOV
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation

Researcher in Compiler Technology department



Ruben Arturovich BUCHATSKIY
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation

Researcher in Compiler Technology department



Roman Aleksandrovich ZHUYKOV
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation

Researcher in Compiler Technology department




For citation:


BAEV R.V., SKVORTSOV L.V., KUDRYASHOV E.A., BUCHATSKIY R.A., ZHUYKOV R.A. Prevention of vulnerabilities arising from optimization of code with Undefined Behavior. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2021;33(4):195-210. (In Russ.) https://doi.org/10.15514/ISPRAS-2021-33(4)-14



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)