Secure coding is a big topic of conversation these days. A lot of developers are learning (or re-learning) how to write secure application code. So far, so good.
Here’s something to ponder: What if you put security into your code but your compiler took it out without you realizing it? That’s exactly what’s happening when you use most compilers on the market, according to researchers at MIT as disclosed in a paper they presented earlier this month – it is very good reading for coders.
The compiler isn’t trying to be nefarious – just efficient. You see, the compiler is trying to help you by applying optimization principles designed to remove inefficient or unused code from its compiled output. And it’s doing so according the recognized standards.
Here is a good example from the paper:
To understand unstable code, consider the pointer over-flow check buf + len < buf shown in Figure 1, where buf is a pointer and len is a positive integer.
The programmer’s intention is to catch the case when len is so large that buf + len wraps around and bypasses the first check in Figure 1. We have found similar checks in a number of systems, including the Chromium browser, the Linux kernel, and the Python interpreter:
While this check appears to work with a flat address space, it fails on a segmented architecture. Therefore, the C standard states that an overflowed pointer is undefined, which allows gcc to simply assume that no pointer overflow ever occurs on any architecture.
Under this assumption, buf + len must be larger than buf and thus the “overflow” check always evaluates to false. Consequently, gcc removes the check, paving the way for an attack to the system.
Unfortunately this means the compiler sees some security operations — like null pointer checks, buffer overflow safeguards, and similar code — as being unnecessary, and it removes those checks. The result is “C compliant” compiled code that is also unstable, insecure object code.
Optimization-Unstable Code and How to Check for It
The term for this phenomenon is “optimization-unstable code” because the code itself isn’t the problem – the issues arise from the compiler’s optimization during the compilation process. The researchers estimate that a large percentage of applications are inadvertently less secure due to these compiler optimizations:
We estimate that unstable code exists in 40% of the 8,575 Debian Wheezy packages that contain C/C++ code. We also show that compilers are increasingly taking advantage of undefined behavior for optimizations, leading to more vulnerabilities related to unstable code.
The example above specifically mentions gcc, but the authors tested 12 popular compilers and found that all of them had issues – you can find that data in the research paper. The good news is the authors of the paper have also created a free tool to help you determine if your code (or code you rely on) has this issue. The tool is called “STACK,” it’s available now, and you can find out more about it from the authors’ web site at MIT. You can also grab the latest version from github.
git clone git://github.com/xiw/stack
Don’t let your compiler undermine your security – check out STACK.
- The Means and Motivations Behind Backdoor Hardware Attacks
- Top Five Hacker Tools Every CISO Should Understand
- Five More Hacker Tools Every CISO Should Understand
- Security Response Part 1: Don’t Shoot the Messenger
P.S. Have you met John Powers, supernatural CISO?