Sleeping with the /*Enemy*/ Compiler: Software Vulnerabilities Caused by Optimizations presented at ekopartySecurityConference 2018

by Daniel Gutson,

Summary : There are some techniques to avoid vulnerabilities, such as zeroing buffers placed in the stack before leaving functions; however, modern optimization techniques such as Death Store Elimination may lead the compiler think that the call is not necessary, thus removing it. In this talk I will present well known security-related software examples where compiler optimizations led to software vulnerabilities; I will also show a live toy example of exploiting a vulnerability caused by a compiler optimization; then I will show common workarounds such as OS-provided functions and other techniques; finally, I will introduce some compiler internals and invite people to contribute to mainstream compilers to avoid these situations with some ideas, such as enhanced diagnostics and code generation.