Finding Bugs Compiler Knows but Doesn't Tell You: Dissecting Undefined Behavior Optimizations in LLVM, presented at Black Hat Europe 2020

by Wei Liu, Zekai Wu, Mingyue Liang, Kai Song

Summary: "Undefined Behavior", such as signed integer overflow or dereferencing a null pointer, is an erroneous action that makes a program's behavior unpredictable. The language standard imposes no rules on how code for "Undefined Behavior" must be generated, so compiler writers may treat "Undefined Behavior" as "nasal demons" and do anything they choose.

We try to figure out how LLVM optimizes "Undefined Behavior" by digging into LLVM internals. We find that most "Undefined Behavior" can be recognized by the compiler, but the compiler prefers to optimize it away rather than emit a warning. This can hide "Undefined Behavior" bugs in programs, or even make the bugs more powerful during optimization.

We developed tools to look for these hidden "Undefined Behavior" bugs. We scanned Chrome and Android AOSP and found several security bugs. One of them was originally a seemingly negligible "null pointer dereference" bug in Chrome which, however, can be used to compromise the Chrome renderer. In this talk, we will share our exploitation techniques.
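The two optimizations the summary alludes to, a null check deleted because an earlier dereference already "proved" the pointer non-null, and an overflow check folded away because signed overflow "cannot happen", as a self-contained C example added here. It is not code from the talk or from the authors' scanning tools; the function names and the sample value are illustrative.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Sample input, constructed here for the demonstration. */
static int g_sample = 7;

/* Pattern 1: the pointer is dereferenced first and checked afterwards.
 * Because *p is undefined behavior when p is NULL, LLVM is entitled to
 * assume p != NULL after the load and delete the check below at -O2.
 * The bug is still in the source; it has merely become invisible. */
int first_elem_unchecked(const int *p)
{
    int first = *p;           /* UB if p == NULL */
    if (p == NULL)            /* dead under the compiler's UB reasoning */
        return -1;
    return first;
}

/* Hardened form: check before the dereference, so no UB precedes the
 * check and the compiler has no license to remove it. */
int first_elem_checked(const int *p)
{
    if (p == NULL)
        return -1;
    return *p;
}

/* Pattern 2: the overflow check is written after the overflow.
 * x + 1 is undefined when x == INT_MAX, so LLVM may fold "y < x" to
 * false; at -O2 this typically returns INT_MIN where -O0 returns -1. */
int next_unchecked(int x)
{
    int y = x + 1;            /* UB if x == INT_MAX */
    if (y < x)                /* may be folded to a constant 0 */
        return -1;
    return y;
}

/* Hardened form: compare against INT_MAX before adding. */
int next_checked(int x)
{
    if (x == INT_MAX)
        return -1;
    return x + 1;
}

int main(void)
{
    /* Build twice, with -O0 and with -O2, and compare the printed values.
     * Building with -fsanitize=undefined reports the overflow at run time. */
    printf("next_unchecked(INT_MAX)       = %d\n", next_unchecked(INT_MAX));
    printf("next_checked(INT_MAX)         = %d\n", next_checked(INT_MAX));
    printf("first_elem_checked(NULL)      = %d\n", first_elem_checked(NULL));
    printf("first_elem_checked(&g_sample) = %d\n", first_elem_checked(&g_sample));
    return 0;
}
```

To see the check disappear rather than infer it from output, emit the IR with `clang -O2 -S -emit-llvm` and look for the missing `icmp` in `first_elem_unchecked` and `next_unchecked`; with `-O0` both comparisons are still present. Note that `first_elem_unchecked(NULL)` crashes on the load at every optimization level, which is why the example never calls it with a null pointer; the dangerous case is code where the load is on a path that does not fault immediately and only the check was relied upon.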