How Your Compiler Can Compromise Application Security

jfruh writes "Most day-to-day programmers have only a general idea of how compilers transform human-readable code into the machine language that actually powers computers. In an attempt to streamline applications, many compilers actually remove code that they perceive to be undefined or unstable — and, as a research group at MIT has found, in doing so can make applications less secure. The good news is the researchers have developed a model and a static checker for identifying unstable code. Their checker is called STACK, and it currently works for checking C/C++ code. The idea is that it will warn programmers about unstable code in their applications, so they can fix it, rather than have the compiler simply leave it out. They also hope it will encourage compiler writers to rethink how they can optimize code in more secure ways. STACK was run against a number of systems written in C/C++ and it found 160 new bugs in the systems tested, including the Linux kernel (32 bugs found), Mozilla (3), Postgres (9) and Python (5). They also found that, of the 8,575 packages in the Debian Wheezy archive that contained C/C++ code, STACK detected at least one instance of unstable code in 3,471 of them, which, as the researchers write (PDF), 'suggests that unstable code is a widespread problem.'"

  • by Mitchell314 ( 1576581 ) on Tuesday October 29, 2013 @07:49PM (#45274775)
    Code with a finite half-life. Sometimes radiates when it decays. The byproducts tend to be hazardous to health, and most cause symptoms such as headaches, tremors, Carpal Tunnel Syndrome, and Acute Induced Tourette Syndrome. Handle with care. The Daily WTF has an emergency hotline if you or somebody you know has been exposed to unsafe levels of unstable code.
  • by Tablizer ( 95088 ) on Tuesday October 29, 2013 @07:52PM (#45274797) Journal

    many compilers actually remove code that they perceive to be undefined or unstable

    No wonder my app came out with 0 bytes.

  • by Cryacin ( 657549 ) on Tuesday October 29, 2013 @07:54PM (#45274811)
    So that's why you have to restart your computer. Gets rid of dangerous radiation from weapons grade baloneyum decay.
  • by belphegore ( 66832 ) on Tuesday October 29, 2013 @08:48PM (#45275207)

    Checked out their git repo and did a build. They have a couple sketchy-looking warnings in their own code. A reference to an undefined variable; storing a 35-bit value in a 32-bit variable...

    lglib.c:6896:7: warning: variable 'res' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
    lglib.c:6967:10: note: uninitialized use occurs here
    plingeling.c:456:17: warning: signed shift result (0x300000000) requires 35 bits to represent, but 'int' only has 32 bits [-Wshift-overflow]

  • by lgw ( 121541 ) on Tuesday October 29, 2013 @08:57PM (#45275291) Journal

    No, the compiler is allowed to do anything it damn well pleases wherever the standard calls behaviour "undefined". One of my favorite quotes ever from a standards discussion:

    When the compiler encounters [a given undefined construct] it is legal for it to make demons fly out of your nose

    Nasal demons can cause code instability.
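
The story summary describes compilers removing code whose result depends on undefined behavior. As an added example (not code from the story, the comments, or the STACK project), here are two common shapes of such unstable security checks next to stable rewrites; all function names and the 16-byte buffer are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Unstable: signed overflow is undefined, so an optimizer may assume
 * x + 100 never wraps and reduce this whole check to "return 0". */
int unstable_will_overflow(int x) {
    return x + 100 < x;
}

/* Stable: compares against the limit, so no overflowing add is evaluated. */
int stable_will_overflow(int x) {
    return x > INT_MAX - 100;
}

/* Unstable: computing buf + len beyond the object is undefined, so the
 * wraparound guard on the first line may be deleted as always false. */
int unstable_in_bounds(const char *buf, const char *end, size_t len) {
    if (buf + len < buf) return 0;
    return buf + len <= end;
}

/* Stable: compares len with the space left; no out-of-range pointer. */
int stable_in_bounds(const char *buf, const char *end, size_t len) {
    return len <= (size_t)(end - buf);
}

/* Constructed sample: a 16-byte buffer and an untrusted length field. */
static char packet[16];
int packet_len_ok(size_t len) {
    return stable_in_bounds(packet, packet + sizeof packet, len);
}

int main(void) {
    /* Only the stable forms are called; the unstable ones are kept for
     * comparing generated code, e.g. with and without optimization. */
    printf("INT_MAX overflows: %d\n", stable_will_overflow(INT_MAX));
    printf("len 16 ok: %d, len 17 ok: %d, len SIZE_MAX ok: %d\n",
           packet_len_ok(16), packet_len_ok(17), packet_len_ok((size_t)-1));
    return 0;
}
```

Comparing the assembly for the two unstable functions at different optimization levels shows whether a given compiler keeps or drops the checks.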
