G+_Neil Sedlak Posted November 21, 2013 Share Posted November 21, 2013 Regarding the discussion of compilers optimizing out security checks, I think Steve and Leo took it a little too far. This is problem of poorly written application code, not specifically an issue with compilers. Rather than removing valid security checks in the code, such as if pointer is NULL then generate an error, instead what is happening is the compiler is optimizing out poorly written code, which is written is such a way that it is classified as undefined behavior. Basically, if a coder did something really, really weird or overly clever that wasn't to standards, there is no defined behavior in the language specification for what the compiler should do with that code. Some compilers were ignoring the code because it wasn't written to the language specification. On the positive side, there is a nice tool written (http://css.csail.mit.edu/stack/) that you can run against your code to find where you were being too smart for your own good. http://www.itworld.com/security/380406/how-your-compiler-may-be-compromising-application-security http://www.itworld.com/security/380406/how-your-compiler-may-be-compromising-application-security Link to comment Share on other sites More sharing options...
Recommended Posts