from Hacker News

Low-Level Software Security for Compiler Developers

by struct on 2/18/23, 11:07 AM with 22 comments

  • by JonChesterfield on 2/18/23, 1:49 PM

    There's a tension here.

    Emitting 'secure' code almost always means emitting 'slower' code, and one of the few things compilers are assessed on is the performance of the code they generate.

    Compilers are built as a series of transformation passes. Normalisation is a big deal - if you can simplify N different patterns to the same thing, you only have to match that one canonical form later in the pipeline.

    So if one pass makes code slower/secure, later passes are apt to undo that transform and/or to miss other optimisations because the code no longer looks as expected.

    So while it is useful to know various make-it-secure transforms, which this book seems to cover, it's not at all obvious how to implement them without collateral damage.

    On a final note, compiler transforms are really easy to get wrong, so one should expect the implementation of these guards to be somewhat buggy, and those bugs themselves may introduce vulnerabilities.

  • by staunton on 2/18/23, 2:17 PM

    The vast majority of businesses choose speed over security and avoid investing in security since they can offload the cost of incidents to their users. One of the main reasons such "more secure tools" projects are interesting for users is that they provide an easy and cheap avenue towards claiming an effort towards security was made and avoiding liability. On one hand, such tools actually help make things secure, on the other hand, speed and ease of use (not security) being the top priorities, the effect is probably limited. People who care much more about security than average would not start a new project in C/C++ to begin with and where legacy code is involved, dealing with it is hard enough already without trying to "make it secure".

    The only way to really improve the level of security in the industry is to assign responsibility and damages to those who fail to implement it. So far, it seems all market participants are content with 90% of security concerns being addressed by security theater.

  • by tptacek on 2/18/23, 5:54 PM

    This is pretty great; they've done the work to produce useful capsule summaries of a bunch of memory safety topics (like forward- and backward-edge CFI, JOP, and PAC). Looking forward to seeing how far they can take it. The assembler snippets are useful and could be fleshed out more.

  • by vonimo on 2/18/23, 2:59 PM

    That was an excellent read. I look forward to enjoying their section on JIT compiler vulnerabilities, a whole fascinating topic in itself, when it is completed.

  • by _a_a_a_ on 2/18/23, 2:25 PM

    Compilers are an interest of mine so I'll read the article later, but I'm curious whether this is talking about C variety compilers which are generally unsafe, or compilers for managed languages which should never emit code allowing attacks (for some definition of 'never'). Which of these is this article/book discussing?