This paper explores computer security vulnerabilities that are generated inadvertently by a compiler. By using a novel approach of examining the assembly language and other intermediate files generated by the compilation process, it has been successfully demonstrated that the compiler’s processing of the high-level source code can create a vulnerable end product. Proper software assurance is intended to provide confidence that software is free from vulnerabilities, and compiler-induced vulnerabilities reduce this confidence level. The discovered vulnerabilities can be related to standard vulnerability classes, side channel attacks, undefined behavior, and persistent state violations. Additionally, the research revealed that the executable machine code generated by the compiler can differ in structure from the original source code due to simplifications and optimizations performed during the compilation process that cannot be disabled. This research examined both the open-source GNU C compiler and the Microsoft C/C++ compiler that is part of the Microsoft Visual Studio package. Both of these compilers are widely used and represent typical compilers in use today.
All Science Journal Classification (ASJC) codes
- Aerospace Engineering
- Computer Science Applications
- Electrical and Electronic Engineering