Evaluation of compiler-induced vulnerabilities

Michael J. Hohnka, Jodi A. Miller, Kenrick M. Dacumos, Timothy J. Fritton, Julia D. Erdley, Lyle N. Long

Research output: Contribution to journal › Article

Abstract

This paper explores computer security vulnerabilities that are generated inadvertently by a compiler. By using a novel approach of examining the assembly language and other intermediate files generated by the compilation process, it has been successfully demonstrated that the compiler’s processing of the high-level source code can create a vulnerable end product. Proper software assurance is intended to provide confidence that software is free from vulnerabilities, and compiler-induced vulnerabilities reduce this confidence level. The discovered vulnerabilities can be related to standard vulnerability classes, side channel attacks, undefined behavior, and persistent state violations. Additionally, the research revealed that the executable machine code generated by the compiler can differ in structure from the original source code due to simplifications and optimizations performed during the compilation process that cannot be disabled. This research examined both the open-source GNU C compiler and the Microsoft C/C++ compiler that is part of the Microsoft Visual Studio package. Both of these compilers are widely used and represent typical compilers in use today.

Original language: English (US)
Pages (from-to): 409-426
Number of pages: 18
Journal: Journal of Aerospace Information Systems
Volume: 16
Issue number: 10
State: Published - Jan 1 2019

All Science Journal Classification (ASJC) codes

  • Aerospace Engineering
  • Computer Science Applications
  • Electrical and Electronic Engineering

Cite this

Hohnka, M. J., Miller, J. A., Dacumos, K. M., Fritton, T. J., Erdley, J. D., & Long, L. N. (2019). Evaluation of compiler-induced vulnerabilities. Journal of Aerospace Information Systems, 16(10), 409-426. https://doi.org/10.2514/1.I010699