Abstract
Sanitizers are widely used compiler features that detect undefined behavior and resulting vulnerabilities by injecting runtime checks into programs. For better performance, sanitizers are often used in conjunction with optimization passes. But doing so combines two compiler features with conflicting objectives. While sanitizers want to expose undefined behavior, optimizers often exploit these same properties for performance. In this paper, we show that this clash can have serious consequences: optimizations can remove sanitizer failures, thereby hiding the presence of bugs or even introducing new ones. We present LookUB, a differential-Testing based framework for finding optimizer transformations that elide sanitizer failures. We used our method to find 17 such sanitizer-eliding optimizations in Clang. Next, we used static analysis and fuzzing to search for bugs in open-source projects that were previously hidden due to sanitizer-eliding optimizations. This led us to discover 20 new bugs in Linux Containers, libmpeg2, NTFS-3G, and WINE. Finally, we present an effective mitigation strategy based on a customization of the Clang optimizer with an overhead increase of 4%.
| Original language | English |
|---|---|
| Article number | 143 |
| Pages (from-to) | 907-927 |
| Number of pages | 21 |
| Journal | Proceedings of the ACM on Programming Languages |
| Volume | 7 |
| Issue number | PLDI |
| DOIs | |
| Publication status | Published - 6 Jun 2023 |
Bibliographical note
Publisher Copyright:© 2023 Owner/Author.
Funding
This work was supported by EKZ through the AVR Memo project, by Intel Corporation through the Allocamelus project, and by NWO through projects Theseus, INTERSECT, and Vulcan.
| Funders | Funder number |
|---|---|
| Nederlandse Organisatie voor Wetenschappelijk Onderzoek | Theseus, INTERSECT, Vulcan (VI.Veni.202.212) |
Keywords
- Fuzzing
- Optimizations
- Sanitizers