Automatically Detecting and Surviving Exploitable Compiler Bugs

Lead Research Organisation: Imperial College London
Department Name: Dept of Computing

Abstract

The focus of this proposal is on the detection and survival of wrong code compiler defects, which we argue present a cyber-security threat that has been largely ignored to date. First, incorrectly compiled code can introduce exploitable vulnerabilities that are not visible at the source code level, and thus cannot be detected by source-level static analysers. Second, incorrectly compiled code can undermine the reliability of the application, which can have dramatic repercussions in the context of safety-critical systems. Third, wrong code compiler defects can also be the target of some of the most insidious security attacks. A crafty attacker posing as an open source developer can introduce a compiler-bug-based backdoor into a security-critical application by adding a patch that looks perfectly innocent but which, when compiled with a certain compiler, yields binary code that allows the attacker to compromise the software.

In this project, we aim to explore automated techniques that can detect and prevent such problems. In particular, we plan to investigate techniques for automatically finding compiler-induced vulnerabilities in real software, approaches for understanding the extent to which an attacker could maliciously modify an application to create a compiler-induced vulnerability, and methods for preventing such vulnerabilities at runtime.

Planned Impact

The project has high potential for industrial impact, with associated economic and societal benefits, by improving the quality of developer tools and enabling more rapid development of reliable software on which businesses and end-users depend. Industrial beneficiaries include companies specialising in compiler development, such as Codeplay and PGI Compilers & Tools; suppliers of compiler test suites, including Solid Sands, NULLSTONE and Plum Hall; larger corporations that undertake significant compiler development work, such as AdaCore, AMD, Apple, ARM, Google, Imagination Technologies, Intel, Microsoft, NVIDIA, Oracle, Qualcomm, Xilinx; and companies that build high-assurance software or software analysis tools that in turn depend upon reliable compilers, such as AbsInt, Altran and TrustInSoft. Many of these companies, including Codeplay, ARM, Imagination Technologies, Google, Microsoft and Oracle, have strong bases in the UK. More broadly, our impact on the Clang and GCC infrastructures---which we propose to study in detail during the project---will have significant benefits for the large communities of associated users.

Our pathways to impact, detailed in a separate document, include (1) technology transfer to industry via direct engagement with industrial project partners Altran and Codeplay, (2) visiting other potential industrial beneficiaries such as ARM, Imagination Technologies, AdaCore, Google and Microsoft, (3) open sourcing our prototypes and applying them to large open-source code bases, (4) participating in industry-focused events, (5) writing developer-focused articles and recording research videos to reach a broader audience, (6) incorporating our case studies in our undergraduate teaching and Master's projects, (7) communicating our research to the public via outreach activities and (8) applying for further funding from schemes designed to support impact activities.

Publications

Description

Recent years have seen significant research on automatic techniques for finding compiler defects. However, their practical impact has barely been assessed. We have conducted an empirical study examining the compilation of more than 11 million lines of C/C++ code from 318 Debian packages, using 45 historical bugs in the Clang/LLVM compiler, found either by four distinct fuzzers or by the Alive formal verification tool. Preliminary results show that almost half of the fuzzer-found bugs propagate to the generated binaries for some packages, but never cause application test suite failures, suggesting that more research is needed to understand the impact of these bugs in practice.

Exploitation Route

Our results could be used by the developers of techniques for finding compiler defects to improve their techniques, and by practitioners to understand the impact of compiler bugs on their software products.

Sectors

Digital/Communication/Information Technologies (including Software)