
Don’t Look UB: Exposing Sanitizer-Eliding Compiler Optimizations

Published: 06 June 2023

Abstract

Sanitizers are widely used compiler features that detect undefined behavior and resulting vulnerabilities by injecting runtime checks into programs. For better performance, sanitizers are often used in conjunction with optimization passes. But doing so combines two compiler features with conflicting objectives. While sanitizers want to expose undefined behavior, optimizers often exploit these same properties for performance. In this paper, we show that this clash can have serious consequences: optimizations can remove sanitizer failures, thereby hiding the presence of bugs or even introducing new ones.
We present LookUB, a differential-testing-based framework for finding optimizer transformations that elide sanitizer failures. We used our method to find 17 such sanitizer-eliding optimizations in Clang. Next, we used static analysis and fuzzing to search for bugs in open-source projects that were previously hidden by sanitizer-eliding optimizations. This led us to discover 20 new bugs in Linux Containers, libmpeg2, NTFS-3G, and WINE. Finally, we present an effective mitigation strategy based on a customization of the Clang optimizer, with an overhead increase of 4%.


Cited By

  • (2024) Boosting Compiler Testing by Injecting Real-World Code. Proceedings of the ACM on Programming Languages, 8(PLDI), 223–245. https://doi.org/10.1145/3656386. Online publication date: 20 June 2024.


Published In

Proceedings of the ACM on Programming Languages, Volume 7, Issue PLDI
June 2023, 2020 pages
EISSN: 2475-1421
DOI: 10.1145/3554310
This work is licensed under a Creative Commons Attribution 4.0 International License.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Fuzzing
    2. Optimizations
    3. Sanitizers

    Qualifiers

    • Research-article

Article Metrics

    • Downloads (Last 12 months)492
    • Downloads (Last 6 weeks)70
    Reflects downloads up to 16 Nov 2024