Secure C Compiler Research

Static analysis tools can be used during testing and maintenance to detect security flaws that can result in vulnerabilities. These products provide some assistance with preventing buffer overflows, but none certifies that all buffer overflows are detected and prevented. These products do much more than check for buffer overflows, however: they detect bugs, catch other security problems, and enforce coding standards. For example, LDRA and other static analysis tool vendors have implemented code checkers to diagnose violations of such coding standards in C and C++ source code.

For any solution to make a significant difference in the reliability of the software infrastructure, the methods must be incorporated into tools that working programmers are using to build their applications.

Compiler producers constitute a segment of the software production supply chain, one that is quite different from the quality-tools producers. Each hardware company typically maintains some number of compiler groups, as do several of the large software producers. There are several specialized compiler producers. In addition, there is a significant community of individuals and companies that support the open-source GNU Compiler Collection (GCC). Adding these various groups together, we estimate that there are well over 100 compiler vendors.

Safe Secure C/C++ (SSCC) was designed to eliminate several important classes of vulnerabilities, including writing outside the bounds of an object (e.g., buffer overflow), reading outside the bounds of an object, and arbitrary reads/writes (e.g., wild-pointer stores). The buffer overflow problem, for example, is solved using static analysis for issues that can be resolved at compile and link time, and dynamic analysis using highly optimized code sequences for issues that can be resolved only at runtime.

To encourage adoption of the SSCC methods into working compilers, the CERT Secure Coding Initiative proposes extending ROSE to perform the SSCC analysis methods and produce an advice file for the platform-dependent compiler. The structure of such a tool was first proposed as a method for providing optimization advice from a front-end source analysis tool to a platform-dependent back-end compiler. For example, the modified ROSE tool can advise the back-end compilers to “verify that pointer p is less than a+1000, just before the expression at line 21 token 7” or “insert 5 elements of padding after the array a declared at line 31 token 3.”
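The two kinds of advice quoted above, written out as an added C example (not code from SSCC, ROSE, or the CERT project): a constant index is resolved statically with no runtime cost, an index that arrives at runtime gets the "verify that p is less than a+1000" check placed immediately before the store, and the array carries the advised 5 elements of trailing padding. The names `padded_a`, `checked_store` and `checked_fill` are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

#define A_LEN 1000   /* bound of array a, known to the advisor */
#define PAD   5      /* "insert 5 elements of padding after the array a" */

/* Array with the advised trailing padding: a small overrun lands in pad
 * rather than in the neighbouring object (defence in depth, not a fix). */
struct padded_a {
    int a[A_LEN];
    int pad[PAD];
};

/* Compile-time case: the index is a constant, so the front end resolves
 * the bound statically and no runtime check needs to be emitted. */
#define CONST_IDX 999
_Static_assert(CONST_IDX < A_LEN, "constant index resolved at compile time");

/* Runtime case: idx comes from input, so the check is placed just before
 * the store. With p = a + idx, "p < a + 1000" is exactly "idx < A_LEN";
 * checking the index avoids forming an out-of-range pointer at all.
 * Returns false and writes nothing when the store would be out of bounds. */
bool checked_store(struct padded_a *buf, size_t idx, int value)
{
    if (!(idx < A_LEN)) {
        return false;               /* reject instead of overflowing */
    }
    int *p = buf->a + idx;
    *p = value;
    return true;
}

/* Copies count values from src into buf->a starting at index start and
 * stops at the first store the check rejects. Returns the number written,
 * so a caller can detect a truncated copy rather than a silent overflow. */
size_t checked_fill(struct padded_a *buf, size_t start,
                    const int *src, size_t count)
{
    size_t written = 0;
    for (size_t i = 0; i < count; i++) {
        if (!checked_store(buf, start + i, src[i])) {
            break;
        }
        written++;
    }
    return written;
}
```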

Along with the ROSE Advisor, a pre-linker is also required to read and process the full collection of bounds-data files from all components of the application being compiled and linked. The resulting system is illustrated below.

Figure: ROSE Advisor Design


Last updated April 1, 2010