
Getting compilers right: a reliable foundation for secure software - matt_d
https://www.microsoft.com/en-us/research/blog/getting-compilers-right-secure-software/
======
pcwalton
For C and C++, the cost of proving a compiler correct seems hugely out of
proportion to the actual benefit gained from doing so. Most critical security
bugs in C++ code are found in code that _the compiler had no obligations
whatsoever to compile "properly"_, because they are the result of undefined
behavior (use after free, buffer overflows, stray writes, etc.). A perfect,
proven-correct C++ compiler would do nothing to protect against any of the
famous vulnerabilities you've heard of. Even the famous "null check eliminated
by a GCC optimization" Linux kernel bug would be unaffected, as that was a
_valid_ optimization per the language definition.

By contrast, I think JavaScript VMs are the target of miscompilation attacks
many orders of magnitude more often than C++ compilers are. They actually
have to compile untrusted and hostile code. A miscompilation can be
disastrous, and in fact actual browser vulnerabilities have traced back to
incorrect JS compilation. So I feel this impressive research might have a more
practical impact if applied to JS (or WebAssembly!)

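The dereference-then-check pattern behind the "null check eliminated by a GCC optimization" bug pcwalton mentions, as an added example: this is not code from the thread or from the kernel, and the struct and function names (`conn`, `dev`, `poll_unsafe`, `poll_safe`) are invented for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not from the thread or from the kernel. The struct names
 * and helper functions are made up to illustrate the pattern. */
struct conn { int fd; };
struct dev  { struct conn *c; };

/* The shape of the bug: the pointer is dereferenced on one line and tested
 * for NULL on the next. Reading through a null pointer is undefined
 * behaviour, so a conforming optimiser may infer "c is non-null here" from
 * the read and delete the following `if`, turning a controlled error return
 * into a null dereference. That transformation is not a miscompilation; a
 * proven-correct compiler is allowed to do exactly the same thing. */
int poll_unsafe(struct dev *d)
{
    struct conn *c = d->c;
    int fd = c->fd;          /* dereference first: UB when c == NULL */
    if (!c)                  /* check after use: legally removable */
        return -1;
    return fd;
}

/* Fixed ordering: test before touching. The check now decides whether the
 * load happens at all, so no optimisation can remove it. */
int poll_safe(struct dev *d)
{
    struct conn *c = d->c;
    if (!c)
        return -1;
    return c->fd;
}

int main(void)
{
    struct conn c = { 42 };
    struct dev  with    = { &c };
    struct dev  without = { NULL };

    printf("safe,   valid conn: %d\n", poll_safe(&with));     /* 42 */
    printf("safe,   NULL conn:  %d\n", poll_safe(&without));  /* -1 */
    printf("unsafe, valid conn: %d\n", poll_unsafe(&with));   /* 42 */
    /* poll_unsafe(&without) is deliberately not called: its behaviour is
     * undefined, and with GCC at -O2 the NULL branch is normally removed. */
    return 0;
}
```

Compiling with `gcc -O2 -S` and reading the output for `poll_unsafe` shows the `if (!c)` branch gone, while `poll_safe` keeps it. GCC's `-fno-delete-null-pointer-checks` disables this particular optimisation (the Linux kernel builds with it), but that only papers over one instance of the general point: the language gives the compiler no obligation here.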
~~~
ot
If you look at the actual papers [1, 2] they don't mention security even once.
I believe the security angle was just a PR spin added to the blog post.

This is a tool for compiler writers to reason about the correctness of
optimizations, and as such I believe it is useful to unlock more and more
sophisticated optimization techniques. I agree that this has no impact on
secure code.

[1]
[https://www.cs.utah.edu/~regehr/papers/pldi15.pdf](https://www.cs.utah.edu/~regehr/papers/pldi15.pdf)

[2] [https://www.microsoft.com/en-us/research/wp-content/uploads/...](https://www.microsoft.com/en-us/research/wp-content/uploads/2017/06/undef-pldi17.pdf)

~~~
pcwalton
Yeah, as a testcase generator that sounds useful to help compiler developers
move faster.

------
nickpsecurity
CompCert, CakeML, Simpl/C, VeLLVM, and SPARK Ada are the related reading for
those interested in this sort of thing. The others naturally fit the topic
with SPARK being a mature tool for verifying imperative algorithms.

