UC San Diego

Compilers are at the foundation of software security. On the one hand, compilers are an ideal place to secure software due to their knowledge of the programs under protection and their minimal requirements of developer efforts. We designed and implemented a highly efficient compiler-based Control-Flow Integrity (CFI) scheme for C++ virtual calls. The scheme introduces minimal performance and code bloat overhead even for programs that use virtual calls heavily, which make it more likely to be deployed to real-world programs that have strict requirements on performance and code size. On the other hand, compilers can also be detrimental to software security. We explored this direction by investigating the security implications of the dead store elimination (DSE), a common compiler optimization, and the existing strategies devised to prevent DSE from affecting the security of software. We found that none of the existing strategies are both guaranteed to work and universally available and many of them are flawed, which lead to the security vulnerabilities in some of the most popular security-related programs and libraries we surveyed.