SlideShare a Scribd company logo

Undefined Behavior and Compiler Optimizations (NDC Oslo 2018)

Patricia Aas, profile picture
Patricia Aas

This document summarizes Patricia Aas' presentation on secure programming practices in C++. It introduces Patricia and her background programming mainly in C++. The presentation covers topics like undefined behavior, compiler optimizations, and examples of insecure code. It provides code samples to demonstrate undefined behavior and how compilers can remove code meant to clear buffers due to optimizations. It recommends using functions like memset_s or SecureZeroMemory to clear sensitive information instead.

Software
1 of 16
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
@pati_gallardo
Secure Programming Practices in C++ @pati_gallardo Patricia Aas NDC { Oslo } 2018
Patricia Aas - Vivaldi Browser Programmer - mainly in C++ Currently : Vivaldi Technologies Previously : Cisco Systems, Knowit, Opera Software Master in Computer Science Twitter : @pati_gallardo Photos: pixabay.com - CC0
Undefined Behavior Compiler Optimizations @pati_gallardo
@pati_gallardo Undefined Behaviour
undefined behavior “Examples of undefined behavior are memory accesses outside of array bounds, signed integer overflow, null pointer dereference, modification of the same scalar more than once in an expression without sequence points, access to an object through a pointer of a different type, etc. Compilers are not required to diagnose undefined behavior (although many simple situations are diagnosed), and the compiled program is not required to do anything meaningful.” http://en.cppreference.com/w/cpp/language/ub @pati_gallardo
- Don’t reason about undefined behaviour - Assume that it crashes or is never executed - Changing compiler, compiler version or optimization level can break your application Undefined Behaviour
Infinite Loop (Undefined Behavior) #include <iostream> #include <complex> using namespace std; int main(void) { complex<int> delta; complex<int> mc[4] = {0}; for(int di = 0; di < 4; di++, delta = mc[di]) { cout << di << endl; } } @pati_gallardo (Thanks to @shafikyaghmour) https://stackoverflow.com/questions/32506643/c-compilation-bug Undefined Behavior!
Infinite Loop (Undefined Behavior) Can we run it? https://godbolt.org/g/TDjM8h @pati_gallardo (Thanks to @shafikyaghmour) https://stackoverflow.com/questions/32506643/c-compilation-bug
@pati_gallardo Compiler Optimization
@pati_gallardo The Case Of The Disappearing Memset
0) CWE-14: Compiler Removal of Code to Clear Buffers void GetData(char *MFAddr) { char pwd[64]; if (GetPasswordFromUser(pwd, sizeof(pwd))) { if (ConnectToMainframe(MFAddr, pwd)) { // Interaction with mainframe } } memset(pwd, 0, sizeof(pwd)); // <- Removed by the optimizer } @pati_gallardo SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources
0) CWE-14: Compiler Removal of Code to Clear Buffers Should we Godbolt this? https://godbolt.org/g/FpEsht @pati_gallardo SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources
Memset_s : Zeroing Memory // Compliant Solution (C11) memset_s(pwd, 0, sizeof(pwd)); // Windows Solution SecureZeroMemory(pwd, sizeof(pwd)); @pati_gallardo SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources
Code is on GitHub: https://github.com/patricia-gallardo/insecure-coding-examples @pati_gallardo
@pati_gallardo

More Related Content

PDF
I love Automation
Takayuki Miyauchi
 
PDF
How to send gzipped requests with boto3
Luciano Mammino
 
PDF
clara-rules
Ikuru Kanuma
 
PDF
V8 javascript engine for フロントエンドデベロッパー
Taketoshi 青野健利
 
PDF
QCon São Paulo 2018
Augusto Afonso Borges Branquinho
 
PDF
Locarise,reagent and JavaScript Libraries
Ikuru Kanuma
 
PDF
Android 触って AWS 触って TV のお知らせ
Tomoo Amano
 
PDF
Traefik on google kubernetes engine
Manuel Zapf
 
I love Automation
Takayuki Miyauchi
 
How to send gzipped requests with boto3
Luciano Mammino
 
clara-rules
Ikuru Kanuma
 
V8 javascript engine for フロントエンドデベロッパー
Taketoshi 青野健利
 
QCon São Paulo 2018
Augusto Afonso Borges Branquinho
 
Locarise,reagent and JavaScript Libraries
Ikuru Kanuma
 
Android 触って AWS 触って TV のお知らせ
Tomoo Amano
 
Traefik on google kubernetes engine
Manuel Zapf
 

Similar to Undefined Behavior and Compiler Optimizations (NDC Oslo 2018) (20)

PDF
C++ The Principles of Most Surprise
Patricia Aas
 
PDF
Secure Programming Practices in C++ (NDC Oslo 2018)
Patricia Aas
 
PDF
Finding target for hacking on internet is now easier
David Thomas
 
PPTX
Developing with the Go client for Apache Kafka
Joe Stein
 
PDF
Middy.js - A powerful Node.js middleware framework for your lambdas​
Luciano Mammino
 
PDF
Docker and Django Meet For A Tango - London Meetup
frentrup
 
PDF
Letswift18 워크숍#1 스위프트 클린코드와 코드리뷰
Jung Kim
 
PDF
Microservices Application Tracing Standards and Simulators - Adrians at OSCON
Adrian Cockcroft
 
PDF
Querying 1.8 billion reddit comments with python
Daniel Rodriguez
 
PPTX
drupal ci cd concept cornel univercity.pptx
rukuntravel
 
ZIP
Google Developer Fest 2010
Chris Ramsdale
 
PDF
#MBLTdev: Разработка первоклассных SDK для Android (Twitter)
e-Legion
 
PPTX
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP
 
PPTX
Azure from scratch part 4
Girish Kalamati
 
PDF
Cleaning your architecture with android architecture components
Debora Gomez Bertoli
 
ZIP
Building Web Apps Sanely - EclipseCon 2010
Chris Ramsdale
 
PDF
Breaking Dependencies Legacy Code - Cork Software Crafters - September 2019
Paulo Clavijo
 
PPTX
Golang 101 for IT-Pros - Cisco Live Orlando 2018 - DEVNET-1808
Cisco DevNet
 
PPTX
Expanding APIs beyond the Web
Tim Messerschmidt
 
PDF
Security Tips to run Docker in Production
Gianluca Arbezzano
 
C++ The Principles of Most Surprise
Patricia Aas
 
Secure Programming Practices in C++ (NDC Oslo 2018)
Patricia Aas
 
Finding target for hacking on internet is now easier
David Thomas
 
Developing with the Go client for Apache Kafka
Joe Stein
 
Middy.js - A powerful Node.js middleware framework for your lambdas​
Luciano Mammino
 
Docker and Django Meet For A Tango - London Meetup
frentrup
 
Letswift18 워크숍#1 스위프트 클린코드와 코드리뷰
Jung Kim
 
Microservices Application Tracing Standards and Simulators - Adrians at OSCON
Adrian Cockcroft
 
Querying 1.8 billion reddit comments with python
Daniel Rodriguez
 
drupal ci cd concept cornel univercity.pptx
rukuntravel
 
Google Developer Fest 2010
Chris Ramsdale
 
#MBLTdev: Разработка первоклассных SDK для Android (Twitter)
e-Legion
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP
 
Azure from scratch part 4
Girish Kalamati
 
Cleaning your architecture with android architecture components
Debora Gomez Bertoli
 
Building Web Apps Sanely - EclipseCon 2010
Chris Ramsdale
 
Breaking Dependencies Legacy Code - Cork Software Crafters - September 2019
Paulo Clavijo
 
Golang 101 for IT-Pros - Cisco Live Orlando 2018 - DEVNET-1808
Cisco DevNet
 
Expanding APIs beyond the Web
Tim Messerschmidt
 
Security Tips to run Docker in Production
Gianluca Arbezzano
 
Ad

More from Patricia Aas (20)

PDF
The fundamental misunderstanding in Team Topologies
Patricia Aas
 
PDF
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
Patricia Aas
 
PDF
Telling a story
Patricia Aas
 
PDF
Return Oriented Programming, an introduction
Patricia Aas
 
PDF
I can't work like this (KDE Academy Keynote 2021)
Patricia Aas
 
PDF
Dependency Management in C++ (NDC TechTown 2021)
Patricia Aas
 
PDF
Introduction to Memory Exploitation (Meeting C++ 2021)
Patricia Aas
 
PDF
Classic Vulnerabilities (MUCplusplus2022).pdf
Patricia Aas
 
PDF
Classic Vulnerabilities (ACCU Keynote 2022)
Patricia Aas
 
PDF
Introduction to Memory Exploitation (CppEurope 2021)
Patricia Aas
 
PDF
Thoughts On Learning A New Programming Language
Patricia Aas
 
PDF
Trying to build an Open Source browser in 2020
Patricia Aas
 
PDF
Trying to build an Open Source browser in 2020
Patricia Aas
 
PDF
DevSecOps for Developers, How To Start (ETC 2020)
Patricia Aas
 
PDF
The Anatomy of an Exploit (NDC TechTown 2019)
Patricia Aas
 
PDF
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Patricia Aas
 
PDF
The Anatomy of an Exploit (NDC TechTown 2019))
Patricia Aas
 
PDF
Elections, Trust and Critical Infrastructure (NDC TechTown)
Patricia Aas
 
PDF
Survival Tips for Women in Tech (JavaZone 2019)
Patricia Aas
 
PDF
Embedded Ethics (EuroBSDcon 2019)
Patricia Aas
 
The fundamental misunderstanding in Team Topologies
Patricia Aas
 
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
Patricia Aas
 
Telling a story
Patricia Aas
 
Return Oriented Programming, an introduction
Patricia Aas
 
I can't work like this (KDE Academy Keynote 2021)
Patricia Aas
 
Dependency Management in C++ (NDC TechTown 2021)
Patricia Aas
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Patricia Aas
 
Classic Vulnerabilities (MUCplusplus2022).pdf
Patricia Aas
 
Classic Vulnerabilities (ACCU Keynote 2022)
Patricia Aas
 
Introduction to Memory Exploitation (CppEurope 2021)
Patricia Aas
 
Thoughts On Learning A New Programming Language
Patricia Aas
 
Trying to build an Open Source browser in 2020
Patricia Aas
 
Trying to build an Open Source browser in 2020
Patricia Aas
 
DevSecOps for Developers, How To Start (ETC 2020)
Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019)
Patricia Aas
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019))
Patricia Aas
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Patricia Aas
 
Survival Tips for Women in Tech (JavaZone 2019)
Patricia Aas
 
Embedded Ethics (EuroBSDcon 2019)
Patricia Aas
 
Ad

Recently uploaded (20)

PDF
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PPTX
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
AI in Product Development-omnex systems
omnex systems
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
Transform Your Business with a Software ERP System
Canada Software Company
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
Introduction to Artificial Intelligence
lohedi9363
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 

Undefined Behavior and Compiler Optimizations (NDC Oslo 2018)

  • 2. Secure Programming Practices in C++ @pati_gallardo Patricia Aas NDC { Oslo } 2018
  • 3. Patricia Aas - Vivaldi Browser Programmer - mainly in C++ Currently : Vivaldi Technologies Previously : Cisco Systems, Knowit, Opera Software Master in Computer Science Twitter : @pati_gallardo Photos: pixabay.com - CC0
  • 6. undefined behavior “Examples of undefined behavior are memory accesses outside of array bounds, signed integer overflow, null pointer dereference, modification of the same scalar more than once in an expression without sequence points, access to an object through a pointer of a different type, etc. Compilers are not required to diagnose undefined behavior (although many simple situations are diagnosed), and the compiled program is not required to do anything meaningful.” http://en.cppreference.com/w/cpp/language/ub @pati_gallardo
  • 7. - Don’t reason about undefined behaviour - Assume that it crashes or is never executed - Changing compiler, compiler version or optimization level can break your application Undefined Behaviour
  • 8. Infinite Loop (Undefined Behavior) #include <iostream> #include <complex> using namespace std; int main(void) { complex<int> delta; complex<int> mc[4] = {0}; for(int di = 0; di < 4; di++, delta = mc[di]) { cout << di << endl; } } @pati_gallardo (Thanks to @shafikyaghmour) https://stackoverflow.com/questions/32506643/c-compilation-bug Undefined Behavior!
  • 9. Infinite Loop (Undefined Behavior) Can we run it? https://godbolt.org/g/TDjM8h @pati_gallardo (Thanks to @shafikyaghmour) https://stackoverflow.com/questions/32506643/c-compilation-bug
  • 11. @pati_gallardo The Case Of The Disappearing Memset
  • 12. 0) CWE-14: Compiler Removal of Code to Clear Buffers void GetData(char *MFAddr) { char pwd[64]; if (GetPasswordFromUser(pwd, sizeof(pwd))) { if (ConnectToMainframe(MFAddr, pwd)) { // Interaction with mainframe } } memset(pwd, 0, sizeof(pwd)); // <- Removed by the optimizer } @pati_gallardo SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources
  • 13. 0) CWE-14: Compiler Removal of Code to Clear Buffers Should we Godbolt this? https://godbolt.org/g/FpEsht @pati_gallardo SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources
  • 14. Memset_s : Zeroing Memory // Compliant Solution (C11) memset_s(pwd, 0, sizeof(pwd)); // Windows Solution SecureZeroMemory(pwd, sizeof(pwd)); @pati_gallardo SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources
  • 15. Code is on GitHub: https://github.com/patricia-gallardo/insecure-coding-examples @pati_gallardo