diff --git a/TSW/backg.tex b/TSW/backg.tex
index a7acc404d76..219a0fc72b3 100644
--- a/TSW/backg.tex
+++ b/TSW/backg.tex
@@ -14,8 +14,8 @@ UBs: division by zero, oversized shift, signed integer overflow, out-of-bounds pointer, null pointer dereference, type-punned pointer dereference and uninitialized read. The consequences of these optimizations range from unexpected code
-generation~\cite{chen_2014,fermat_ub} to real-life
-vulnerabilities~\cite{mitre_ub}.
+generation~\cite{chen2014,fermatub} to real-life
+vulnerabilities~\cite{mitreub}.
 To address these issues the research community created solutions that tackle the problem from different angles. One approach was to introduce
diff --git a/TSW/bib.bib b/TSW/bib.bib
index b70a4b49cf9..d13c76287fc 100644
--- a/TSW/bib.bib
+++ b/TSW/bib.bib
@@ -7,7 +7,7 @@ and Zeldovich, Nickolai and Kaashoek, M Frans},
 year={2012}
 }
 
-@misc{checks_2008,
+@misc{checks2008,
 title={CERT/CC Vulnerability note vu162289},
 url={https://www.kb.cert.org/vuls/id/162289/},
 journal={VU162289 - C compilers may silently discard some wraparound
@@ -35,7 +35,7 @@ Systems Principles},
 year={2003}
 }
 
-@misc{google_2015, title={BORINGCC},
+@misc{google2015, title={BORINGCC},
 url={https://groups.google.com/g/boring-crypto/c/48qa1kWignU/m/o8GGp2K1DAAJ}, journal={Google}, publisher={Google}, year={2015}, month={Dec}}
@@ -48,7 +48,7 @@ Programmierung (KPS 2015)},
 year={2015}
 }
 
-@misc{regehr_2014,
+@misc{regehr2014,
 title={Proposal for a Friendly Dialect of C},
 url={https://blog.regehr.org/archives/1180},
 journal={Embedded in Academia},
@@ -57,7 +57,7 @@ Programmierung (KPS 2015)},
 month={Aug}
 }
 
-@misc{chen_2014,
+@misc{chen2014,
 title={Undefined behavior can result in time travel},
 url={https://devblogs.microsoft.com/oldnewthing/20140627-00/?p=633},
 journal={The Old New Thing},
@@ -66,7 +66,7 @@ Programmierung (KPS 2015)},
 month={June}
 }
 
-@misc{mitre_ub,
+@misc{mitreub,
 title={CVE Records on Undefined Behavior Vulnerabilities},
 url={https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=undefined+behavior},
 year={2022}
@@ -121,13 +121,20 @@ Programming Language Design and Implementation},
 publisher={Wiley Online Library}
 }
 
-@misc{fermat_ub,
+@misc{fermatub,
 title={Undefined Behavior and Fermat's Last Theorem},
 url={https://web.archive.org/web/20201108094235/https://kukuruku.co/post/undefined-behavior-and-fermats-last-theorem/},
 year={2015},
 month={March}
 }
 
+@misc{fnodeletelinux,
+ title={Add -fno-delete-null-pointer-checks to gcc CFLAGS},
+ url={https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a3ca86aea507904148870946d599e07a340b39bf},
+ year={2009},
+ month={July}
+}
+
 @article{lee2017taming,
 title={Taming undefined behavior in LLVM},
 author={Lee, Juneyoung and Kim, Yoonseung and Song, Youngju and Hur,
diff --git a/TSW/contr.tex b/TSW/contr.tex
index 496a7134d06..19fa7c3309c 100644
--- a/TSW/contr.tex
+++ b/TSW/contr.tex
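Review bot: The new `fnodeletelinux` entry leaves the acronyms in its title unprotected, so any style that sentence-cases `@misc` titles will print `cflags` and lowercase the flag name; brace the words that must keep their case: `title={Add {-fno-delete-null-pointer-checks} to {gcc} {CFLAGS}}`. The entry also records only a title, URL and date, so the rendered reference gives no hint that the source is a Linux kernel commit rather than an ordinary web page; `howpublished={Linux kernel commit a3ca86aea507904148870946d599e07a340b39bf}` would say so using the identifier already present in the `url`, and if an author is wanted it should be taken from the commit itself rather than guessed. `month={July}` matches the braced, spelled-out months used elsewhere in this file, but standard styles expect the bare macro (`month=jul`); if the file is ever normalised, this new entry is the natural place to start.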
@@ -2,10 +2,41 @@ Given the little research done in the field of analying the performance of UB optimizations, this study aims to provide insights of the
-performance on a specific class of software applications, i.e. operating
-systems.
+performance of these optimizations on a specific class of software
+applications, i.e. operating systems.
 
-We take a self-contained operating system with focus on robustness and
+The first step of our work is to filter out all UB instances
+presented in the standard and focus on the UBs that present a potential
+for being used in compiler optimizations. Our filtering strategy is
+based on the assumption that all UBs that conflict with the
+intentionality of the progammer shall not be used to issue code
+optimizations.
+
+Then we modify the compiler implementation to turn off these
+optimizatoins. A preliminary list of such UB extracted from the standard
+is:
+\begin{itemize}
+\item An arithmetic operation is invalid (such as division or modulus by
+0) or produces a result that cannot be represented in the space provided
+(such as overflow or underflow) (\$3.3).
+\item An invalid array reference, null pointer reference, or reference
+to an object declared with automatic storage duration in a terminated
+block occurs (\$3.3.3.2).
+\item A pointer is converted to other than an integral or pointer type
+(\$3.3.4).
+\end{itemize}
+
+\todo{talk here or somewhere else about the pratical consequences of UB
+optimizations}
+The first UB could lead to code being eliminated if the compiler detects
+that the arithmetic operation is incompatible with the
+standard~\cite{wang2012undefined}. The second UB could discard security
+checks for NULL pointers~\cite{fnodeletelinux} and the third UB could
+break manual optimizatoins on floating point
+numbers~\cite{lomont2003fast}.
+
+To analyze the role of these optimizations in real-life software, we
+take a self-contained operating system with focus on robustness and
 security, i.e. OpenBSD, and compile it on one hand with UB optimizations turned on and on the other hand with UB optimizations turned off. After this stage, the result will be two comparison canditates which will be
diff --git a/TSW/intro.tex b/TSW/intro.tex
index df47fec9ee0..0c834b4b696 100644
--- a/TSW/intro.tex
+++ b/TSW/intro.tex
@@ -10,9 +10,9 @@ suddenly broken in newer versions because the standard imposes no requirements on undefined behavior. This has created serious security problems throughout the
-years~\cite{wang2012undefined,checks_2008}. A number of initiatives to
+years~\cite{wang2012undefined,checks2008}. A number of initiatives to
 solve this problem were started from different
-parties~\cite{google_2015,regehr_2014,wang2013towards} however the
+parties~\cite{google2015,regehr2014,wang2013towards} however the
 problem still persists. The primary open source developer groups have seized the unsteady definition of undefined behavior to justify dangerous slient code transformations that break the intention of the
diff --git a/TSW/main.tex b/TSW/main.tex
index 346658c71f9..ca0a9c75177 100644
--- a/TSW/main.tex
+++ b/TSW/main.tex
@@ -6,6 +6,7 @@
 \usepackage{textcomp}
 \usepackage{xcolor}
 \usepackage{listings}
+\usepackage{url}
 \def\BibTeX{{\rm B\kern-.05em{\sc i\kern-.025em b}\kern-.08em T\kern-.1667em\lower.7ex\hbox{E}\kern-.125emX}}
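Review bot: The section references in the three added `\item` lines are written with `\$`, which LaTeX typesets as a literal dollar sign, so they will appear as `($3.3)` rather than as section marks; the section sign is `\S`: `(such as overflow or underflow) (\S3.3).`, `block occurs (\S3.3.3.2).`, `(\S3.3.4).`. The hunk also introduces four misspellings that will reach the typeset text: `optimizatoins` in `+optimizatoins. A preliminary list of such UB …` and again in `+break manual optimizatoins on floating point`, `progammer` in the filtering paragraph, and `pratical` inside the `\todo`. The standard whose numbering is quoted is not identified anywhere in the added text; the numbers look like those of the 1989 ANSI C document, but naming the edition next to the list would let readers check the three references. The `\todo{...}` left in the paragraph is presumably a deliberate draft placeholder.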