The Impact of Compiler-Based Performance Optimizations on Security

Abstract

The security impacts of compiler-based software optimizations are typically not considered during their design and implementation. As a result, a number of well-intentioned compiler optimizations have been shown to introduce security weaknesses into programs despite maintaining the semantic correctness of the corresponding source code. These weaknesses are particularly troubling because they are not the result of programmer errors that can be identified in source code using industry standard techniques such as static code analysis. In this lecture, I will first highlight prior work focused on identifying an mitigating these weaknesses in compiler optimizations. I will then present the results of a study conducted at GTRI that explores the mechanisms by which compiler optimizations can introduce useful code reuse gadgets into the program binaries they produce. Finally, I will introduce potential solutions and mitigations for this problem and an analysis of their potential performance drawbacks.