YoVDO

Dangerous Optimizations and the Loss of Causality in C and C++ Programming

Offered By: OWASP Foundation via YouTube

Tags

Software Security Courses, C Programming Courses, GCC Courses

Course Description

Overview

Explore the impact of compiler optimizations on software security in this 45-minute conference talk from AppSec EU 2017. Delve into how compiler writers leverage undefined behaviors in C and C++ to enhance optimizations, potentially compromising developers' ability to perform cause-effect analysis. Examine common optimizations, their potential to introduce software vulnerabilities, and learn practical mitigation strategies. Cover topics such as constant folding, bounds checking, algebraic simplification, and critical undefined behaviors. Gain insights into GCC details, strict overflow settings, and recommendations for maintaining software causality and reducing the risk of faults, defects, and vulnerabilities in C and C++ programming.

Syllabus

Intro
Premise
Vulnerability Notes Database
Compiler Optimizations
Implementation Strategies
Constant Folding
Unexpected Results
Bounds Checking
Algebraic Simplification Applied
Mitigation
Another Algebraic Simplification
GCC Details
Wstrict-overflow=n
Definitions
Requirements
Critical Undefined Behaviors
Recommendations
Summary


Taught by

OWASP Foundation

Related Courses

Create a Game Loop using C and SDL
Udemy
RISC-V Toolchain and Compiler Optimization Techniques
Linux Foundation via edX
Linux Tools for Software Development
Linux Foundation via edX
A Few Effective GCC - Clang Optimizations for Embedded Systems
Linux Foundation via YouTube
Embedded Linux Size Reduction Techniques
Linux Foundation via YouTube