I certainly do not live under the assumption that compilers or platforms are flawless; however, it is not often that I think about the ways in which security vulnerabilities can be introduced via the quest for constant improvement. A researcher over at Microsoft, Nuno Lopes, wrote a fascinating article about how important improvements may inadvertently alter the surface area of viable compilers:

Compilers are big: most major compilers consist of several million lines of code. Their development is not stale either: every year, each compiler sees thousands of changes. Their sheer size and complexity, plus the pressure to continuously improve compilers, results in bugs slipping through. These compiler bugs may in turn introduce security vulnerabilities into your program.

In response to this continuous development, Microsoft has developed a paper that presents Alive, a domain-specific language for writing optimizations and for automatically proving them correct.

Developing a system that can automatically check the veracity of a compiler gives me the feeling that I am one step away from losing my vocation.


