Finding Bugs Compiler Knows but Doesn't Tell You: Dissecting Undefined Behavior Optimizations in LLVM

Conference:  BlackHat EU 2020



The presentation discusses the use of undefined behavior paths to find vulnerabilities in software and provides suggestions for programmers, compiler developers, and bug hunters.
  • Undefined behavior paths can be used to find vulnerabilities in software
  • Suggestions for programmers include understanding and defending against undefined behavior and making use of undefined behavior warnings
  • Compiler developers should provide more accurate and useful undefined behavior warnings
  • Bug hunters can benefit from undefined behavior information
  • An anecdote is provided to illustrate the point of using undefined behavior paths
  • The presentation concludes with suggestions for programmers, compiler developers, and bug hunters
The presentation provides an example of using undefined behavior paths to achieve remote code execution in the Chrome browser with a single undefined behavior. The vulnerability was found in the IDBOpenDBRequest object, which allowed control of the value of EAX reduction and ultimately control of EIP. The presentation also discusses the use of Git to produce a few volumes and the encoding of XOR and EX instructions in shellcode.


"Undefined Behavior", like signed integer overflow or accessing a null pointer, is an erroneous action that makes programs unpredictable. There are no rules on how to generate code for "Undefined Behavior." Compiler writers can treat "Undefined Behavior" as "nasal demons" and do anything they choose.

We try to figure out how LLVM optimizes "Undefined Behavior" by digging into LLVM internals. We find that most "Undefined Behavior" can be recognized by compilers. But compilers prefer to optimize out "Undefined Behavior" rather than throw a warning. This can make "Undefined Behavior" bugs hide in programs or even make bugs more powerful during optimization.

We developed tools to look for the hidden "Undefined Behavior" bugs. We scanned Chrome and Android AOSP and found several security bugs. One of them was originally a negligible "null pointer dereference" bug in Chrome, which, however, can be used to compromise the Chrome renderer. In this talk, we will share our exploitation techniques.
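The two code shapes the abstract is about, as an added example (not code from the talk or from Chrome): a NULL check placed after the dereference and a signed-overflow check written as `x + 1 < x`. Both checks live on a path that is only reachable through undefined behavior, so LLVM is entitled to assume the path never happens and delete the check; the hardened forms beside them keep the check on a well-defined path. The `struct obj` and the function names are constructed for this illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

struct obj { int len; };

/* Constructed sample object for the functions below. */
static const struct obj sample = { 7 };

/* Vulnerable shape: dereference first, NULL check second.  Dereferencing NULL is
 * undefined behavior, so at -O2 LLVM may assume p != NULL and fold the later
 * `p == NULL` test to false, deleting the defensive branch from the binary.
 * The source still looks defended; the optimized code is not. */
int len_check_after_deref(const struct obj *p) {
    int n = p->len;              /* UB when p == NULL */
    if (p == NULL) return -1;    /* candidate for removal by the optimizer */
    return n;
}

/* Hardened shape: the check dominates the dereference, so there is no UB path
 * and the optimizer has nothing it is entitled to drop. */
int len_check_before_deref(const struct obj *p) {
    if (p == NULL) return -1;
    return p->len;
}

/* Vulnerable shape: signed overflow is UB, so `x + 1 < x` can never be true in
 * a well-defined program; LLVM folds the condition to false and removes it. */
bool will_overflow_naive(int x) {
    return x + 1 < x;            /* UB when x == INT_MAX; folds to `false` */
}

/* Hardened shape: __builtin_add_overflow (Clang and GCC) performs the addition
 * with defined semantics and reports the overflow instead of computing a UB sum. */
bool will_overflow_checked(int x) {
    int out;
    return __builtin_add_overflow(x, 1, &out);
}
```

Compile with `clang -O2 -S -emit-llvm` to see the folded branches in the IR, and with `-fsanitize=undefined` to have the UB reported at run time instead of silently optimized away.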


