This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
Re: Signed int overflow behaviour in the security context
Ian Lance Taylor wrote:
> Andreas Bogk <andreas@andreas.org> writes:
> I think a better way to describe your argument is that the compiler
> can remove a redundant test which would otherwise be part of a defense
> in depth. That is true. The thing is, most people want the compiler
> to remove redundant comparisons; most people don't want their code to
> have defense in depth, they want it to have just one layer of defense,
> because that is what will run fastest.
Exactly. I think that Ian's approach (giving us a warning to help track
down problems in real-world code, together with an option to disable the
optimizations) is correct. Even if the LIA-1 behavior would make GCC
magically better as a compiler for applications that have
not-quite-right security checks, it wouldn't make it better as a
compiler for lots of other applications.
I would rather hope that secure applications would define a set of
library calls for some of these frequently-occurring checks (whether in
GLIBC, libiberty, or some new library) so that application
programmers can use them.
(I've also been known to claim that writing secure applications in C may
provide performance advantages, but makes the security part harder. If
someone handed me a contract to write a secure application, with a
penalty clause for security bugs, I'd sure be looking for a language
that raised exceptions on overflow, bounds-checking failures, etc.)
--
Mark Mitchell
CodeSourcery
mark@codesourcery.com
(650) 331-3385 x713
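Added example, not part of the thread or of any GCC library: the kind of overflow check a "library of frequently-occurring checks" could provide, shown beside the post-hoc `a + b < a` test that GCC is entitled to drop because signed overflow is undefined. All function names here are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical library helper: says whether a + b would overflow an int
 * WITHOUT performing the addition. Signed overflow is undefined in C, so
 * a check must be made before the operation, never by inspecting a
 * result that may already have overflowed. */
bool add_would_overflow(int a, int b)
{
    if (b > 0 && a > INT_MAX - b) return true;   /* would exceed INT_MAX */
    if (b < 0 && a < INT_MIN - b) return true;   /* would go below INT_MIN */
    return false;
}

/* Checked add: stores a + b in *out and returns true only when it fits.
 * The test precedes the addition, so no undefined behaviour is reached
 * and the optimizer has nothing to "simplify away". */
bool checked_add(int a, int b, int *out)
{
    if (add_would_overflow(a, b)) return false;
    *out = a + b;
    return true;
}

/* Convenience wrapper: the sum when it fits, otherwise the fallback. */
int sum_or(int a, int b, int fallback)
{
    int r;
    return checked_add(a, b, &r) ? r : fallback;
}

/* The pattern the thread discusses: a check made AFTER the addition.
 * Since the compiler may assume `a + b` never overflows, it can treat
 * `sum < a` (for b > 0) as always false and delete the test entirely.
 * Only called with non-overflowing inputs here; it is shown as the
 * unreliable form, not as something to rely on. */
bool unreliable_post_check(int a, int b)
{
    int sum = a + b;   /* undefined behaviour if the result does not fit */
    return b > 0 && sum < a;
}

int main(void)
{
    printf("INT_MAX + 1 fits: %d\n", !add_would_overflow(INT_MAX, 1));
    printf("sum_or(INT_MAX, 1, -1) = %d\n", sum_or(INT_MAX, 1, -1));
    return 0;
}
```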