ARM-software / LLVM-embedded-toolchain-for-Arm

A project dedicated to building LLVM toolchain for Arm and AArch64 embedded targets.


Increasing the Hamming distance for defense programming may be optimized by the compiler.

zhou-shan opened this issue · comments

1. The code that caused the error is as follows (test.c):

```c
#include <stdbool.h>

enum {
  TEST_XXX_ENABLED = 0x5AA55AA5,
  TEST_XXX_DISABLED = 0xA55AA55A,
};
static unsigned int g_test_xxx_flag = TEST_XXX_DISABLED;

bool test_xxx_is_enable(void)
{
  return g_test_xxx_flag == TEST_XXX_ENABLED;
}

void test_xxx_enable(void)
{
  g_test_xxx_flag = TEST_XXX_ENABLED;
}
```

2. The optimization level is Os.
3. Problem description:

   [image: disassembly of the generated code, not reproduced here]

   The function works normally, but the secure programming design (increasing the Hamming distance) is optimized by the compiler. In the final generated executable program:

   • The size of g_test_xxx_flag is reduced from 4 bytes to 1 byte.
   • The operations of assigning and comparing g_test_xxx_flag are both replaced with 0/1.

We expect to generate the following assembly instruction sequence:
[image: expected assembly instruction sequence, not reproduced here]

The current verification results show that this optimization does not exist in GCC. We hope to have a separate option in CLANG-LLVM to control the switch of this optimization.

Currently, we add "volatile" when defining variables to prevent optimization.

Hi,

Thank you for reporting this issue! I am afraid different compilers can have different optimizations and heuristics, and thus differ in generated code; however, as long as it honours the language standard, it is a valid optimization.

You are correct, volatile is one of the options to request the compiler to avoid unwanted optimizations.

You may read more about possible optimization issues in regard to security at https://github.com/llsoftsec/llsoftsecbook
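The following is an added example, not code from the issue or from the toolchain, showing the pattern the reporter describes together with the `volatile` workaround the reply mentions. It keeps the reporter's sentinel values but uses macros instead of an enum (0xA55AA55A does not fit in an `int`, so an enumerator of that value is a compiler extension), and it adds a three-way state check so that a flag holding neither sentinel is reported as a fault rather than silently treated as one of the two valid states. The names `flag_state_t`, `test_xxx_state`, `test_xxx_corrupt` and `hamming_distance` are my own. Whether a given compiler at a given optimization level really keeps the full-width store and compare can only be confirmed by inspecting the generated code, as the reporter did; the C-level checks below only exercise the logic.

```c
#include <stdbool.h>
#include <stdint.h>

/* Sentinel values as in the report: bitwise complements, so all 32 bits differ.
 * Macros rather than enumerators, because 0xA55AA55A exceeds INT_MAX. */
#define TEST_XXX_ENABLED  0x5AA55AA5u
#define TEST_XXX_DISABLED 0xA55AA55Au

/* Outcomes of inspecting the flag (hypothetical names): the two valid states,
 * plus a fault outcome for any other bit pattern. */
typedef enum { FLAG_DISABLED, FLAG_ENABLED, FLAG_FAULT } flag_state_t;

/* volatile is the workaround used in the report: every access must be
 * performed on the full 4-byte object as written, so the compiler may not
 * shrink the variable to a 1-byte 0/1 or fold the comparisons below. Without
 * it, the compiler can observe that only the two sentinels are ever stored
 * and is free to drop the FLAG_FAULT path as unreachable. */
static volatile uint32_t g_test_xxx_flag = TEST_XXX_DISABLED;

void test_xxx_enable(void)  { g_test_xxx_flag = TEST_XXX_ENABLED; }
void test_xxx_disable(void) { g_test_xxx_flag = TEST_XXX_DISABLED; }

/* Classify the stored value. Reading it once into a local guarantees the
 * comparisons all see the same snapshot of the volatile object. */
flag_state_t test_xxx_state(void)
{
  uint32_t v = g_test_xxx_flag;
  if (v == TEST_XXX_ENABLED)  return FLAG_ENABLED;
  if (v == TEST_XXX_DISABLED) return FLAG_DISABLED;
  return FLAG_FAULT;  /* neither sentinel: memory corruption or a glitch */
}

/* Same interface as the reporter's function, but a corrupted flag reads as
 * "not enabled" instead of being coerced to one of the two valid states. */
bool test_xxx_is_enable(void) { return test_xxx_state() == FLAG_ENABLED; }

/* Number of differing bits between two words; 32 for the pair above, which is
 * the point of choosing complementary sentinels. */
unsigned hamming_distance(uint32_t a, uint32_t b)
{
  uint32_t x = a ^ b;
  unsigned n = 0;
  for (; x != 0; x >>= 1) n += x & 1u;
  return n;
}

/* Test helper: flip the given bits of the flag through the same volatile
 * object, to exercise the FLAG_FAULT path in a unit test. */
void test_xxx_corrupt(uint32_t bitmask) { g_test_xxx_flag ^= bitmask; }
```

Compile with `-Os` and inspect the object file for `g_test_xxx_flag` and the two functions to confirm that the store and compare still use the 32-bit sentinel values; with `volatile` removed, the same inspection is where the reduction the reporter observed would show up.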