
Note: This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Compiler Checks

Published: September 27, 2005 | Last revised: May 10, 2013

Author(s): Robert C. Seacord
Maturity Levels and Audience Indicators: L3 / D/P L
SDLC Life Cycles: Implementation
Copyright: Copyright © 2005, 2008 Pearson Education, Inc.

Abstract

In a perfect world, C and C++ compilers would identify the potential for exceptional conditions to occur at runtime and provide a mechanism (such as an exception, trap, or signal handler) for applications to handle these events. Unfortunately, the world we live in is far from perfect. This article provides a brief description of some of the compiler capabilities that exist today.

Development Context

Integer operations

Technology Context

C, C++, IA-32, Win32, UNIX

Attacks

Attacker executes arbitrary code on the machine with the permissions of the compromised process, or changes the behavior of the program.

Risk

Integers in C and C++ are susceptible to overflow, sign, and truncation errors that can lead to exploitable vulnerabilities.

Description

Existing C and C++ compilers have limited capabilities for identifying and reporting potential exceptional conditions at compile and runtime.

Visual C++

The Visual C++ .NET 2003 compiler generates compiler warning C4244 when an integer is assigned to a smaller integer type. At warning level 1, a warning is issued if a value of type __int64 is assigned to a variable of type unsigned int. At warning levels 3 and 4, a “possible loss of data” warning is issued if an integer type is converted to a smaller integer type. For example, the following assignment is flagged at warning level 4:

  int b = 0, c = 0;
  short a = b + c; // C4244

Visual C++ .NET 2003 also provides runtime error checks that are enabled by the /RTC flag. The /RTCc compiler flag provides a function similar to compiler warning C4244 by reporting, at runtime, when a value assigned to a smaller data type results in a loss of data. Visual C++ also includes a runtime_checks pragma that disables or restores the /RTC settings. /RTC does not, however, include a check for other runtime errors such as integer overflow. Visual C++ 2005 adds the ability to catch overflow in the size calculation for array new (enabled by default).

Runtime error checks are not available in a release (optimized) build, for performance reasons; /RTC cannot be combined with optimization [Microsoft 03]. The checks therefore catch errors only while testing debug builds, not in the shipped program.
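The following added example (not part of the original article and not Visual C++ code) shows the portable alternative: a range check on the source value before narrowing, which catches the same int-to-short and __int64-to-unsigned-int cases that C4244 and /RTCc report, but in every build including release. The struct name, function names and sample values are this example's own.

```c
#include <limits.h>
#include <stdio.h>

/* Result of a checked narrowing conversion. ok == 1 means value holds the
   converted number; ok == 0 means the source value does not fit the target
   type and nothing should be used. value is long long so one struct can
   carry any of the target types used below. (Names are this example's own.) */
struct narrow_result {
    int ok;
    long long value;
};

/* int -> short, the conversion that C4244 (compile time) and /RTCc (debug
   builds only) flag. Checking the range first rejects the value instead of
   letting the high-order bits be discarded. */
struct narrow_result narrow_int_to_short(int v) {
    struct narrow_result r = {0, 0};
    if (v < SHRT_MIN || v > SHRT_MAX) {
        return r;
    }
    r.ok = 1;
    r.value = (short)v;
    return r;
}

/* long long -> unsigned int, the level-1 C4244 case. A negative source is a
   sign error and a value above UINT_MAX is a truncation error; both are
   rejected by one pair of comparisons. */
struct narrow_result narrow_ll_to_uint(long long v) {
    struct narrow_result r = {0, 0};
    if (v < 0 || v > (long long)UINT_MAX) {
        return r;
    }
    r.ok = 1;
    r.value = (unsigned int)v;
    return r;
}

/* The unchecked conversion, for comparison. Narrowing to an unsigned type
   is defined by the C standard to wrap modulo 2^N, so 65537 becomes 1 and a
   length field silently shrinks. (For signed targets the out-of-range
   result is implementation-defined, which is no better.) */
unsigned short unchecked_u16(unsigned int v) {
    return (unsigned short)v;
}

int main(void) {
    /* Constructed sample values: a legitimate count, an oversized count,
       a negative count, and lengths at and just past the unsigned limit. */
    int counts[] = {1000, 70000, -40000};
    long long lens[] = {4294967295LL, 4294967296LL, -1LL};
    size_t i;

    for (i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        struct narrow_result r = narrow_int_to_short(counts[i]);
        printf("int %d -> short: %s\n", counts[i],
               r.ok ? "ok" : "REJECTED (would truncate)");
    }
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        struct narrow_result r = narrow_ll_to_uint(lens[i]);
        printf("long long %lld -> unsigned int: %s\n", lens[i],
               r.ok ? "ok" : "REJECTED (sign or truncation error)");
    }
    printf("unchecked (unsigned short)65537 == %hu\n", unchecked_u16(65537u));
    return 0;
}
```

Unlike /RTCc, the checks survive optimization and leave the caller a value to act on (reject the input, fail the request) rather than terminating the process.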

GCC

The GCC and g++ compilers include an -ftrapv compiler option that provides limited support for detecting signed integer overflow at runtime. According to the GCC man page, this option “generates traps for signed overflow on addition, subtraction, and multiplication operations.” In practice, this means that GCC generates calls to library functions in libgcc rather than inline arithmetic instructions for these operations on signed integers; when a library function detects an overflow, it aborts the process. Note what the option does not cover: division (INT_MIN / -1), shifts, conversions between integer types, and unsigned arithmetic (which wraps by definition and is not overflow in the language's sense). If you use this feature, make sure you are using GCC version 3.4 or later, because the checks implemented by the runtime library before this version do not detect all overflows and should not be trusted [Seacord 04].
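Because -ftrapv aborts rather than letting the program recover, and covers only addition, subtraction and multiplication, a program that must handle untrusted integers needs its own pre-operation checks. The following added example (not from the article and not GCC code) implements those checks for the three operations -ftrapv covers, testing the operands so that the overflow never happens. The struct, function names and sample values are this example's own; unchecked_mul is included only to show the kind of expression -ftrapv would trap.

```c
#include <limits.h>
#include <stdio.h>

/* Result of a checked signed operation: ok == 1 and value set when the
   mathematical result is representable as an int, ok == 0 when it would
   overflow. The operands are tested before the operation, so this code
   never performs a signed overflow (undefined behaviour in C) and behaves
   the same with or without -ftrapv, in any build. (Names are this
   example's own.) */
struct ckint {
    int ok;
    int value;
};

struct ckint checked_add(int a, int b) {
    struct ckint r = {0, 0};
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b)) {
        return r;
    }
    r.ok = 1;
    r.value = a + b;
    return r;
}

struct ckint checked_sub(int a, int b) {
    struct ckint r = {0, 0};
    if ((b < 0 && a > INT_MAX + b) || (b > 0 && a < INT_MIN + b)) {
        return r;
    }
    r.ok = 1;
    r.value = a - b;
    return r;
}

/* Multiplication needs the sign of both operands to pick a division that
   cannot itself overflow; the a != 0 guard avoids dividing by zero, and
   INT_MIN / -1 never occurs because the negative/negative branch divides
   INT_MAX, not INT_MIN. */
struct ckint checked_mul(int a, int b) {
    struct ckint r = {0, 0};
    if (a > 0) {
        if (b > 0) {
            if (a > INT_MAX / b) return r;
        } else {
            if (b < INT_MIN / a) return r;
        }
    } else {
        if (b > 0) {
            if (a < INT_MIN / b) return r;
        } else {
            if (a != 0 && b < INT_MAX / a) return r;
        }
    }
    r.ok = 1;
    r.value = a * b;
    return r;
}

/* The unchecked form, which is what -ftrapv acts on: compiled with
   -ftrapv, GCC emits a call into libgcc that aborts the process on
   overflow; without it, an overflow here is undefined behaviour. */
int unchecked_mul(int a, int b) {
    return a * b;
}

int main(int argc, char **argv) {
    /* Constructed sample: element count and element size read from an
       untrusted header and used to size an allocation. 46341 * 46341
       exceeds INT_MAX; 46340 * 46340 does not. */
    int count = 46341, size = 46341;
    struct ckint bytes = checked_mul(count, size);

    if (!bytes.ok) {
        printf("rejected: %d * %d overflows int\n", count, size);
    } else {
        printf("allocation size %d\n", bytes.value);
    }
    printf("46340 * 46340 = %d\n", checked_mul(46340, 46340).value);
    printf("checked_add(INT_MAX, 1).ok = %d\n", checked_add(INT_MAX, 1).ok);
    printf("checked_sub(INT_MIN, 1).ok = %d\n", checked_sub(INT_MIN, 1).ok);

    /* Pass any argument to run the unchecked version: built with
       `gcc -ftrapv`, this aborts (SIGABRT); built without it, the result
       is undefined behaviour that usually appears as a wrapped value. */
    if (argc > 1) {
        printf("unchecked: %d\n", unchecked_mul(count, size));
    }
    (void)argv;
    return 0;
}
```

Build it twice, `gcc -O2 example.c` and `gcc -O2 -ftrapv example.c`, and run with an argument to see the difference between the explicit checks (which report and continue) and the trap (which terminates). Newer GCC and Clang releases also offer -fsanitize=signed-integer-overflow, which reports the same class of error with a diagnostic instead of an abort; it is a testing aid, like /RTC, and does not replace the checks in shipped code.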

References

[Microsoft 03]

Visual C++ Compiler Options, /RTC (Run-Time Error Checks), Visual Studio .NET help system.

[Seacord 04]

Seacord, Robert C. “libgcc contains multiple flaws that allow integer type range vulnerabilities to occur at runtime” (US-CERT Vulnerability Note VU#540517). April, 2004.

