
Re: MIT discovered issue with gcc



Hi Andrew, hi all,

> I understand that Debian has a bunch of vulnerabilities as described in
> the following PDF.
> 
> http://pdos.csail.mit.edu/~xi/papers/stack-sosp13.pdf
> 
> Just a small quote:
> 
> "This paper presents the first systematic approach for
> reasoning about and detecting unstable code. We implement
> this approach in a static checker called Stack, and
> use it to show that unstable code is present in a wide
> range of systems software, including the Linux kernel and
> the Postgres database. We estimate that unstable code
> exists in 40% of the 8,575 Debian Wheezy packages that
> contain C/C++ code. We also show that compilers are
> increasingly taking advantage of undefined behavior for
> optimizations, leading to more vulnerabilities related to
> unstable code."

This should be taken with a grain of salt. (I'm doing research in the area of
automated software analysis myself.) It clearly is a well-written paper with a
nice tool. Yet "unstable code" results from code that would otherwise be
considered bogus anyway (they give a nice list in Figure 3 in their paper); thus
it is not necessarily the case that compilers introduce completely new bugs -
they just might make the existing ones worse. The use of the term
"vulnerabilities" could be very misleading here: not all bugs yield security
issues - many of them might just lead to unexpected behaviour, and not be
exploitable to gain elevated privileges or the like.

Consider the fact that Debian's source packages contain more than 200 million
lines of code. If we trust Steve McConnell's "Code Complete" book, industry
average lies at 15-50 errors per 1000 lines of code, which is more than 1 in 100
lines. In a very simplified way of reasoning, I'd dare to conclude that at least
2 million further bugs remain to be discovered.

> 
> This looks very serious indeed, but a quick search of Debian mailing
> lists didn't show anything being acknowledged for this issue.... should
> Debian users be concerned?
> 

Probably not more than before, but as much as always: you are using code that
hasn't been proved to be correct. But with open-source software at least you know
what code you are using, and which bugs are being found.

Hope this helps,
Michael


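To make the point about "unstable code" concrete, here is an added example in C. It is not taken from the paper, from the Stack tool, or from Michael's mail; the function names and the bounds-check scenario are constructed for illustration. It shows the kind of check the paper's Figure 3 lists: an overflow test written as `off + len < off` on signed integers. Signed overflow is undefined behaviour in C, so a compiler is allowed to assume the sum never wraps and may simplify or delete the test (GCC at -O2 rewrites `a + b < a` to `b < 0`, which no longer detects a wrap). The bug was already there in the unstable version; the optimizer only makes it bite. The stable variant expresses the same intent without ever computing an overflowing value, so its result does not depend on the compiler or optimization level.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * "Unstable" bounds check (hypothetical name). The programmer intends
 * `off + len < off` to catch wrap-around, but signed overflow is undefined
 * behaviour, so the compiler may assume it never happens and fold the test
 * to `len < 0`. At -O0 the wrapped sum is usually observed and the check
 * fires; at -O2 it is typically optimised away and an out-of-range
 * (off, len) pair can be accepted. The outcome depends on the compiler.
 */
bool in_bounds_unstable(int off, int len, int size)
{
    if (off + len < off)          /* UB-dependent overflow check */
        return false;
    return off + len <= size;     /* may itself overflow */
}

/*
 * Stable equivalent: reject negative inputs and test for overflow by
 * comparing against INT_MAX - off, so no expression in this function
 * can overflow. This is well-defined under any optimisation level.
 */
bool in_bounds_stable(int off, int len, int size)
{
    if (off < 0 || len < 0 || size < 0)
        return false;
    if (len > INT_MAX - off)      /* off + len would exceed INT_MAX */
        return false;
    return off + len <= size;     /* now guaranteed not to overflow */
}

/* Runs both checks on a constructed set of inputs, including a wrapping one. */
int main(void)
{
    struct { int off, len, size; } cases[] = {
        { 10, 20, 30 },            /* exactly fits */
        { 10, 21, 30 },            /* one past the end */
        { INT_MAX, 1, 100 },       /* off + len wraps in the unstable version */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int off = cases[i].off, len = cases[i].len, size = cases[i].size;
        printf("off=%d len=%d size=%d  unstable=%d  stable=%d\n",
               off, len, size,
               (int)in_bounds_unstable(off, len, size),
               (int)in_bounds_stable(off, len, size));
    }
    return 0;
}
```

Compile it once with `-O0` and once with `-O2` and compare the `unstable` column for the third case: whether the wrapped sum is caught is decided by the optimizer, not by the source. The `stable` column is the same under both, which is the property a reviewer should insist on for any check that guards memory access.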