Finding Bugs Compiler Knows but Doesn't Tell You: Dissecting Undefined Behavior Optimizations in LLVM

Presented at Black Hat Europe 2020 Virtual, Dec. 9, 2020, 10:20 a.m. (40 minutes)

"Undefined Behavior", such as signed integer overflow or dereferencing a null pointer, is an erroneous action that makes a program's behavior unpredictable. The language standard imposes no rules on how code for "Undefined Behavior" must be generated, so compiler writers can treat it as "nasal demons" and do anything they choose.

We try to figure out how LLVM optimizes around "Undefined Behavior" by digging into LLVM internals. We find that most "Undefined Behavior" can be recognized by the compiler, but the compiler prefers to optimize it out rather than emit a warning. This can leave "Undefined Behavior" bugs hidden in programs, or even make them more powerful after optimization.

We developed tools to look for these hidden "Undefined Behavior" bugs. We scanned Chrome and Android AOSP and found several security bugs. One of them was originally a seemingly negligible null pointer dereference bug in Chrome which, however, can be used to compromise the Chrome renderer. In this talk, we will share our exploitation techniques.
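The class of bug the abstract describes, as an added illustration that is not from the talk or its tools: a null pointer check that sits after the dereference is dead code to LLVM, because dereferencing null is undefined behavior and the optimizer may assume the pointer is non-null from that point on. The `struct msg` type, the function names, and the `-1` sentinel are constructed for this example; the mitigation flags named in the comments are real clang options.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed message header type (not from the talk). */
struct msg { int len; };

/* Buggy pattern: dereference first, check second.
 * Reading m->len when m == NULL is undefined behavior, so after that
 * line LLVM may assume m != NULL and delete the check below entirely
 * (clang -O2; kept only with -fno-delete-null-pointer-checks).
 * The "safe" fallback path silently disappears from the binary, which
 * is exactly how a negligible-looking NULL deref can stop being one. */
int msg_len_before_check(struct msg *m) {
    int n = m->len;          /* UB when m == NULL */
    if (m == NULL)           /* may be optimized out */
        return -1;
    return n;
}

/* Hardened pattern: check first, dereference second. There is no UB,
 * so the compiler must keep the check. At build time, -fsanitize=null
 * (UBSan) reports the buggy ordering at runtime instead of hiding it. */
int msg_len_checked(const struct msg *m) {
    if (m == NULL)
        return -1;
    return m->len;
}

/* Convenience wrapper so a caller can exercise the checked path
 * with a given length value. */
int checked_len_of(int len) {
    struct msg m = { len };
    return msg_len_checked(&m);
}

int main(void) {
    /* Only the hardened function is called with NULL here; calling the
     * buggy one with NULL is UB and may crash or return garbage. */
    printf("valid: %d\n", checked_len_of(42));      /* 42 */
    printf("null:  %d\n", msg_len_checked(NULL));   /* -1 */
    return 0;
}
```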
Presenters:

  • Kai Song - Senior Security Researcher, Tencent Security Xuanwu Lab.
    Kai Song (@exp-sky) is a senior security researcher at Tencent Security Xuanwu Lab. He is experienced in software vulnerability exploitation and vulnerability discovery. He is also the winner of the Edge browser category at Pwn2Own 2017 and at Tianfu Cup 2018 and 2019. He has been recognized by Microsoft MSRC as one of the world's Most Valuable Security Researchers for five consecutive years, with a highest ranking of 12th. Since 2015, he has won the Microsoft Edge Bounty and the Mitigation Bypass Bounty Program several times. He has presented his security research at many security conferences, such as AsiaSecWest, HITCON, and the China Internet Security Conference.
  • Mingyue Liang - Security Researcher, Tencent Security Xuanwu Lab.
    Mingyue Liang (@MoonL1ang) is a security researcher at Tencent Security Xuanwu Lab. He has been focusing on browser security for three years. He was the Edge winner of the TianFu Cup in 2018 and 2019 and ranked #12 among the 2019 MSRC Most Valuable Security Researchers.
  • Wei Liu - Security Researcher, Tencent Security Xuanwu Lab.
    Wei Liu is a security researcher at Tencent Security Xuanwu Lab; his research focuses on Chrome security and Android security.
  • Zekai Wu - Security Researcher, Tencent Security Xuanwu Lab.
    Zekai Wu is a security researcher at Tencent Security Xuanwu Lab; his research focuses on Chrome security.