By: Robert C. Seacord

Scheduled on: June 18 at 10:00

Increasingly, compiler writers are taking advantage of undefined behaviors in the C and C++ programming languages to improve optimizations. Frequently, these optimizations are interfering with the ability of developers to perform cause-effect analysis on their source code, that is, analyzing the dependence of downstream results on prior results. Consequently, these optimizations are eliminating causality in software and are increasing the probability of software faults, defects, and vulnerabilities. This presentation describes some common optimizations, describes how these can lead to software vulnerabilities, and identifies applicable and practical mitigation strategies.