[Cryptography] How programming language design can help us write secure crypto code

Ray Dillinger bear at sonic.net
Thu Oct 22 21:28:25 EDT 2015



On 10/22/2015 01:27 AM, Michael Kjörling wrote:

> In your mind, particularly in practice, what is the difference between
> "the behavior is undefined if..." and "the result will be an undefined
> value if..."? Do you have an example of any compiler the behavior of
> which doesn't fall into the latter category already when faced with a
> situation like this?

> Yes, _technically_ "the behavior of Operation X is undefined in case
> of ABC" means the compiler is free to do absolutely whatever it
> pleases in that situation. _In practice_, there are only a few
> possible outcomes, largely depending on what exactly Operation X and
> the condition ABC is.
>


Okay, I'm going to use an illustration that has already been talked
about on this list.  In C, the meaning of a signed integer addition
where the sum is greater (or less) than the signed integer type can
represent is unspecified.  And it matters whether your compiler treats
unspecified as meaning literally "behavior doesn't matter at all" or
unspecified as meaning literally "doesn't specify the return value
of the expression."

If you have code that adds two positive numbers and then checks for a
negative result intending it as a check for overflow, like this:


if (x < 0 || y < 0) halt(1);   /* both inputs must be non-negative; halt() stands for any abort routine */
z = x + y;    /* undefined in case of overflow */
if (z < 0) {
    printf("overflow at line %d\n", __LINE__);
    halt(1);
}
printf("positive result is %d\n", z);

In the case of gcc, the compiler goes through saying "I don't
have to care what the code DOES in case of undefined behavior."  It
doesn't even generate the check for z < 0 because that check can
never succeed in any case where behavior is fully defined.  That
leaves the consequent as dead code and the whole check and response
get stripped.  At runtime your code may say "positive result is -32760,"
because undefined behavior did in fact give z a negative value, but
it will never check for that negative number or halt, because the code
that would perform that check and that call to halt has been stripped.

In the case of MSVC, the compiler goes through saying instead,
"I don't have to care what VALUE an expression returns if the
expression invokes undefined behavior."  The addition result may
be undefined but the addition will have a result. That result
will either be greater or less than 0, and the check could turn
out to succeed if an undefined result was returned.  So in that
case the test and the consequent are not meaningless and code to
do those things will be in there.  Your code may (or may not)
detect a negative result and halt, but it will never print
"positive result is -32760".

And that's the essential difference between the "undefined value gets
returned" and the "undefined behavior if" schools of how the compiler
treats code whose exact meaning is not specified by the standard.

			Bear
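Added example, not part of Bear's post: the check above only works if the overflowed value actually comes back negative, which is exactly what a compiler treating signed overflow as undefined behaviour is allowed to assume never happens. The defensive approach is to decide whether the sum is representable before performing the addition, so no out-of-range signed addition is ever evaluated. The function names below are my own; add_int_checked uses only INT_MAX/INT_MIN arithmetic that is always in range, and add_int_checked_builtin shows the same test with __builtin_add_overflow, which gcc and clang provide.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns 1 and stores x + y in *out when the sum is representable as int,
 * 0 otherwise. INT_MAX - y (for y > 0) and INT_MIN - y (for y < 0) are
 * always in range, so this never evaluates a signed overflow and the
 * compiler has no undefined behaviour to "optimise" around. */
int add_int_checked(int x, int y, int *out)
{
    if ((y > 0 && x > INT_MAX - y) ||   /* sum would exceed INT_MAX */
        (y < 0 && x < INT_MIN - y)) {   /* sum would go below INT_MIN */
        return 0;
    }
    *out = x + y;
    return 1;
}

/* Same contract using the gcc/clang builtin: it writes the wrapped result
 * to *out and returns nonzero on overflow, without the C-level addition
 * ever being undefined. Falls back to the portable check elsewhere. */
int add_int_checked_builtin(int x, int y, int *out)
{
#if defined(__GNUC__) || defined(__clang__)
    return !__builtin_add_overflow(x, y, out);
#else
    return add_int_checked(x, y, out);
#endif
}

/* Reworking of the post's snippet: reject negative inputs (-1), report an
 * overflow that was caught before it happened (0), or accept the sum (1).
 * Unlike "if (z < 0)" after the addition, this cannot be stripped as dead. */
int add_positive_reporting(int x, int y, int *out)
{
    int z;
    if (x < 0 || y < 0) return -1;
    if (!add_int_checked(x, y, &z)) return 0;
    *out = z;
    return 1;
}

int main(void)
{
    int r;
    int ok = add_int_checked(INT_MAX, 1, &r);
    printf("INT_MAX + 1: %s\n", ok ? "representable" : "overflow detected");
    ok = add_int_checked(INT_MAX - 5, 5, &r);
    printf("(INT_MAX - 5) + 5: %s\n", ok ? "representable" : "overflow detected");
    ok = add_int_checked(INT_MIN, -1, &r);
    printf("INT_MIN - 1: %s\n", ok ? "representable" : "overflow detected");
    return 0;
}
```

With gcc -O2 the post's "z < 0" test can be dropped entirely, because reaching it with a negative z requires behaviour the standard does not define; the pre-checks here are on well-defined values, so the compiler must keep them.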

