Compiler Optimization Removal or Modification of Security-critical Code
Weakness ID: 733 (Weakness Base)Status: Incomplete
+ Description

Description Summary

The developer builds a security-critical protection mechanism into the software but the compiler optimizes the program such that the mechanism is removed or modified.
+ Applicable Platforms

Languages

C: (Often)

C++: (Often)

All Compiled Languages

+ Detection Methods

Black Box

This specific weakness is impossible to detect using black box methods. While an analyst could examine memory to see that it has not been scrubbed, an analysis of the executable would not be successful. This is because the compiler has already removed the relevant code. Only the source code shows whether the programmer intended to clear the memory or not, so this weakness is indistinguishable from others.

White Box

This weakness is only detectable using white box methods (see black box detection factor). Careful analysis is required to determine if the code is likely to be removed by the compiler.

+ Observed Examples
ReferenceDescription
CVE-2008-1685C compiler optimization, as allowed by specifications, removes code that is used to perform checks to detect integer overflows.
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class435Interaction Error
Research Concepts (primary)1000
ChildOfWeakness ClassWeakness Class758Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Research Concepts1000
ParentOfWeakness BaseWeakness Base14Compiler Removal of Code to Clear Buffers
Research Concepts (primary)1000
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
8Buffer Overflow in an API Call
9Buffer Overflow in Local Command-Line Utilities
10Buffer Overflow via Environment Variables
24Filter Failure through Buffer Overflow
46Overflow Variables and Tags
+ References
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 9, "A Compiler Optimization Caveat" Page 322. 2nd Edition. Microsoft. 2002.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2008-10-01Internal CWE Team
new weakness-focused entry for Research view closes the gap between 14 and 435.
Modifications
Modification DateModifierOrganizationSource
2008-11-24CWE Content TeamMITREInternal
updated Detection Factors
2009-03-10CWE Content TeamMITREInternal
updated Applicable Platforms, Observed Examples, Related Attack Patterns, Relationships