Dangerous Optimizations
Robert C. Seacord
11:30-13:00, Friday, 4th April 2025
Increasingly, compiler writers are taking advantage of undefined behaviors in the C and C++ programming languages to improve optimizations. Frequently, these optimizations are interfering with the ability of developers to perform cause-effect analysis on their source code, that is, analyzing the dependence of downstream results on prior results. Consequently, these optimizations are eliminating causality in software and are increasing the probability of software faults, defects, and vulnerabilities. This presentation describes some common optimizations, describes how these can lead to software vulnerabilities, and identifies applicable and practical mitigation strategies.
Robert C. Seacord
Robert C. Seacord is standardization lead at Woven Planet, where he helps standardize software development practices. Robert is an expert on ISO/IEC JTC1/SC22/WG14, the international standardization working group for the C programming language. He is the author of seven books, including Effective C (No Starch, 2020), The CERT C Coding Standard, Second Edition (Addison-Wesley, 2014), Secure Coding in C and C++, Second Edition (Addison-Wesley, 2013), and Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs (Addison-Wesley, 2014). He has also published more than 50 papers on software security, component-based software engineering, web-based system design, legacy-system modernization, component repositories and search engines, and user interface design and development.