CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  
ID

CWE-733: Compiler Optimization Removal or Modification of Security-critical Code

Weakness ID: 733
Abstraction: Base
Status: Incomplete
Presentation Filter:
+ Description

Description Summary

The developer builds a security-critical protection mechanism into the software but the compiler optimizes the program such that the mechanism is removed or modified.
+ Applicable Platforms

Languages

C: (Often)

C++: (Often)

All Compiled Languages

+ Common Consequences
ScopeEffect
Access Control
Other

Technical Impact: Bypass protection mechanism; Other

+ Detection Methods

Black Box

This specific weakness is impossible to detect using black box methods. While an analyst could examine memory to see that it has not been scrubbed, an analysis of the executable would not be successful. This is because the compiler has already removed the relevant code. Only the source code shows whether the programmer intended to clear the memory or not, so this weakness is indistinguishable from others.

White Box

This weakness is only detectable using white box methods (see black box detection factor). Careful analysis is required to determine if the code is likely to be removed by the compiler.

+ Observed Examples
ReferenceDescription
C compiler optimization, as allowed by specifications, removes code that is used to perform checks to detect integer overflows.
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class435Interaction Error
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfWeakness ClassWeakness Class758Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Research Concepts1000
ChildOfCategoryCategory976SFP Secondary Cluster: Compiler
Software Fault Pattern (SFP) Clusters (primary)888
ParentOfWeakness BaseWeakness Base14Compiler Removal of Code to Clear Buffers
Development Concepts (primary)699
Research Concepts (primary)1000
+ References
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 9, "A Compiler Optimization Caveat" Page 322. 2nd Edition. Microsoft. 2002.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2008-10-01Internal CWE Team
new weakness-focused entry for Research view closes the gap between 14 and 435.
Modifications
Modification DateModifierOrganizationSource
2008-11-24CWE Content TeamMITREInternal
updated Detection_Factors
2009-03-10CWE Content TeamMITREInternal
updated Applicable_Platforms, Observed_Examples, Related_Attack_Patterns, Relationships
2010-02-16CWE Content TeamMITREInternal
updated References
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Relationships
2014-07-30CWE Content TeamMITREInternal
updated Relationships
2017-01-19CWE Content TeamMITREInternal
updated Relationships

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017