Divergent Representations: When Compiler Optimizations Enable Exploitation

Abstract

Compiler optimizations can introduce unexpected security weaknesses in programs. In this paper, we introduce a newly discovered form of optimization-introduced security weakness that can benefit attackers, called divergent representations. We show that when divergent representations appear near vulnerabilities, they can enable attackers to create more powerful exploits. We provide a case study of a publicly disclosed SQLite CVE that becomes exploitable because of a divergent representation. We show that divergent representations are prevalent in software by searching for code patterns that may produce divergent representations, and found candidate patterns in 44 % of scanned repositories.