Sanitizers' Blind Spots: Invisible Undefined Behaviors

Sanitizers such as AddressSanitizer, MemorySanitizer, and UndefinedBehaviorSanitizer play a crucial role in detecting security vulnerabilities in C/C++ applications. These vulnerabilities arise from undefined behaviors (UB) such as buffer overflows, use after free, signed integer overflow, and more. Combined with fuzzing, sanitizers have proven highly effective: the Google OSS-Fuzz service alone has identified over 20,000 bugs.

However, our latest research indicates that many undefined behaviors can elude sanitizer detection. In this talk, I will shed light on the primary reasons for these misses: (1) inherent design limitations of sanitizers, (2) aggressive compiler optimizations, and (3) bugs in sanitizer implementations. Furthermore, I will introduce our recent research aimed at rectifying these blind spots.
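To make reasons (1) and (2) concrete, here is an added example in C that is not from the talk or the speaker's research. It shows two out-of-bounds reads that AddressSanitizer does not report: one that the optimizer deletes before the ASan instrumentation pass runs (reason 2), and one that lands inside a neighbouring struct member where ASan places no redzone (reason 1). The names (table, rec, lookup_*) and the build lines are assumptions made for illustration; a bounds-checked lookup is shown alongside as the fix that does not depend on a sanitizer being compiled in.

```c
/* Added example: not from the talk or the speaker's work. Two out-of-bounds
 * reads that AddressSanitizer misses, plus the hardened lookup.
 * Compare (assumed build lines):
 *   clang -O0 -fsanitize=address -g ub.c && ./a.out   -> global-buffer-overflow
 *   clang -O2 -fsanitize=address -g ub.c && ./a.out   -> silent
 */
#include <stdio.h>
#include <stddef.h>

#define TABLE_LEN 8
static int table[TABLE_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};

/* Reason (2), compiler optimization: the loaded value is never used, so at
 * -O1 and above the optimizer deletes the load before the ASan pass
 * instruments the function. At -O0 the load survives and ASan reports a
 * global-buffer-overflow. The program is undefined in both builds. */
int log_lookup_unchecked(size_t i) {
    int v = table[i];      /* out of bounds when i >= TABLE_LEN */
    (void)v;               /* discarded: a dead load */
    return 0;
}

/* Same access, but the value escapes through the return, so the load is
 * kept and ASan instruments it at every -O level. */
int lookup_unchecked(size_t i) {
    return table[i];
}

/* Reason (1), design limitation: ASan puts redzones around whole objects,
 * not between struct members. An index into rec.a that lands inside rec.b
 * reads addressable memory, so there is no report at any -O level. */
struct record { int a[TABLE_LEN]; int b[TABLE_LEN]; };
static struct record rec = {
    {1, 2, 3, 4, 5, 6, 7, 8},
    {9, 10, 11, 12, 13, 14, 15, 16}
};

int intra_object_read(size_t i) {
    return rec.a[i];       /* i in [8, 16) silently reads rec.b in practice */
}

/* Hardened: an explicit bounds check that holds with or without a sanitizer.
 * Table values are positive, so -1 is a safe "bad index" sentinel. */
int lookup_checked(size_t i) {
    if (i >= TABLE_LEN)
        return -1;
    return table[i];
}

int main(void) {
    log_lookup_unchecked(TABLE_LEN);   /* reported at -O0, silent at -O2 */
    printf("intra-object: %d\n", intra_object_read(TABLE_LEN + 1)); /* 10, no report */
    printf("checked(8): %d\n", lookup_checked(TABLE_LEN));          /* -1 */
    printf("checked(3): %d\n", lookup_checked(3));                  /* 4 */
    return 0;
}
```

The useful check when triaging a fuzzing campaign is to re-run crash-free inputs against an -O0 sanitizer build and, for struct-heavy code, to remember that ASan's redzones only separate allocations, so intra-object overflows need a bounds check or a different tool.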

Shaohua Li is a final-year Ph.D. student at ETH Zurich, advised by Prof. Zhendong Su. He is generally interested in fuzzing, security, and compilers. His current research focuses on detecting undefined behaviors, solidifying sanitizer implementations, and compiler testing. His research has discovered over 100 previously unknown bugs in mature compilers including GCC and LLVM. His research on finding sanitizer bugs won the 2022 Meta Security Research RFP award.