Software bugs introduce security vulnerabilities into our computer systems. To understand and mitigate an increasing number of bugs, practitioners categorize them into classes, such as buffer overflow or SQL injection, and handle each class separately. This talk introduces a new class of bugs called unstable code: code that is unexpectedly discarded by compiler optimizations due to undefined behavior in the program. I will discuss its prevalence and security impact in systems, and present a systematic approach for reasoning about unstable code, as well as a static checker called Stack that implements this approach to precisely identify unstable code in real systems. Applying Stack to widely used software has uncovered 160 new bugs that have been confirmed and fixed by developers. It has also been adopted by several companies to scan their code bases.
Xi Wang is a PhD candidate in Computer Science at MIT, advised by M. Frans Kaashoek and Nickolai Zeldovich. His research interests are in building secure and reliable systems. He was awarded a Best Paper Award at SOSP 2013, a Best Student Paper Award at EuroSys 2008, and an MIT Jacobs Presidential Fellowship in 2008.