Open Source GCC 4.8 Compiler Including Address Sanitizer Security
From the 'GNU? What's New?' files:
GCC has been around for 26 years and it remains one of the most important and widely used open source efforts of all time.
This week, the latest incarnation of GCC should be released with GCC 4.8. As with every GCC release, performance optimizations are to be found throughout, improving compilation speed and output.
What stands out to me with GCC 4.8 though are the new security related enhancements. In particular those that go after use-after-free memory errors. Use-after-free errors, in my opinion, remain the dominant risk in many apps today - all you need to do is look at bug/security reports in WebKit or Mozilla Firefox and you'll see why.
To that end GCC 4.8 is including the Google AddressSanitizer technology.
AddressSanitizer , a fast memory error detector, has been added and can be enabled via -fsanitize=address. Memory access instructions will be instrumented to detect heap-, stack-, and global-buffer overflow as well as use-after-free bugs. To get nicer stacktraces, use -fno-omit-frame-pointer.
I've written on AddressSanitizer many times before, but typically in the context of Google Chrome updates. Google and its cadre of security researcher tend to find *lots* of flaws with this tool. Having this built-in/integrated with GCC is a HUGE win for the security of the bazillion developers (accurate number) that use GCC.
Google's ThreadSanitizer which can find data races, is also being backed in - which should help to mitigate the risk of race conditions in compiled code.
GCC 4.8 is currently at the release candidate stage, with the final release expected out later this week.