Open Source GCC 4.8 Compiler Including Address Sanitizer Security

From the ‘GNU? What’s New?’ files:

GCC has been around for 26 years and it remains one of the most important and widely used open source GNU GCCefforts of all time.

This week, the latest incarnation of GCC should be released with GCC 4.8. As with every GCC release, performance optimizations are to be found throughout, improving compilation speed and output.

What stands out to me with GCC 4.8 though are the new security related enhancements. In particular those that go after use-after-free memory errors. Use-after-free errors, in my opinion, remain the dominant risk in many apps today – all you need to do is look at bug/security reports in WebKit or Mozilla Firefox and you’ll see why.

To that end GCC 4.8 is including the Google AddressSanitizer technology.

AddressSanitizer     , a fast memory error detector, has been added and can be     enabled via -fsanitize=address. Memory access     instructions will be instrumented to detect heap-, stack-, and     global-buffer overflow as well as use-after-free bugs. To get     nicer stacktraces, use -fno-omit-frame-pointer.

I’ve written on AddressSanitizer many times before, but typically in the context of Google Chrome updates. Google and its cadre of security researcher tend to find *lots* of flaws with this tool. Having this built-in/integrated with GCC is a HUGE win for the security of the bazillion developers (accurate number) that use GCC.

Google’s ThreadSanitizer which can find data races, is also being backed in – which should help to mitigate the risk of race conditions in compiled code.

GCC 4.8 is currently at the release candidate stage, with the final release expected out later this week.

Sean Michael Kerner is a senior editor at, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.

News Around the Web