
Safe Compiler

How do you create a software platform that gives modern information technologies a high degree of reliability? A group of researchers from the Faculty of Computer Science and Information Technologies is working on this question. The creation of a secure compiler has become the topic of their research.

The heads and coordinators of the project are Sergei Mironov, Dean of the Faculty; Inna Batrayeva, Chair of the Department of Programming Technologies; and Dmitrii Petrov, Associate Professor of the Department of System Analysis and Automatic Control. Master's student Pavel Dunayev and students Artemii Granat and Artyom Senkevich work in tandem with them.

Since 2022, this university team has been cooperating on secure software research with the Institute of System Programming of the Russian Academy of Sciences, as well as with a direct customer, SVD Embedded Systems LLC from St. Petersburg. All of them are interested in the reliability of the real-time operating systems under development. All of them are also concerned with the topic of a secure compiler: one that does not let program code containing errors through, and that prevents optimizations that can lead to unpredictable program behavior or contribute to leakage of the data processed by the program.

Put simply, a compiler is a program that translates text written in a programming language into machine code. With the help of compilers, computers can understand different programming languages. In effect, it is a comprehensive "translator" that builds, or compiles, a program into an executable file. An executable file is a set of instructions that a computer understands and can execute. Many compilers have been developed for different programming languages.

Sergei Mironov:

"The software we use necessarily goes through the compilation stage. New programming languages and systems are constantly emerging, and compilers often have to be created for new operating systems, for new technical requirements, so this process will never stop. Actually, as well as technical progress. And since new compilers are constantly being born, they all need to be checked for safety."

 

Inna Batrayeva:

"Learning the basics of compiler development theory is included in the curricula of students, and Pavel Dunayev decided to apply this knowledge in an educational project. The work turned out well, and our colleague Dmitry Yuryevich Petrov established contacts with the St. Petersburg company SVD Embedded Systems and the Institute of System Programming of the Russian Academy of Sciences named after V.P. Ivannikov. They are actively engaged in the development of systems in the field of compiler security and are very interested in our research.

When the compiler translates text into machine code, it checks for syntax errors. But there are also semantic errors that lead to distortion of the text and a completely unexpected result of the work. Regular compilers do not track such errors, so an unsafe situation may result. A classic example: in mathematics, you can't divide by zero, but if we do it on a computer, it all depends on the compiler: one catches an error and the program stops working; the other compiler outputs division by zero as infinity and uses it further. And now imagine that infinity has gone into accounting – either an endless debt, or an endless salary. And if all this is, for example, inside the autopilot? A safe compiler should have functionality that will definitely catch this error.

The Institute of System Programming of the Russian Academy of Sciences is actively engaged in this. Its staff is developing software to test existing software for security, and they plan to develop their own secure compiler. Throughout the spring, our team has been actively working on creating their own ways of researching programs for security, and our colleagues from St. Petersburg suggested that we investigate the compiler for security, which they themselves developed. The guys did this job, sent them a report, and the customers were very satisfied. Now we are waiting for the next tasks from them.

In my practice, I have been engaged in testing to find various error variants that, in principle, cannot happen, but still happen, and I can say that this is hard, painstaking work, there is no beautiful interface here. The guys coped and are very proud of it. And we are proud of them too!"

 

Pavel Dunayev, a 2nd-year master's degree student:

"Throughout my years of study, I was interested in developing compilers; I had an exciting job creating a small educational compiler.

There are many programming languages, I always wanted to make my own, which is not so easy. But even if you came up with it, what's next? They need to be used somehow, and for this you need software. My term papers were devoted to working with compilers, followed by my thesis. My first serious impression was when I saw at the conference a large community of people united by the same interests as me. I felt the importance of what remains to be studied and the vast field for activity. My colleagues opened my eyes, I literally found a new way of looking at compilers as something more complex than I had imagined before."

 

Artemii Granat, 4th-year student taking a course in software engineering:

"I joined the project while studying in the 3rd year, because my area of interest is system programming. Before starting to search for the right solutions, I studied theoretical materials and learned a lot from them. Real-time operating systems are embedded in machine tools, autopilots, cars, airplanes, etc. I made a lot of discoveries for myself, because I had not thought about how such operating systems differ before. I'm going to associate my future with system programming, and the knowledge for a specialist in this field turned out to be very useful. Within the framework of this project, there are three security classes (incrementally from the 3rd class). I was checking whether the compiler provided to us complies with the 3rd and 2nd security classes.

The result of our work was an 80-page report. It helped me a lot in my studies, I gained additional knowledge in many subjects. Later, we were invited to a video meeting where we talked about our results, many questions were asked and topics for future research were identified."

The heated discussion of the results of the SSU project to create a secure compiler reflects the relevance of the topic, especially given the tasks of import substitution. Many developers now have projects to create their own Russian compilers with safe functionality built in from the start.

The world community has developed many compilers that were used in different countries, and at some point it became clear that they all face the problem of vulnerabilities, in which there is always a risk of an error or an incorrect solution. I had to rewrite them. Domestic developers are therefore taking this approach: if they write their own compilers, these need to be checked for reliability right away. In the projects of our St. Petersburg and Moscow colleagues, the question stands exactly like this: while we are writing, we check so as not to violate the security functions. This is easier than rewriting, in emergency mode, a compiler that has already been put into operation.

 

Text by Tamara Korneva, photos by Dmitrii Kovshov

Translated by Lyudmila Yefremova

 

Publications:

I.A. Batrayeva, S.V. Mironov, P.D. Dunayev. Library for Development of Compilers // Proceedings of ISP RAS. 2022. Vol. 34. Iss. 5. Pp. 77-88.

I.A. Batrayeva, A.M. Granat. The usage of fuzzing technology in code testing // Proceedings of the Modern Technologies and Automatisation in Production, Management, and Education 5th International Research-to-Practice Conference. 2023. Vol. 1. Pp. 222-225.

P.D. Dunayev. Mutation-based Fuzzing of Compilers // Presenting Academic Achievements to the World 14th Research-to-Practice Conference, Saratov, SSU, April 10-11, 2023.