Safety in the C programming Language

Peter Wihl
May 26th, 2005
CS 297 Security and Programming Languages
Overall Issue: Safety in C
• Best feature of C:
– Gives the programmer access to the lowest levels of the machine
• Worst feature of C:
– Gives the programmer access to the lowest levels of the machine
The Problem of Memory Manipulation
• Bad pointer arithmetic
• Defining the end of a string: the NULL terminator
• Trespassing: when a pointer goes out of its bounds
• “The design of the C programming language encourages programming at the edge of safety.” –A1
The Band Aid Approach
• Create guidelines for the use of the existing language
• Examples:
– DECOS: Dependable Embedded Components and Systems, used in Europe and designed by committee
– DOE-STD-1172-2003: Safety Software Quality guidelines for nuclear facilities
– NASA C Programming Style Guide: from Goddard Space Flight Center
– MISRA: Motor Industry Software Reliability Association
The Next Approach
• Create a modification of the C language
– Cyclone
– CCured
Cyclone
• Automatically inserts run-time NULL checks when pointers are used
• Defined two new types of pointers:
– Never-NULL pointer
• ‘@’ instead of ‘*’
– Fat pointer
• ‘?’ instead of ‘*’
• permits pointer arithmetic
• ?-pointer represented by an address + bounds
Cyclone
• Uninitialized pointers: static analysis detects them
• Dangling pointers: to prevent dereferencing a dangling pointer, it performs a “region analysis” on the code
• Freeing memory:
– “Growable regions” live on the heap and are accessed through handles
• Tagged unions: used to control type-varying arguments; the tags distinguish the cases of the union so the callee knows which type is being passed in a particular call
CCured
• Deals only with pointers
• Classifies them in two groups:
– Statically typed pointers
– Dynamically-typed pointers
CCured
• Defines two classes of pointers: static and dynamic
• CCured does not allow these two pointer conditions:
– A dynamically-typed and a statically-typed pointer cannot both point to the same location
– A statically-typed pointer cannot be stored in an area pointed to by a dynamic pointer
• Deallocation is handled through built-in garbage collection
CCured: Statically Typed Pointer
• The SEQ (“sequence”) pointer
– Can be used in pointer arithmetic but is required to carry bounds
• The SAFE pointer
– Can be NULL but does not allow pointer arithmetic
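The Cyclone ?-pointer (address + bounds) and the CCured SEQ pointer both attach bounds to the pointer and check them at each dereference. The following is an added illustration of that idea in plain C; it is not code from Cyclone, CCured or the slides, and the names (fat_ptr, fat_make, fat_add, fat_read, fat_strlen_checked, demo_rejected_accesses) are assumptions chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* A bounds-carrying ("fat") pointer to char: the current address plus the
   bounds of the object it points into. Illustration only, not Cyclone/CCured code. */
typedef struct {
    char *cur;   /* current address; may drift outside the object */
    char *base;  /* first valid byte */
    char *end;   /* one past the last valid byte */
} fat_ptr;

/* Build a fat pointer over a buffer of n bytes (NULL buffer -> empty bounds). */
fat_ptr fat_make(char *buf, size_t n) {
    fat_ptr p = { buf, buf, buf ? buf + n : NULL };
    return p;
}

/* Pointer arithmetic is permitted: the bounds travel with the pointer and
   the result is only checked when it is dereferenced. */
fat_ptr fat_add(fat_ptr p, ptrdiff_t off) {
    p.cur += off;
    return p;
}

/* Checked read: returns 1 and stores the byte in *out when cur is non-NULL
   and inside [base, end); returns 0 on a NULL or trespassing pointer.
   Addresses are compared as integers so an out-of-object cur is still safe to test. */
int fat_read(fat_ptr p, char *out) {
    if (p.cur == NULL || (uintptr_t)p.cur < (uintptr_t)p.base ||
        (uintptr_t)p.cur >= (uintptr_t)p.end)
        return 0;
    *out = *p.cur;
    return 1;
}

/* strlen through a fat pointer: stops at the NUL terminator or, if there is
   none, at the bounds check instead of running off the end of the buffer. */
size_t fat_strlen_checked(fat_ptr p) {
    size_t n = 0;
    char c;
    while (fat_read(fat_add(p, (ptrdiff_t)n), &c) && c != '\0')
        n++;
    return n;
}

/* Constructed 4-byte buffer with no terminator; returns how many of three
   dereferences the check rejected (one past the end and one before the start). */
int demo_rejected_accesses(void) {
    char buf[4] = { 'a', 'b', 'c', 'd' };   /* constructed sample input */
    fat_ptr p = fat_make(buf, sizeof buf);
    char c;
    int rejected = 0;
    rejected += !fat_read(fat_add(p, 3), &c);   /* in bounds: reads 'd' */
    rejected += !fat_read(fat_add(p, 4), &c);   /* one past end: rejected */
    rejected += !fat_read(fat_add(p, -1), &c);  /* before base: rejected */
    return rejected;
}
```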
CCured: Dynamically Typed Pointer
• The DYN pointer
• Contains two fields: the base and the pointer field
• The base field points to the start of a dynamically typed area that is preceded by a length and followed by tag bits
Possible Problems With These Solutions
• Application-level programming vs. system-level programming
• Manually setting the address of a data pointer
• Needed for memory-mapped I/O
• Separating regions of code in systems with no OS
An example
• You are writing code for an embedded system with no OS and a limited run-time environment
• The system architecture has two memory maps: boot time and run time
• Build two separate execution regions: Boot and Main
Example (continued)
• …..
• void (*Jump)(void);   /* pointer to a function taking no arguments */
• Jump = 0;             /* point it at address 0x000000 */
• Jump();               /* call through it */
• What am I doing here?!?! This is evil code!
• (it was written by Justin R. Cutler)
Example (continued)
• This is a soft reset that jumps out of the Boot code and goes to the start of Main, which is now at address location 0x000000
• Would this be allowed by Cyclone or CCured? Something to talk about, or maybe not.
References
• Software Safety Home Page: http://www.softwaresafety.net/Guidelines/