Safety in the C programming Language
Peter Wihl
May 26th, 2005
CS 297 Security and Programming Languages
Slides: 18

Overall Issue: Safety in C
• Best feature of C:
– Gives programmer access to the lowest levels of the machine
• Worst feature of C:
– Gives programmer access to the lowest levels of the machine

The Problem of Memory Manipulation
• Bad Pointer Arithmetic
• Defining the end of a string, the NULL termination
• Trespassing: when a pointer goes out of its bounds
• “The design of the C programming language encourages programming at the edge of safety.” – [1]

The Band Aid Approach
• Create guidelines for the use of the existing language
• Examples:
– DECOS: Dependable Embedded Components and Systems, used in Europe and designed by committee
– DOE-STD-1172-2003: Safety Software Quality guidelines for Nuclear Facilities
– NASA C Programming Style Guide: from Goddard Space Flight Center
– MISRA: Motor Industry Software Reliability Association

The Next Approach
• Create a modification of the C language
– Cyclone
– CCured

Cyclone
• Automatically insert run-time NULL checks when pointers are used
• Defined two new types of pointers:
– Never-NULL pointer
  • ‘@’ instead of ‘*’
– Fat pointer
  • ‘?’ instead of ‘*’
  • permits pointer arithmetic
  • ?-pointer represented by an address + bounds
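As an added example (not from the slides and not Cyclone's own code), the plain C below emulates the ‘?’ fat pointer: the address travels together with its bounds, arithmetic is allowed, and every dereference carries the check that Cyclone inserts automatically. A bounds-aware string copy shows the trespass from the memory-manipulation slide being stopped at the buffer's end. All names (fatptr, fat_get, fat_set, fat_strcpy, the demo_ functions) are invented for this example.

```c
/* Added example, not part of the slides and not Cyclone's own code: a plain C
 * emulation of Cyclone's '?' (fat) pointer, an address carried together with
 * its bounds, with the check Cyclone would insert at every use. All names
 * (fatptr, fat_get, fat_set, fat_strcpy, ...) are invented for this example. */
#include <stddef.h>
#include <stdio.h>

typedef struct {
    char     *base;  /* start of the underlying object */
    ptrdiff_t off;   /* current position relative to base (may go negative) */
    size_t    len;   /* number of valid bytes starting at base */
} fatptr;

static fatptr fat_from_array(char *arr, size_t len) {
    fatptr p = { arr, 0, len };
    return p;
}

/* Arithmetic is allowed on a ?-pointer; only the offset moves, the bounds stay. */
static fatptr fat_add(fatptr p, ptrdiff_t n) {
    p.off += n;
    return p;
}

/* The inserted check: is the current position inside [base, base + len)? */
static int fat_in_bounds(fatptr p) {
    return p.off >= 0 && (size_t)p.off < p.len;
}

/* Read one byte; returns 1 on success, 0 if the access would trespass. */
static int fat_get(fatptr p, char *out) {
    if (!fat_in_bounds(p))
        return 0;
    *out = p.base[p.off];
    return 1;
}

/* Write one byte; returns 1 on success, 0 if the access would trespass. */
static int fat_set(fatptr p, char v) {
    if (!fat_in_bounds(p))
        return 0;
    p.base[p.off] = v;
    return 1;
}

/* strcpy through a fat pointer: stops at the destination's bounds instead of
 * writing past them. Returns the number of bytes written before the
 * terminator (or before the copy was refused). */
static size_t fat_strcpy(fatptr dst, const char *src) {
    size_t i = 0;
    for (;; i++) {
        if (!fat_set(fat_add(dst, (ptrdiff_t)i), src[i]))
            return i;            /* out of bounds: trespass refused */
        if (src[i] == '\0')
            return i;            /* terminator copied, done */
    }
}

/* Scenario 1: "hello" fits in an 8-byte buffer; 5 bytes plus the terminator. */
static size_t demo_copy_fits(void) {
    char buf[8];
    return fat_strcpy(fat_from_array(buf, sizeof buf), "hello");
}

/* Scenario 2: a 23-byte string into 8 bytes; the copy is cut off after 8. */
static size_t demo_copy_overflows(void) {
    char buf[8];
    return fat_strcpy(fat_from_array(buf, sizeof buf), "this string is too long");
}

/* Scenario 3: reading one past the end is refused (returns 0). */
static int demo_read_past_end(void) {
    char buf[8] = "abcdefg";
    char c;
    return fat_get(fat_add(fat_from_array(buf, sizeof buf), 8), &c);
}

/* Scenario 4: an in-bounds read works and yields the expected byte. */
static int demo_read_in_bounds(void) {
    char buf[8] = "abcdefg";
    char c = 0;
    return fat_get(fat_add(fat_from_array(buf, sizeof buf), 3), &c) && c == 'd';
}

int main(void) {
    printf("fits: %zu, overflows: %zu, past end: %d, in bounds: %d\n",
           demo_copy_fits(), demo_copy_overflows(),
           demo_read_past_end(), demo_read_in_bounds());
    return 0;
}
```

The point of the design is that the bounds are part of the pointer value itself, so `fat_add` can move freely (as Cyclone permits) and only the access is refused; a plain `char *` has nowhere to carry that information, which is why the overflow in scenario 2 would silently corrupt memory in ordinary C.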

Cyclone
• Uninitialized pointers: static analysis to detect them
• Dangling pointers: to prevent dereferencing of a dangling pointer it performs a “region analysis” on the code
• Freeing memory:
– “growable regions” live on the heap and are accessed through handles
• Tagged unions: used to control type-varying arguments; the tags distinguish the cases of the union so the code knows which types are being used in a particular call

CCured
• Deals only with pointers
• Classifies them in two groups:
– Statically typed pointers
– Dynamically typed pointers

CCured
• Defines two classes of pointers: static and dynamic
• CCured does not allow these two pointer conditions:
– Cannot have both a dynamically typed and a statically typed pointer pointing to the same location
– Cannot have a statically typed pointer stored in an area pointed to by a dynamic pointer
• Deallocation is handled through built-in garbage collection

CCured: Statically Typed Pointer
• The SEQ (“sequence”) pointer
– Can be used in pointer arithmetic but is required to carry bounds
• The SAFE pointer
– Can be NULL but does not allow pointer arithmetic

CCured: Dynamically Typed Pointer
• DYN pointer
• Contains two fields, the base and the pointer field
• Base field points to the start of a dynamically typed area that is preceded by a length and followed by tag bits
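As an added example (not from the slides and not CCured's own code), the plain C below sketches the dynamically typed area a DYN pointer's base field refers to: a length word in front of the data and one tag per word behind it, marking which words hold pointers. Any word may be read as an integer, but a word may only be used as a pointer if its tag says so, and storing an integer clears the tag. The layout details (a tag byte per word, a stored pointer occupying two words) and all names (dynptr, dyn_area_new, dyn_read_ptr, dyn_demo) are assumptions made for this example.

```c
/* Added example, not part of the slides and not CCured's own code: a plain C
 * sketch of the dynamically typed area behind a DYN pointer. The area holds a
 * length word in front of the data and one tag byte per word behind it (only
 * its low bit is used: 1 = "this word holds a pointer"). All names (dynptr,
 * dyn_area_new, dyn_read_ptr, ...) are invented for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

typedef struct {
    uintptr_t *base;   /* start of the data words; base[-1] is the length */
    uintptr_t *ptr;    /* the word this pointer currently addresses */
} dynptr;

static size_t    dyn_len(dynptr p)   { return (size_t)p.base[-1]; }
static uint8_t  *dyn_tags(dynptr p)  { return (uint8_t *)(p.base + dyn_len(p)); }
static ptrdiff_t dyn_index(dynptr p) { return p.ptr - p.base; }

static int dyn_in_bounds(dynptr p) {
    ptrdiff_t i = dyn_index(p);
    return i >= 0 && (size_t)i < dyn_len(p);
}

/* Layout: [len][word 0 .. word nwords-1][one tag byte per word]; exits on OOM. */
static dynptr dyn_area_new(size_t nwords) {
    uintptr_t *mem = calloc(1, (1 + nwords) * sizeof *mem + nwords);
    dynptr p;
    if (mem == NULL)
        exit(EXIT_FAILURE);
    mem[0] = (uintptr_t)nwords;
    p.base = mem + 1;
    p.ptr  = p.base;
    return p;
}
static void   dyn_area_free(dynptr p)         { free(p.base - 1); }
static dynptr dyn_add(dynptr p, ptrdiff_t n)  { p.ptr += n; return p; }

/* Storing an integer clears the word's tag. */
static int dyn_write_int(dynptr p, uintptr_t v) {
    if (!dyn_in_bounds(p))
        return 0;
    *p.ptr = v;
    dyn_tags(p)[dyn_index(p)] = 0;
    return 1;
}

/* Any in-bounds word may be read as an integer. */
static int dyn_read_int(dynptr p, uintptr_t *out) {
    if (!dyn_in_bounds(p))
        return 0;
    *out = *p.ptr;
    return 1;
}

/* A stored DYN pointer occupies two words (base, ptr); the tag marks the first. */
static int dyn_write_ptr(dynptr p, dynptr q) {
    if (!dyn_in_bounds(p) || !dyn_in_bounds(dyn_add(p, 1)))
        return 0;
    p.ptr[0] = (uintptr_t)q.base;
    p.ptr[1] = (uintptr_t)q.ptr;
    dyn_tags(p)[dyn_index(p)]     = 1;
    dyn_tags(p)[dyn_index(p) + 1] = 0;
    return 1;
}

/* Reading a pointer is refused unless the tag says the word holds one, so an
 * integer can never be turned into a pointer through the area. */
static int dyn_read_ptr(dynptr p, dynptr *out) {
    if (!dyn_in_bounds(p) || !dyn_in_bounds(dyn_add(p, 1)))
        return 0;
    if (dyn_tags(p)[dyn_index(p)] != 1)
        return 0;
    out->base = (uintptr_t *)p.ptr[0];
    out->ptr  = (uintptr_t *)p.ptr[1];
    return 1;
}

/* Scenario: a 4-word area; 42 in word 0, a pointer to word 1 stored at word 2.
 * Returns a bit mask of the checks that behaved as described (expect 15). */
static int dyn_demo(void) {
    dynptr a = dyn_area_new(4), q;
    uintptr_t v = 0;
    int ok = 0;
    dyn_write_int(a, 42);
    dyn_write_ptr(dyn_add(a, 2), dyn_add(a, 1));
    if (dyn_read_int(a, &v) && v == 42)                          ok |= 1; /* int read */
    if (!dyn_read_ptr(a, &q))                                    ok |= 2; /* 42 is no pointer */
    if (dyn_read_ptr(dyn_add(a, 2), &q) && q.ptr == a.base + 1)  ok |= 4; /* round-trip */
    dyn_write_int(dyn_add(a, 2), 7);                   /* overwriting clears the tag */
    if (!dyn_read_ptr(dyn_add(a, 2), &q) && !dyn_read_int(dyn_add(a, 4), &v))
        ok |= 8;                                       /* stale tag and out-of-bounds refused */
    dyn_area_free(a);
    return ok;
}
```

The length in front gives the bounds check, and the tags behind give the type check; together they are what lets CCured accept code whose pointer usage cannot be classified statically, at the cost of the extra words and the checks on every access.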

Possible Problems With These Solutions
• Application level programming vs. system level programming
• Manually setting the address of a data pointer
• Needed for memory-mapped I/O
• Separating regions of code in systems with no OS

An example
• You are writing code for an embedded system with no OS and limited run time environment
• System architecture has two memory maps, boot time and run time
• Build two separate execution regions:
– Boot and Main

Example (continued)
• ….
  void (*Jump)(void);   /* pointer to a function taking no arguments, returning nothing */
  Jump = 0;             /* aim it at address 0 */
  Jump();               /* call through the null function pointer */
• What am I doing here?!?! This is evil code!
• (it was written by Justin R. Cutler)

Example (continued)
• This is a soft reset that jumps out of Boot code and goes to the start of Main, which is now at address location 0x000000
• Would this be allowed by Cyclone or CCured? Something to talk about, or maybe not.

References
• [1] Software Safety Home Page:
– http://www.softwaresafety.net/Guidelines/