Efficient Memory Safety for TinyOS 2.1 Yang Chen, Nathan Cooprider, Will Archer, Eric Eide, David Gay§, John Regehr School of Computing, University of Utah §Intel Research, Berkeley {chenyang, coop, warcher, eeide, regehr}@cs.utah.edu david.e.gay@intel.com Wireless Sensor Network Safe TinyOS Tool Chain Wireless Sensor Network Annotate Safe TinyOS code run modified nesC compiler enforce safety using Deputy compress error messages app Modify TinyOS to work with Deputy Enforce Deputy’s safety model Reduce overhead Introduction Background The Benefits of Safety Reliable sensor network software is difficult to create: applications are concurrent and distributed hardware-based memory protection is unavailable severe resource constraints necessitate the use of unsafe, low-level languages. TinyOS. TinyOS 2 is the dominant system for programming wireless sensor network devices. A programmer writes a few custom components and links them with components from the TinyOS library. Components are written in nesC, a dialect of C. for (i = 0; i < NUM_BUFFERS; i++) { if (m_pool[i].msg == NULL) break; } if (m_pool[i].msg == NULL) { m_pool[i].msg = _msg; Array Out-of-bounds Deputy. Deputy is a source-to-source compiler for ensuring type and memory safety for c code. A programmer must inform the compiler of this previously implicit information using type annotations. Code compiled by Deputy relies on a mix of compile- and run-time checks to ensure that these annotations are respected, and hence that type and memory safety are respected. Bug Confirmed! Array Out-of-bounds Reboot Normal TinyOS Safe Rebuild Soft state Normal TinyOS: 0% average availability Safe TinyOS: 95% average Array Out-of-bounds Practical Safety for TinyOS interface ReadStream<val_t> { command error_t postBuffer(val_t* buf, uint16_t n); command error_t read(uint32_t usPeriod); event void bufferDone(error_t result, val_t* buf, uint16_t n); event void readDone(error_t result, uint32_t usActualPeriod); } /* code from TinyOS 2.1 */ Null Pointer Dereference Our Goal: Catch all pointer and array bounds errors before they corrupt states; Put wireless sensor network software development on a solid foundation make mica2 safe Increased Availability! Conclusion and Future Work interface ReadStream<val_t> { command error_t postBuffer(val_t* COUNT_NOK(n) buf, uint16_t n); command error_t read(uint32_t usPeriod); event void bufferDone(error_t result, val_t* COUNT_NOK(n) buf, uint16_t n); event void readDone(error_t result, uint32_t usActualPeriod); } /* annotated code */ Our effort shows that Safe TinyOS is a practical system for the development of reliable sensor network software We are currently deploying and actively working on Safe TinyOS. In the near future we plan to: Support platforms other than Mica2, Micaz, and TelosB Integrate Safe TinyOS with a stack depth analysis tool to avoid stack overflows Solve the problem of unsafe accesses to pointers to dead stack frames – these are not covered by Deputy and make safe execution the default for TinyOS Our contributions: extending the nesC language and compiler to support safety annotations; finding previously unknown bugs; and showing that safety can be exploited to increase the availability of sensor networks applications even when memory errors are left unfixed. Visit Safe TinyOS homepage to know more information! Acknowledgments This material is based upon work supported by the National Science Foundation under Grant Nos. 0448047, 0410285, and 0615367.  Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation. http://www.cs.utah.edu/~coop/safetinyos