Cyclone: A safe dialect of C Trevor Jim Greg Morrisett Dan Grossman Michael Hicks James Cheney Yanling Wang

Overview Introduction From C to Cyclone Implementation Design History Conclusion/Questions

Introduction “Common errors that cause vulnerabilities — buffer overflows, poor handling of unexpected types and amounts of data — are well understood. Unfortunately, features still seem to be valued more highly among manufacturers than reliability.” When dealing with security it is common to see this quote . The quote leads us to believe violations can be prevented by changing priorities But many reasons safety violations occur so often in C is more than poor training it is due to the roots to the design of C itself We learn about buffer overflows in all programming classes yet this is still a huge issue. There are fundamental reasons for this that have to do with the design of C. The next slide will name a few common practices that can cause vulnerabilities.

Introduction Safety violations that occur in C Buffer overflows in C can be caused by bad pointer arithmetic C uses Null-terminating strings Out-of-bounds pointers are commonplace in C An off by one error can cause a buffer overflow and its hard to train people to completely eliminate off by one errors Null terminating strings are important for efficiency, but the null terminator can be overwritten and this could cause a buffer overflow Out of bound pointers occur quite frequently when working with arrays We determine the end of an array by placing the pointer right past the end. Since this is common it is expected that occasionally it will be dereferenced or assigned.

Introduction Cyclone allows for safety while retaining C’s syntax and semantics Has been in development for 2 years Designed from the ground up for: Prevention of buffer overflows Format string attacks Memory management errors 110,000 lines 35,000 for the compiler 15,000 for supporting libraries Looking at safety violations enabled by C and how Cyclone avoids them Cyclone allows for safety without giving up C’s control of data representation and memory management It allows for developers to not have to switch to a high level language Developing cyclone to have the safety guarantee of Java while keeping C’s syntax, semantics, and idioms intact. Cyclone is freely available. The compiler and accompanying tools are licensed under GNU Now we will look at how Cyclone was developed

From C to Cyclone Similarities Differences It uses C processor Follows C’s lexical convention and grammar Same data representation as C Differences Cyclone performs a static analysis on code Inserts run-time checks Rejects some programs that C might compile Similarities arrays, pointers, enumerations, unions, structures Differences the run time checks into the compiled output at places where the analysis can’t determine that an operation is safe some safe programs will be rejected during this process

From C to Cyclone Restrictions Null checks are inserted to prevent segmentation faults Pointer arithmetic is restricted Dangling pointers are prevented through region analysis and limitations on free Only “safe casts’ and unions are allowed Setjmp and longjmp are not supported Switch labels in different scopes are disallowed These are just some of the restrictions that are imposed to c to preserve safety. The best results are to use more than one technique. Other projects have also tried applying add-ons to C so they are seldom used in production. Cyclone makes safety the default.

From C to Cyclone Extensions Never-Null pointers do not require Null checks Tagged unions support type-varying arguments Injections help automate the use of tagged unions for programmers Polymorphism replaces some use of void * Exceptions replace some uses of setjmp and longjmp These are some of the extensions that are imposed in Cyclone to make C safer

From C to Cyclone The free function in C can create dangling pointers The following is a code example Region h { int *x = rmalloc(h.sizeof(int)); int ?y = rnew(h) {1, 2, 3}; char ?z = rprintf(h, “hello”); } The article gives multiple examples, but we will just go over Free To prevent this Cyclone uses growable regions the following code is an example of how the regions are created Also this way cyclone can deallocate the entire region at one time when exiting The regions are also growable that way the memory doesn’t run out In the example x is initiallized as a pointer to an int size of memory Rnew creates an array y in the region x Rprintf creates buffer pointed to by z to store information

From C to Cyclone Rmalloc – works like malloc but allocates into a region of the handle Rnew – allocates and initializes a single step Rprintf – creates a buffer then prints formatted information to that buffer Handles can be passes to library functions Cyclone is one of the few programming languages that has safe memory management without using a garbage collector

Implementation Cyclone compiler implemented 35,000 lines of Cyclone Consists of a parser Static analysis phase And a simple translator Uses gcc as a backend Have built in utilities Memory profiler Another tool that was built in also includes documentation generation

Implementation Benchmarks Ease of Porting Table shows that much of a significant difference between C and Cyclone Ease of Porting Created cyclone so existing C code can be easily ported Fewer than 10% of the lines needed to be changed to port the benchmarks

Implementation Performance Safety Non-web benchmarks Mean and median same Standard deviation was at most 2% of the mean Near zero over-head for I/O bound applications Factor of three slower than C for computationally-intensive benchmarks Safety Found array bound violations in three benchmarks when C was ported to Cyclone Also have seen a slow down of a factor of six for operations involving pointer arithmetic

Design History Began as an offshoot of TAL Designed Popcorn to use with it Cyclone a rework of Popcorn From learning’s made some notable mistakes and changes Supported arrays with a type array<t> not a fat pointer Didn’t understand the importance of Null-terminated strings TAL- Typed Assembly Language ensured safety at the machine code level. Popcorn was a C like language that was used as the front end and built a compiler to translate it. They did this with an two agendas to further understand low-level safety and to gain outside adopters Converting C code to use array<t> was painful, so abandoned it and started using fat pointers. This made it easier to port C code requiring only a few changes. Came to understand how important Nul is to efficiency (memory reuse). So changed string library to match C’s

Conclusion Questions ? Cyclone a dialect of C that provides safety Cyclone uses static analysis and run-time checks to prevent safety violations Tries to accommodate C’s style of low-level programming Questions ?