Two alternatives of C: Cyclone and Vault Keami Hung February 01, 2007.

Cited Sources
T. Jim, G. Morrisett, D. Grossman, M. Hicks, J. Cheney and Y. Wang. “Cyclone: A Safe Dialect of C”. USENIX Annual Technical Conference, pages , Monterey, CA, June .
R. DeLine and M. Fähndrich. “Vault: A Programming Language for Reliable Systems”.
T. Jim, G. Morrisett, D. Grossman, M. Hicks, J. Cheney and Y. Wang. “Cyclone”.
Wikipedia. “C Programming Language”.
Wikipedia. “Northeast Blackout of  Causes”.

C Programming Language
Since its first appearance in 1972, C has become one of the most widely used programming languages in the world. More lines of code have been written in C than in any other language, perhaps except Fortran (and maybe Java in the coming years?). It influenced languages like C++, C#, Java and D.

C Programming Language
A low-level imperative language with simple and elegant coding and syntax. Gives programmers maximum control over hardware, memory management, and data layout on the stack and heap. Highly efficient, with a low-overhead runtime. Critical in computer infrastructure like operating systems, servers, networking software, databases and distributed systems.

C Programming Language
Pointer:
- the most fundamental feature, which enables data layout and dynamic memory allocation
- the most vulnerable feature, from which many security hazards emerge: dangling references, null-pointer dereferences, illegal data type accesses, memory leaks, ...

C Programming Language
From these vulnerabilities in language structure and syntax, security loopholes are exploited for malicious purposes:
- Out-of-bound access --> buffer/stack/array overflow
- Illegal memory addressing and access
- Weak typing --> illegal type assignment
- Format string attacks
- ...

An Example
Remember the massive blackout across the northeastern US and eastern Canada in August 2003? The ultimate cause of the whole accident was a race-condition bug in the Unix-based OS of one control center's GE Energy XA/21 system, which stalled the electricity alarm system.

Is Java a good alternative?
Java eliminates most of the vulnerabilities, but also the features essential for low-level programming (e.g. pointers). The programmer has no direct control over data layout and memory allocation; everything is handled by the JVM. A Java program is interpreted and run on the JVM, making it comparatively inefficient next to C, especially in OS and networking infrastructure.

Goal
To create a safe and secure programming language while maintaining the syntax, semantics, features and low-level accessibility of C, if possible.

Checkers / Dialects of C
D, SCC (Safe C Compiler), Fail-Safe C, CCured, Cyclone, Vault, LINT, LCLint, SLAM, Metal

Cyclone
A safe dialect of C: “A design from the ground up to prevent buffer overflows, format string attacks, memory management errors that are common in C programs, while retaining C’s syntax and semantics.” Safety is guaranteed and the default, rather than additive. When control is required, it is given as needed.

Cyclone Structure
Cyclone code --> Parser --> Static Analyzer --> Translator to ANSI C --> GNU gcc or MS Visual C++ --> exe

Cyclone Pointers
To prevent buffer overflow vulnerabilities, null pointers and pointer arithmetic are restricted. Three kinds of pointers:
- * : typical pointer. Pointer arithmetic is prohibited; NULL checks are enabled.
- @ : never-NULL pointer. Pointer arithmetic is prohibited; NULL checks are disabled (since the pointer is guaranteed to be initialized).
- ? : bounds-checked pointer. Pointer arithmetic is allowed; a “fat pointer” that carries the size of the array / data it points to.
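What the ? (fat) pointer buys at runtime, shown in plain C as an added illustration rather than Cyclone's own syntax or runtime: the fat_char struct and the fat_from, fat_get, fat_set and fat_strcpy functions below are hypothetical names of my own. The base address travels with a length, so every access is checked, and the copy from Example 1 later in this transcript (255 characters into a 16-byte buffer) is refused instead of overflowing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A "fat" pointer in the spirit of Cyclone's ? pointer: the base address
   travels with the element count, so every access can be bounds-checked.
   Added plain-C illustration; the type and function names are hypothetical. */
typedef struct {
    char *base;
    size_t len;
} fat_char;

/* Build a fat pointer over an existing buffer. */
static fat_char fat_from(char *buf, size_t len) {
    fat_char f = { buf, len };
    return f;
}

/* Checked read: reports failure instead of reading past the end. */
static bool fat_get(fat_char f, size_t i, char *out) {
    if (f.base == NULL || i >= f.len) return false;
    *out = f.base[i];
    return true;
}

/* Checked write: reports failure instead of corrupting adjacent memory. */
static bool fat_set(fat_char f, size_t i, char c) {
    if (f.base == NULL || i >= f.len) return false;
    f.base[i] = c;
    return true;
}

/* A bounds-aware strcpy: copies the NUL-terminated src into dst and returns
   the number of characters copied, or -1 when src plus its terminator does
   not fit. That refusal is exactly where an unchecked strcpy overflows. */
static long fat_strcpy(fat_char dst, const char *src) {
    size_t n = strlen(src);
    if (dst.base == NULL || n + 1 > dst.len) return -1;
    memcpy(dst.base, src, n + 1);
    return (long)n;
}

/* Same shape as Example 1 on this page: a 16-byte buffer and a
   255-character source string (constructed here). */
static long example1_checked(void) {
    char buffer[16];
    char large_string[256];
    memset(large_string, 'A', 255);
    large_string[255] = '\0';
    return fat_strcpy(fat_from(buffer, sizeof buffer), large_string);
}

int main(void) {
    char buf[8] = "hello";
    fat_char f = fat_from(buf, sizeof buf);
    char c = '?';
    printf("buf[1] readable: %d (%c)\n", fat_get(f, 1, &c), c);
    printf("buf[8] readable: %d\n", fat_get(f, 8, &c));
    printf("Example 1 copy into 16 bytes: %ld\n", example1_checked());
    return 0;
}
```

The cost is visible too: each access pays a compare against the length, which is the source of the bounds-check overhead the performance slides report for ? pointers.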

Cyclone Region Analysis
To prevent dangling pointers and illegal data access through pointer variables, Cyclone’s analyzer performs region analysis to detect dereferences of a pointer into a region of data that has already been deallocated. A region is a segment of memory that is deallocated together (e.g. the local variables of a function). If a violation is detected, a compile-time error is reported. With this, functions like strcpy and strcat can no longer be misused to create buffer overflows.

Cyclone Growable Regions
In C, free is the counterpart of malloc: it deallocates the block and frees up the memory space the pointer currently points to. free is too dangerous as an operation, since it can create dangling references, segmentation faults and even root compromises (if it is accidentally used to free the same block of memory twice). In Cyclone, free is a no-op. Then how can we reclaim heap-allocated data?

Cyclone Growable Regions
A growable region keeps track of the variables declared and allocated within it. Each variable declared within the region is given a handle of the region, to keep track of which region it points into. Upon exit from the region, the variables are deallocated all together and the memory space freed. A safe version of arena-style memory management.
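The growable-region scheme from the last two slides, as an added plain-C sketch that is not Cyclone's runtime (region, region_alloc, region_free_obj and region_close are hypothetical names of my own): objects are carved out of blocks the region owns, freeing an individual object is a no-op exactly as the slide says of Cyclone's free, and the whole region is released at once on exit, so double free and use-after-free of region data have no operation that could cause them.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One block of backing memory owned by a region; blocks form a linked list
   so the region can grow. Added illustration, not Cyclone's implementation. */
typedef struct region_block {
    struct region_block *next;
    size_t used, cap;
    unsigned char data[];   /* flexible array member (C99) */
} region_block;

typedef struct {
    region_block *head;
    size_t live_bytes;      /* bytes handed out since the region was opened */
} region;

static region_block *block_new(size_t cap) {
    region_block *b = malloc(sizeof *b + cap);
    if (!b) return NULL;
    b->next = NULL; b->used = 0; b->cap = cap;
    return b;
}

static void region_init(region *r) { r->head = NULL; r->live_bytes = 0; }

/* Allocate n bytes from the region, adding a fresh block when the current one
   is exhausted. Every pointer handed out stays valid until region_close. */
static void *region_alloc(region *r, size_t n) {
    const size_t align = sizeof(void *);
    n = (n + align - 1) / align * align;            /* keep allocations aligned */
    if (!r->head || r->head->cap - r->head->used < n) {
        size_t cap = n > 4096 ? n : 4096;
        region_block *b = block_new(cap);
        if (!b) return NULL;
        b->next = r->head;
        r->head = b;
    }
    void *p = r->head->data + r->head->used;
    r->head->used += n;
    r->live_bytes += n;
    return p;
}

/* The "free is a no-op" rule: an individual object cannot be released early,
   so no pointer into the region can dangle while the region is open. */
static void region_free_obj(region *r, void *p) { (void)r; (void)p; }

/* Release every block at once. Returns the number of blocks released. */
static size_t region_close(region *r) {
    size_t blocks = 0;
    for (region_block *b = r->head; b; ) {
        region_block *next = b->next;
        free(b);
        b = next;
        blocks++;
    }
    r->head = NULL; r->live_bytes = 0;
    return blocks;
}

/* Demonstration: build two strings in a region, "free" one (a no-op), keep
   using it safely, then reclaim both together. Returns the combined length. */
static size_t demo(void) {
    region r; region_init(&r);
    char *a = region_alloc(&r, 6); strcpy(a, "hello");
    char *b = region_alloc(&r, 6); strcpy(b, "world");
    region_free_obj(&r, a);                 /* no-op: a is still valid */
    size_t total = strlen(a) + strlen(b);   /* 10 */
    region_close(&r);                       /* both strings reclaimed together */
    return total;
}

int main(void) {
    printf("combined length: %zu\n", demo());
    return 0;
}
```

What this sketch does not do is the compile-time part: Cyclone's region analysis is what stops a pointer into a closed region from being dereferenced after region_close, which plain C cannot enforce.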

Cyclone Tagged Unions
To prevent format string attacks, a tagged union feature is used to ensure the correct type and format of input data to a function (like printf). A C union is a structure in which variables of several data types share the same memory space. For convenience, automatic tag injection is provided for common C functions like printf, scanf, fcntl, ioctl, signal, bind, connect, etc.
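How a tag on each argument lets a printf-like function refuse a malformed format string before touching memory, as an added plain-C illustration of the idea (the tagged_arg type, check_format and safe_format are hypothetical names of my own, not Cyclone's API, and only %d, %s and %% are modelled). Two failure modes of plain printf are turned into error codes: a conversion with no argument left, which is what an attacker-controlled format string exploits, and a conversion whose tag does not match.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Tagged argument: the tag records which union member is live, so the
   consumer can verify the type before using it. Hypothetical names. */
typedef enum { TAG_INT, TAG_STR } arg_tag;

typedef struct {
    arg_tag tag;
    union { int i; const char *s; } u;
} tagged_arg;

static tagged_arg arg_int(int i) { tagged_arg a; a.tag = TAG_INT; a.u.i = i; return a; }
static tagged_arg arg_str(const char *s) { tagged_arg a; a.tag = TAG_STR; a.u.s = s; return a; }

/* Outcome of checking a format string against its tagged arguments. */
typedef enum {
    FMT_OK,
    FMT_TOO_FEW_ARGS,   /* conversion with no argument left: plain printf would read the stack */
    FMT_TYPE_MISMATCH,  /* e.g. %s given an int: plain printf would dereference it */
    FMT_BAD_SPEC        /* a conversion this checker does not accept (e.g. %n) */
} fmt_result;

/* Walk the format once, consuming one tagged argument per conversion and
   refusing anything that does not line up. */
static fmt_result check_format(const char *fmt, const tagged_arg *args, size_t nargs) {
    size_t next = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                       /* literal percent sign */
        if (*p != 'd' && *p != 's') return FMT_BAD_SPEC;
        if (next >= nargs) return FMT_TOO_FEW_ARGS;
        arg_tag want = (*p == 'd') ? TAG_INT : TAG_STR;
        if (args[next].tag != want) return FMT_TYPE_MISMATCH;
        next++;
    }
    return FMT_OK;
}

/* Format into out only after the check passes; otherwise out is left empty
   and the result code says why the format was refused. */
static fmt_result safe_format(char *out, size_t outlen, const char *fmt,
                              const tagged_arg *args, size_t nargs) {
    fmt_result r = check_format(fmt, args, nargs);
    if (outlen == 0) return FMT_BAD_SPEC;
    out[0] = '\0';
    if (r != FMT_OK) return r;
    size_t o = 0, next = 0;
    for (const char *p = fmt; *p && o + 1 < outlen; p++) {
        if (*p != '%') { out[o++] = *p; continue; }
        p++;
        if (*p == '%') { out[o++] = '%'; continue; }
        int n = (*p == 'd')
            ? snprintf(out + o, outlen - o, "%d", args[next].u.i)
            : snprintf(out + o, outlen - o, "%s", args[next].u.s);
        next++;
        if (n < 0) return FMT_BAD_SPEC;
        o += (size_t)n < outlen - o ? (size_t)n : outlen - o - 1;   /* honour truncation */
    }
    out[o] = '\0';
    return FMT_OK;
}

int main(void) {
    char out[64];
    tagged_arg args[] = { arg_str("alice"), arg_int(3) };   /* constructed sample */
    fmt_result r = safe_format(out, sizeof out, "%s has %d items", args, 2);
    printf("result %d: %s\n", r, out);
    /* A format string taken from input with no arguments behind it is refused. */
    printf("result %d\n", check_format("%s%s%s%s", NULL, 0));
    return 0;
}
```

Cyclone does this check in the type system rather than at run time, and the slide's "automatic tag injection" is what spares the programmer from writing the arg_int/arg_str wrappers by hand.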

Cyclone’s Other Special Features
To prevent dangling references, a goto statement that jumps into a scope other than its own is detected and reported as a compile-time error. Other features include:
- Restrictions on void * return types
- Restrictions on bad casts
- Restrictions on improper unions
- Compulsory return statements
- Exceptions in place of setjmp and longjmp

Cyclone Performance
In general, Cyclone gives decent performance compared to C, given its greatly improved safety and its occasional, but not frequent, overheads. The benchmark tests show that the difference in lines of code between C and Cyclone is small: Cyclone needs very slightly more code than C. During compilation, some safety violations were even discovered in three benchmarks widely used in systems programming, and subsequently fixed.

Cyclone Performance
Even with the garbage collector option and the bounds-check option enabled, Cyclone in general did not incur much runtime overhead on the benchmarks. In most benchmarks, the Cyclone program was slightly slower than its C counterpart. The greatest slowdown was a factor of 3. The slowest benchmarks were those with computationally intensive operations involving frequent bounds checks and ? (the “fat”) pointers.

Example 1

#include <string.h>

/* A 16-byte stack buffer receives a 255-character string through strcpy.
   A C compiler accepts this silently; in Cyclone the unchecked copy is
   reported as an error. */
void func(char *str)
{
    char buffer[16];
    strcpy(buffer, str); // ERROR!
}

int main(void)
{
    char large_string[256];
    int i;
    for (i = 0; i < 255; i++)
        large_string[i] = 'A';
    large_string[255] = '\0'; /* terminate, so strcpy reads exactly 255 bytes */
    func(large_string);
    return 0;
}

Example 2

#include <stdio.h>

/* Writes through a pointer computed from buffer1's address to alter the
   saved return address, so that the caller's next instruction is skipped.
   In Cyclone the pointer arithmetic and the cast are rejected at compile time. */
void func(int a, int b, int c)
{
    char buffer1[5];
    char buffer2[10];
    int *ret;
    // Get the address of the word containing the return address.
    ret = (int *)(buffer1 + 12);
    // Make it skip an entire instruction.
    (*ret) += 8; // ERROR!
}

int main(void)
{
    int x;
    x = 0;
    func(1, 2, 3);
    x = 1; // This will be skipped.
    printf("%d\n", x); // Prints 0
    return 0;
}

Vault
“A safe version of the C programming language, being developed at Microsoft Research, which provides the same level of safety as languages like C#, but allows a programmer to retain control over data layout and lifetime.”

Vault Features
Unlike Cyclone, which targets the specific features that cause common security attacks, Vault modifies a wide range of features. Most of the modifications are higher level, concerning functions, constructs, variants and aggregate types. Vault also brought in some concepts from object-oriented programming, like modules and generics.

Vault Features
Every variable must be initialized when declared. Compared to C, Vault is a type-safe language, and prohibits casts between arbitrary types.

Vault Aggregation
Tuple:
    (bool, int, string) mytuple = (false, 3, "hello");
Inner struct, outer struct, and flat:
    struct inner { int i; float f; }
    struct outer { char c; flat inner s; }

Vault Module and Interface
The module is the most important and most frequently used feature in Vault: a collection of type, variable, and function definitions. Inner and outer modules are declared like structs. A module resembles a simple class object. Encapsulation is achieved with the static keyword when declaring variables or functions inside the module.

Vault Interface
Provides encapsulation and information hiding, like a C header file does. Acts as a contract between a module implementation and a module client. A module can then claim (or adopt) an interface and implement the details.

Advantages of Cyclone
- Improved security
- Easy to learn, port and use
- Fast and efficient in general
- Translatable back to C code
- Fewer modifications over all language features

Disadvantages of Cyclone
- Pointer operations, involving three kinds of pointers, can be very confusing and difficult to master.
- Considerable slowdown on some computationally intensive programs.
- Some common practices for C programmers, like pointer arithmetic, are much restricted (but usually other ways are available).

Advantages of Vault
- Improved security.
- Modularization: helpful to large-scale programming / software development.
- Takes advantage of the object-oriented programming paradigm through generics, modules and interfaces.

Disadvantages of Vault
- Less focused on prevailing security issues.
- Less focused on low-level programming.
- Much more complicated than Cyclone, with lots of new features and keywords.

The End