May 22, 2002OSQ Retreat 1 CCured: Taming C Pointers George Necula Scott McPeak Wes Weimer

Slides:

Advertisements

Similar presentations

HardBound: Architectural Support for Spatial Safety of the C Programming Language Joe Devietti *, Colin Blundell, Milo Martin, Steve Zdancewic * University.

Advertisements

CHECKING MEMORY SAFETY AND TEST GENERATION USING B LAST By: Pashootan Vaezipoor Computing Science Dept of Simon Fraser University.

Dynamic Memory Allocation in C.  What is Memory What is Memory  Memory Allocation in C Memory Allocation in C  Difference b\w static memory allocation.

Things to Remember When Developing 64-bit Software OOO "Program Verification Systems"

Programming Languages and Paradigms The C Programming Language.

The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.

Exception Handling. Background In a perfect world, users would never enter data in the wrong form, files they choose to open would always exist, and code.

Chapter 7:: Data Types Programming Language Pragmatics

This Time Pointers (declaration and operations) Passing Pointers to Functions Const Pointers Bubble Sort Using Pass-by-Reference Pointer Arithmetic Arrays.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

Kernighan/Ritchie: Kelley/Pohl:

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Compiler Construction

SAFECode SAFECode: Enforcing Alias Analysis for Weakly Typed Languages Dinakar Dhurjati University of Illinois at Urbana-Champaign Joint work with Sumant.

Introduction The Approach ’ s Overview A Language of Pointers The Type System Operational Semantics Type Safety Type Inference The Rest of C Experiments.

Strength Through Typing: A more powerful dependently-typed assembly language Matt Harren George Necula OSQ 2004.

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.

Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.

. Compilation / Pointers Debugging 101. Compilation in C/C++ hello.c Preprocessor Compiler stdio.h tmpXQ.i (C code) hello.o (object file)

Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland.

Run-Time Error Handling Wes Weimer, George Necula.

Java Review 2 – Errors, Exceptions, Debugging Nelson Padua-Perez Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.

1 Type Type system for a programming language = –set of types AND – rules that specify how a typed program is allowed to behave Why? –to generate better.

CCured in the Real World Jeremy ConditMatthew Harren Scott McPeakGeorge Necula Westley Weimer OSQ Retreat May 14, 2003.

1 Pointers, Dynamic Data, and Reference Types Review on Pointers Reference Variables Dynamic Memory Allocation –The new operator –The delete operator –Dynamic.

May 9, 2001OSQ Retreat 1 Run-Time Type Checking for Pointers and Arrays in C Wes Weimer, George Necula Scott McPeak, S.P. Rahul, Raymond To.

Checking Memory Safety with BLAST Dirk Beyer, et al. FASE 2005 KAIST CS750b 2006 Fall Seonggun Kim.

Arrays and Pointers in C Alan L. Cox

Overview Working directly with memory locations is beneficial. In C, pointers allow you to: change values passed as arguments to functions work directly.

Safety in the C programming Language Peter Wihl May 26 th, 2005 CS 297 Security and Programming Languages.

Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.

Secure Virtual Architecture John Criswell, Arushi Aggarwal, Andrew Lenharth, Dinakar Dhurjati, and Vikram Adve University of Illinois at Urbana-Champaign.

EECE 310: Software Engineering Lecture 2: Understanding Objects in Java and Types.

University of Maryland Bug Driven Bug Finding Chadd Williams.

C# Overview and Features. Content I.History of C# II.Architecture III.How to install IV.Features V.Code Sample VI.Microsoft.NET Platform VII.Why use C#

Presentation of Failure- Oblivious Computing vs. Rx OS Seminar, winter 2005 by Lauge Wullf and Jacob Munk-Stander January 4 th, 2006.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

CMPSC 16 Problem Solving with Computers I Spring 2014 Instructor: Tevfik Bultan Lecture 12: Pointers continued, C strings.

Pointers and Arrays Beyond Chapter Pointers and Arrays What are the real differences? Pointer Holds the address of a variable Can be pointed.

CSC 2400 Computer Systems I Lecture 5 Pointers and Arrays.

CSE 425: Data Types I Data and Data Types Data may be more abstract than their representation –E.g., integer (unbounded) vs. 64-bit int (bounded) A language.

Dynamic Memory Allocation. Domain A subset of the total domain name space. A domain represents a level of the hierarchy in the Domain Name Space, and.

Overflow Examples 01/13/2012. ACKNOWLEDGEMENTS These slides where compiled from the Malware and Software Vulnerabilities class taught by Dr Cliff Zou.

Scott Kohn with Tammy Dahlgren, Tom Epperly, and Gary Kumfert Center for Applied Scientific Computing Lawrence Livermore National Laboratory October 2,

The Fail-Safe C to Java translator Yuhki Kamijima (Tohoku Univ.)

An Undergraduate Course on Software Bug Detection Tools and Techniques Eric Larson Seattle University March 3, 2006.

Topic 3: C Basics CSE 30: Computer Organization and Systems Programming Winter 2011 Prof. Ryan Kastner Dept. of Computer Science and Engineering University.

Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison.

Computer Organization and Design Pointers, Arrays and Strings in C Montek Singh Sep 18, 2015 Lab 5 supplement.

Debugging via Run-Time Type Checking Title Page Alexey Loginov, Suan Yong, Susan Horwitz, Thomas Reps University of Wisconsin - Madison.

1 Lecture07: Memory Model 5/2/2012 Slides modified from Yin Lou, Cornell CS2022: Introduction to C.

How to execute Program structure Variables name, keywords, binding, scope, lifetime Data types – type system – primitives, strings, arrays, hashes – pointers/references.

© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,

Chapter 16 Pointers and Arrays Pointers and Arrays We've seen examples of both of these in our LC-3 programs; now we'll see them in C. Pointer Address.

© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,

Dr. M. Al-Mulhem Introduction 1 Chapter 6 Type Systems.

Language-Based Security: Overview of Types Deepak Garg Foundations of Security and Privacy October 27, 2009.

Dynamic Allocation in C

Content Coverity Static Analysis Use cases of Coverity Examples

Semantic Analysis Type Checking

High Coverage Detection of Input-Related Security Faults

SUDS: An Infrastructure for Creating Bug Detection Tools

Runtime Monitoring of C Programs for Security and Correctness

Pointers, Dynamic Data, and Reference Types

Code-Pointer Integrity

Introduction to Static Analyzer

point when a program element is bound to a characteristic or property

Suan Hsi Yong University of Wisconsin – Madison

SPL – PS2 C++ Memory Handling.

Presentation transcript:

May 22, 2002OSQ Retreat 1 CCured: Taming C Pointers George Necula Scott McPeak Wes Weimer

May 22, 2002 OSQ Retreat2 What are we doing?  Add run-time checks to C programs  Catch memory safety errors  Minimal user effort  Make C “feel” as safe as Java

May 22, 2002 OSQ Retreat3 The CCured System C Program CCured Translator Instrumented C Program Compile & Execute Halt: Memory Safety Violation Success

May 22, 2002 OSQ Retreat4 Motivation  C: Why C? It is popular; it is part of the infrastructure It is also unsafe  CURED: Why memory safety? Implicit specification Prerequisite for isolation, other properties 50% of software errors are due to pointers 50% of security errors due to buffer overruns

May 22, 2002 OSQ Retreat5 CCured Overview  Three kinds of pointers: SAFE, SEQ, DYN Spectrum of speed vs. capabilities  Run-time bookkeeping for memory safety Array bounds information Some run-time type information

May 22, 2002 OSQ Retreat6 SAFE Pointers SAFE pointer to type   ptr On use: - null check Can do: - dereference

May 22, 2002 OSQ Retreat7 SEQuence Pointers SEQ pointer to type   baseptr On use: - null check - bounds check Can do: - dereference - pointer arithmetic end

May 22, 2002 OSQ Retreat8 DYNamic Pointers DYN int homeptr DYN pointer len tags On use: - null check - bounds check - tag check/update Can do: - dereference - pointer arithmetic - arbitrary typecasts 110

May 22, 2002 OSQ Retreat9 Kinds of Pointers  Most pointers are SAFE No evil casts, no arithmetic, etc. e.g., FILE * fin = fopen(“input”, “r”); These can be represented without any extra information (just a null check when used)  This yields better performance!

May 22, 2002 OSQ Retreat10 Static Analysis & Inference  For every pointer in the program Try to infer the fastest safe representation This is like eliminating classes of run-time checks we know will never fail  Can be formulated as constraint-solving Examine casts and expressions to get constraints O(E) where E is number of casts/assignments (flow insensitive)

May 22, 2002 OSQ Retreat11 Static Analysis From 10,000 ft  See “p++”, infer p is not SAFE struct { int a; int b; } *p1, *p2; int *q = (int *)p1; // this cast is fine int **r = (int **)p2; // this one is not: // p2 and r must be DYN

May 22, 2002 OSQ Retreat12 Variable-Argument Functions  Common in C (e.g., printf, )  Note all types used for actual arguments  Record actual argument types at call-site  Inside body, check when a type is expected  Also check number of arguments requested  Special handling for printf()

May 22, 2002 OSQ Retreat13 Experiments  Instrumented Spec95, Olden, Ptrdist  2 Linux Device Drivers  9 Apache Modules  1 FTP Server  Slowdown: benchmark 50%, other 2%  Found some bugs!

May 22, 2002 OSQ Retreat14 Experimental Results LOC%Safe%Seq%DynCCured RatioPurify Ratio compress go ijpeg li bh bisort em3d ks health

May 22, 2002 OSQ Retreat15 Experimental Results (2) LOCSafeSeqDynCCured RatioChanges bc yacr WebStone (9 mods) 14940~85~ ~204 or 1% pcnet or 0.3% (ping)1.00 sbull or 2% (seeks)1.03 ftpd or 1%

May 22, 2002 OSQ Retreat16 Bugs Found  ks passes FILE* to printf, not char*  compress, ijpeg: array bound violations  go: 8 array bound violations  go: 1 uninit variable as array index  Many involve multi-dimensional arrays  Purify only found go uninit bug  ftpd buffer overrun bug

May 22, 2002 OSQ Retreat17 Other Fun Features  Special Sequences (strings)  void* is treated as a type variable  Limited polymorphism clone functions at call-site later, coalesce identical bodies  DYN function pointers

May 22, 2002 OSQ Retreat18 Future Work  ACE C++ operating system framework 2M LOC, 2000 files  Store meta-data apart from pointers better library integration  Explain inference results to user

May 22, 2002 OSQ Retreat19 Conclusion  Most C pointers are already type-safe  Static and dynamic analyses complementary  CCured is expressive enough to handle C yet precise enough to find real bugs!  Performance is good

May 22, 2002 OSQ Retreat20 Any Questions?