Safety in the C Programming Language. Peter Wihl, May 26th, 2005. CS 297 Security and Programming Languages.


Overall Issue: Safety in C
Best feature of C:
–Gives the programmer access to the lowest levels of the machine
Worst feature of C:
–Gives the programmer access to the lowest levels of the machine

The Problem of Memory Manipulation
–Bad pointer arithmetic
–Defining the end of a string: the NULL termination
–Trespassing: when a pointer goes out of its bounds
"The design of the C programming language encourages programming at the edge of safety." –A1

The Band-Aid Approach
Create guidelines for the use of the existing language. Examples:
–DECOS: Dependable Embedded Components and Systems, used in Europe and designed by committee
–DOE-STD: Safety Software Quality guidelines for Nuclear Facilities
–NASA C Programming Style Guide, from Goddard Space Flight Center
–MISRA: Motor Industry Software Reliability Association

The Next Approach
Create a modification of the C language:
–Cyclone
–CCured

Cyclone
Automatically inserts run-time NULL checks when pointers are used.
Defines two new types of pointers:
–Never-NULL pointer, written with its own symbol instead of '*'
–Fat pointer '?' instead of '*': permits pointer arithmetic; a ?-pointer is represented by an address plus bounds

Cyclone
Uninitialized pointers: static analysis detects them.
Dangling pointers: to prevent dereferencing a dangling pointer, Cyclone performs a "region analysis" on the code.
Freeing memory:
–"Growable regions" live on the heap and are accessed through handles.
Tagged unions: used to control type-varying arguments; the tags distinguish the cases of the union so the code knows which types are being used in a particular call.

CCured
Deals only with pointers.
Classifies them in two groups:
–Statically typed pointers
–Dynamically typed pointers

CCured
Defines two classes of pointers: static and dynamic.
CCured does not allow these two pointer conditions:
–Cannot have both a dynamically typed and a statically typed pointer pointing to the same location
–Cannot have a statically typed pointer stored in an area pointed to by a dynamic pointer
Deallocation is handled through built-in garbage collection.

CCured: Statically Typed Pointers
The SEQ ("sequence") pointer:
–Can be used in pointer arithmetic but is required to carry bounds
The SAFE pointer:
–Can be NULL but does not allow pointer arithmetic
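Cyclone's ?-pointer and CCured's SEQ pointer both carry an address together with its bounds, and the check at dereference time is what turns the trespassing and missing-NULL-termination problems from the Memory Manipulation slide into a controlled failure. The following plain-C emulation is an added example, not Cyclone's or CCured's own code; the fat_ptr type, the fat_* helpers and the sample buffers in fat_demo are all constructed here.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Emulated bounds-carrying pointer: the address the program manipulates
 * plus the [base, end) range it may touch (as Cyclone '?' / CCured SEQ). */
typedef struct {
    char *ptr;   /* current address; arithmetic moves only this field */
    char *base;  /* first byte the pointer may access */
    char *end;   /* one past the last byte it may access */
} fat_ptr;
static fat_ptr fat_from_buf(char *buf, size_t n) {
    fat_ptr p = { buf, buf, buf + n };
    return p;
}
/* Arithmetic is permitted and never fails by itself: the bounds travel
 * with the pointer and are enforced only when it is dereferenced. */
static fat_ptr fat_add(fat_ptr p, ptrdiff_t n) { p.ptr += n; return p; }
static int fat_in_bounds(fat_ptr p) { return p.ptr >= p.base && p.ptr < p.end; }
/* Checked access: a trespass aborts instead of touching neighbouring memory. */
static char *fat_deref(fat_ptr p) {
    if (!fat_in_bounds(p)) { fprintf(stderr, "bounds violation at %p\n", (void *)p.ptr); abort(); }
    return p.ptr;
}

/* strcpy with bounds on both sides: stops when either pointer would leave
 * its area, and always writes a terminating NUL into dst.
 * Returns 1 if all of src was copied, 0 if it had to be cut short. */
static int fat_strcpy(fat_ptr dst, fat_ptr src) {
    while (fat_in_bounds(src) && *fat_deref(src) != '\0' && dst.end - dst.ptr > 1) {
        *fat_deref(dst) = *fat_deref(src);
        dst = fat_add(dst, 1);
        src = fat_add(src, 1);
    }
    *fat_deref(dst) = '\0';            /* aborts if dst has no room at all */
    return !fat_in_bounds(src) || *fat_deref(src) == '\0';
}

/* Constructed inputs: a 6-byte src with no NUL anywhere, copied into the
 * first n bytes (n <= 16) of dst. Returns strlen(dst) after the copy,
 * negated when fat_strcpy had to cut src short. */
static int fat_demo(size_t n) {
    char dst[16] = "";
    char src[6] = { 'h', 'e', 'l', 'l', 'o', '!' };
    int whole = fat_strcpy(fat_from_buf(dst, n), fat_from_buf(src, sizeof src));
    return whole ? (int)strlen(dst) : -(int)strlen(dst);
}
```

With a 4-byte destination the copy stops at "hel" and reports the cut; with room to spare the source's own bounds end the copy at 6 bytes, where an ordinary strcpy would have kept reading past the unterminated buffer.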

CCured: Dynamically Typed Pointer
The DYN pointer:
–Contains two fields, the base field and the pointer field
–The base field points to the start of a dynamically typed area that is preceded by a length and followed by tag bits
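To make the DYN layout concrete, here is an added emulation in plain C of a dynamically typed area with its length in front and one tag per word behind it. It is not CCured's runtime; the dyn_ptr type, the dyn_* helpers and the scenario in dyn_demo are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
enum { TAG_SCALAR = 0, TAG_POINTER = 1 };    /* one tag per word of the area */
/* Area layout as the slide describes: a length word, the data words, then the
 * tags. base points at the first data word, so base[-1] is the length and
 * base[len + i] is the tag of word i. Emulation only, not CCured's runtime. */
typedef struct {
    uintptr_t *base;  /* base field: start of the dynamically typed area */
    uintptr_t *p;     /* pointer field: where the program points right now */
} dyn_ptr;
static dyn_ptr dyn_new(size_t nwords) {
    uintptr_t *block = calloc(1 + 2 * nwords, sizeof *block);
    if (!block) abort();
    block[0] = nwords;                      /* the length precedes the area */
    return (dyn_ptr){ block + 1, block + 1 };
}
static void dyn_free(dyn_ptr d) { free(d.base - 1); }
static dyn_ptr dyn_add(dyn_ptr d, ptrdiff_t n) { d.p += n; return d; }
static uintptr_t *dyn_tag(dyn_ptr d, size_t i) { return d.base + d.base[-1] + i; }
/* Index of the word d.p refers to; fails once d.p has left the area. */
static int dyn_index(dyn_ptr d, size_t *i) {
    if (d.p < d.base || d.p >= d.base + d.base[-1]) return 0;
    *i = (size_t)(d.p - d.base); return 1;
}
/* Every write records what kind of word was stored. */
static int dyn_write(dyn_ptr d, uintptr_t v, uintptr_t tag) {
    size_t i;
    if (!dyn_index(d, &i)) return 0;
    d.base[i] = v; *dyn_tag(d, i) = tag; return 1;
}
/* A word may be read back as a pointer only if it was stored as one. */
static int dyn_read_pointer(dyn_ptr d, void **out) {
    size_t i;
    if (!dyn_index(d, &i) || *dyn_tag(d, i) != TAG_POINTER) return 0;
    *out = (void *)d.base[i]; return 1;
}

/* Constructed scenario on a 4-word area; returns 1 when every check holds. */
static int dyn_demo(void) {
    static int target = 7; void *q = NULL;
    dyn_ptr d = dyn_new(4);
    int ok = dyn_write(d, 0x41414141u, TAG_SCALAR);      /* word 0: an integer */
    ok &= dyn_write(dyn_add(d, 1), (uintptr_t)&target, TAG_POINTER); /* word 1 */
    ok &= !dyn_read_pointer(d, &q);        /* refused: word 0 is not a pointer */
    ok &= dyn_read_pointer(dyn_add(d, 1), &q) && *(int *)q == 7;
    ok &= !dyn_write(dyn_add(d, 4), 1, TAG_SCALAR);    /* refused: past the length */
    dyn_free(d);
    return ok;
}
```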

Possible Problems With These Solutions
–Application-level programming vs. system-level programming
–Manually setting the address of a data pointer, needed for:
  –Memory-mapped I/O
  –Separating regions of code in systems with no OS

An Example
You are writing code for an embedded system with no OS and a limited run-time environment.
The system architecture has two memory maps, boot time and run time.
Build two separate execution regions: Boot and Main.

Example (continued)
…..
void (*Jump)(void);
Jump = 0;
Jump();
What am I doing here?!?! This is evil code! (It was written by Justin R. Cutler.)

Example (continued)
This is a soft reset that jumps out of the Boot code and goes to the start of Main, which is now at address location 0x
Would this be allowed by Cyclone or CCured? Something to talk about, or maybe not.

References Software Safety Home Page: –