Two alternatives of C: Cyclone and Vault - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: Two alternatives of C: Cyclone and Vault


1
Two alternatives of C: Cyclone and Vault
  • Keami Hung, February 01, 2007

2
Cited Sources
  • T. Jim, G. Morrisett, D. Grossman, M. Hicks, J. Cheney
    and Y. Wang. Cyclone: A Safe Dialect of C.
    Usenix Annual Technical Conference, pages
    275-288, Monterey, CA, June 2002.
  • R. DeLine and M. Fahnrich. Vault: A Programming
    Language for Reliable Systems.
    <http://research.microsoft.com/projects/Vault/>
  • T. Jim, G. Morrisett, D. Grossman, M. Hicks, J. Cheney
    and Y. Wang. Cyclone. <http://cyclone.thelanguage.org/>.
  • Wikipedia. C Programming Language.
    <http://en.wikipedia.org/wiki/C_(programming_language)>.
  • Wikipedia. Northeast Blackout of 2003 - Causes.
    <http://en.wikipedia.org/wiki/2003_North_America_blackout#Causes>.

3
C Programming Language
  • Since its first appearance in 1972, C has become one
    of the most widely used programming languages in
    the world.
  • More lines of code have been written in C than in any
    other language, perhaps except Fortran (and
    maybe Java in the next 10-20 years?).
  • Influenced languages like C++, C#, Java and D.

4
C Programming Language
  • Low-level imperative language, with simple and
    elegant coding and syntax.
  • Gives programmers maximum control of hardware,
    memory management, and data layout on the stack and
    heap.
  • Highly efficient, with a low-overhead runtime.
  • Critical in computer infrastructure like OSes,
    servers, networking software, databases and
    distributed systems.

5
C Programming Language
  • Pointer
      • the most fundamental feature, which enables data
        layout and dynamic memory allocation
      • the most vulnerable feature, from which many
        security hazards emerge:
          • Dangling references
          • Null-pointer dereferences
          • Illegal data type accesses
          • Memory leaks
          • ......

6
C Programming Language
  • From these vulnerabilities in language structure
    and syntax, security loopholes are exploited for
    malicious purposes:
      • Out-of-bounds access -> buffer/stack/array
        overflow
      • Illegal memory addressing and access
      • Weak typing -> illegal type assignment
      • Format string attacks
      • ......

7
An Example
  • Remember the massive-scale blackout throughout
    the northeast US and eastern Canada in August 2003?
  • The ultimate cause of the whole accident was a
    race condition bug in one control center's
    Unix-based OS in the GE Energy XA/21 system,
    which stalled the electricity alarm system.

8
Is Java a good alternative?
  • Java eliminates most of the vulnerabilities, as
    well as the features essential for low-level
    programming (e.g. pointers).
  • The programmer has no direct control over data layout
    and memory allocation. Everything is handled by
    the JVM.
  • A Java program is interpreted and run on the JVM,
    making it comparatively inefficient next to C,
    especially in OS and networking infrastructures.

9
Goal
  • To create a safe and secure programming language
    while maintaining the syntax, semantics, features
    and low-level accessibility of C, if possible.

10
Checkers / Dialects of C
  • D
  • SCC (Safe C Compiler)
  • Fail-Safe C
  • CCured
  • Cyclone
  • Vault
  • LINT
  • LCLint
  • SLAM
  • Metal

11
Cyclone
  • A safe dialect of C
  • Designed from the ground up to prevent the buffer
    overflows, format string attacks and memory
    management errors that are common in C programs,
    while retaining C's syntax and semantics.
  • Safety is guaranteed and the default, rather than
    additive.
  • When control is required, it is given as
    needed.

12
Cyclone Structure
  (diagram) Cyclone code -> Parser -> Static Analyzer
  -> Translator to ANSI C -> GNU gcc / MS Visual C -> exe
13
Cyclone Pointers
  • To prevent buffer overflow vulnerabilities,
    null pointers and pointer arithmetic are
    restricted.
  • Three types of pointers:
      • * (typical pointer): pointer arithmetic is
        prohibited; NULL checks enabled
      • @ (never-NULL pointer): pointer arithmetic is
        prohibited; NULL checks disabled (since it is
        guaranteed to be initialized)
      • ? (bounds-checked pointer): pointer arithmetic
        allowed; a fat pointer which can determine
        the size of the array / data.

14
Cyclone Region Analysis
  • To prevent dangling pointers and illegal data
    access through pointer variables, Cyclone's analyzer
    performs region analysis to detect dereferences of
    a pointer to a region of data that is already
    deallocated.
  • A region is a segment of memory that is
    deallocated together (e.g. the local variables of a
    function).
  • If a violation is detected, a compile-time error is
    reported.
  • With this, functions like strcpy and strcat can no
    longer be used to overwrite memory and create buffer
    overflows.

15
Cyclone Growable Regions
  • In C, free is a function that does the opposite
    of malloc: it deallocates the variable and frees up
    the memory space currently pointed to by the stack
    pointer.
  • free is too dangerous as an operation, since it
    can create dangling references, segmentation
    faults and even root compromises (if it is
    accidentally used to free up the same block of
    memory twice).
  • In Cyclone, free is a no-op.
  • Then how can we reclaim heap-allocated data?

16
Cyclone Growable Regions
  • A growable region is used to keep track of the
    variables declared and allocated within it.
  • Each variable declared within the region is given
    a handle of the region, to keep track of which
    region it points to.
  • Upon exit from the region, the variables are all
    deallocated together and the memory space freed.
  • A safe version of arena-style memory management.
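Added example (not from the slides or the Cyclone implementation): a plain-C model of the growable region described on slides 15 and 16, with per-object free as a no-op and every chunk reclaimed at once when the region is left; the names region, region_alloc, region_free_object and region_exit are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a Cyclone growable region: objects are carved out of
 * chunks owned by the region and are reclaimed only when the region is left. */
typedef struct chunk { struct chunk *next; size_t used, cap; char data[]; } chunk;
typedef struct { chunk *head; size_t chunk_size; } region;

static void region_init(region *r, size_t chunk_size) {
    r->head = NULL; r->chunk_size = chunk_size;
}

/* Allocate n bytes; the region grows by a new chunk when the current one is full. */
static void *region_alloc(region *r, size_t n) {
    n = (n + 7) & ~(size_t)7;                        /* keep 8-byte alignment */
    if (!r->head || r->head->used + n > r->head->cap) {
        size_t cap = n > r->chunk_size ? n : r->chunk_size;
        chunk *c = malloc(sizeof *c + cap);
        if (!c) return NULL;
        c->next = r->head; c->used = 0; c->cap = cap;
        r->head = c;
    }
    void *p = r->head->data + r->head->used;
    r->head->used += n;
    return p;
}

/* Per-object free is a no-op, as in Cyclone: there is nothing to double-free. */
static void region_free_object(region *r, void *p) { (void)r; (void)p; }

/* Leaving the region releases every chunk at once; returns the chunk count. */
static int region_exit(region *r) {
    int n = 0;
    for (chunk *c = r->head; c; n++) { chunk *nx = c->next; free(c); c = nx; }
    r->head = NULL;
    return n;
}

/* 300 objects of 40 bytes into 1 KiB chunks (25 per chunk): the region grows to
 * 12 chunks, per-object frees change nothing, one exit reclaims all of them. */
int region_demo(void) {
    region r; region_init(&r, 1024);
    for (int i = 0; i < 300; i++) {
        char *s = region_alloc(&r, 40);
        if (!s) return -1;
        strcpy(s, "handle-tagged object");
        region_free_object(&r, s);   /* no-op */
        region_free_object(&r, s);   /* a second "free" is harmless too */
    }
    return region_exit(&r);          /* 12 */
}
```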

17
Cyclone Tagged Unions
  • To prevent format string attacks, a tagged union
    feature is used to ensure the correct type and
    format of input data to a function (like
    printf).
  • A C union is a structure in which variables of
    multiple data types share the same memory space.
  • For convenience, automatic tag injection is
    provided for common C functions like printf,
    scanf, fcntl, ioctl, signal, bind, connect etc.
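Added example (not from the slides or the Cyclone implementation): a plain-C model of the tagged-union arguments described above, where a printf-style formatter checks every directive against the tag of its argument and rejects a mismatched or untrusted format string instead of reinterpreting memory; tagged_arg, tagged_format and tagged_demo are assumed names.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of Cyclone's tagged-union printf arguments: every argument
 * carries a tag, so the format string cannot reinterpret it as another type. */
typedef enum { ARG_INT, ARG_STR } arg_tag;
typedef struct { arg_tag tag; union { int i; const char *s; } u; } tagged_arg;

/* Formats into out (size cap). Returns 1 on success, 0 when a directive does not
 * match the tag of its argument, when arguments run out, or on an unknown directive. */
int tagged_format(char *out, size_t cap, const char *fmt, const tagged_arg *args, size_t nargs) {
    size_t n = 0, a = 0;
    out[0] = '\0';
    for (const char *f = fmt; *f; f++) {
        int w;
        if (*f != '%') {
            if (n + 1 >= cap) return 0;
            out[n++] = *f; out[n] = '\0';
            continue;
        }
        f++;
        if (*f == '%') { if (n + 1 >= cap) return 0; out[n++] = '%'; out[n] = '\0'; continue; }
        if (a >= nargs) return 0;                      /* more directives than arguments */
        if (*f == 'd' && args[a].tag == ARG_INT)
            w = snprintf(out + n, cap - n, "%d", args[a].u.i);
        else if (*f == 's' && args[a].tag == ARG_STR)
            w = snprintf(out + n, cap - n, "%s", args[a].u.s);
        else
            return 0;                                  /* tag mismatch or unknown directive (e.g. %n, %x) */
        if (w < 0 || (size_t)w >= cap - n) return 0;
        n += (size_t)w; a++;
    }
    return a == nargs;                                 /* leftover arguments are rejected too */
}

/* A well-typed call succeeds; an untrusted "%s%s%s" and a %d on a string tag are refused. */
int tagged_demo(void) {
    char buf[64];
    tagged_arg args[] = { { ARG_STR, { .s = "alice" } }, { ARG_INT, { .i = 42 } } };
    int ok = tagged_format(buf, sizeof buf, "user %s has %d items", args, 2)
             && strcmp(buf, "user alice has 42 items") == 0;
    int refused = !tagged_format(buf, sizeof buf, "%s%s%s", args, 2);   /* untrusted format */
    int refused2 = !tagged_format(buf, sizeof buf, "%d", args, 2);     /* %d on a string tag */
    return ok && refused && refused2;
}
```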

18
Cyclone's Other Special Features
  • To prevent dangling references, a goto
    that jumps into a scope other than its own is
    detected and reported as a compile-time error.
  • Other features include:
      • Restrictions on void return types
      • Restrictions on bad casts
      • Restrictions on improper unions
      • Compulsory return statements
      • Exceptions in place of setjmp and longjmp

19
Cyclone Performance
  • In general, Cyclone gives decent performance
    compared to C, given its highly improved safety
    and occasional, but not frequent, overheads.
  • The benchmark tests show that the difference in
    lines of code between C and Cyclone is small;
    Cyclone needs only slightly more code than C.
  • During compilation, some safety violations were
    even discovered in three benchmarks that are widely
    used in systems programming, and subsequently
    fixed.

20
Cyclone Performance
  • Even with the garbage collector option and bounds
    check option enabled, in general, Cyclone did not
    incur much runtime overhead on benchmarks.
  • In most benchmarks, the Cyclone program is
    slightly slower than the one in C. The
    greatest slowdown is a factor of 3.
  • The slowest benchmarks are those with
    computationally intensive operations involving
    frequent bounds checks and ? (fat) pointers.

21
Example 1
    #include <string.h>

    void func(char *str) {
        char buffer[16];
        strcpy(buffer, str);        // ERROR! no bounds check: str can overflow buffer
    }

    int main() {
        char large_string[256];
        int i;
        for (i = 0; i < 255; i++)
            large_string[i] = 'A';
        func(large_string);
        return 0;
    }
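Added example (not from the slides or the Cyclone implementation): a plain-C model of the ? fat pointer from slide 13, applied to the strcpy of Example 1, so that the 255-byte copy into a 16-byte buffer is refused instead of overflowing; fatptr, fat_from_array, fat_write and fat_strcpy are assumed names.

```c
#include <string.h>

/* Model of Cyclone's `?` fat pointer (hypothetical name): value plus bounds. */
typedef struct {
    char *base;   /* start of the underlying buffer */
    char *cur;    /* current position: the "pointer value" */
    char *end;    /* one past the last valid byte */
} fatptr;

static fatptr fat_from_array(char *arr, size_t n) {
    fatptr p = { arr, arr, arr + n };
    return p;
}

/* Checked store: pointer arithmetic is allowed on `?` pointers, but a write is
 * refused once cur leaves [base, end) instead of corrupting adjacent memory. */
static int fat_write(fatptr *p, char c) {
    if (p->cur < p->base || p->cur >= p->end)
        return 0;
    *p->cur++ = c;
    return 1;
}

/* strcpy over fat pointers: 1 on success, 0 when src is unterminated within
 * its bounds or dst runs out of room (Example 1's overflow, caught). */
static int fat_strcpy(fatptr dst, fatptr src) {
    for (;;) {
        if (src.cur >= src.end) return 0;
        char c = *src.cur++;
        if (!fat_write(&dst, c)) return 0;
        if (c == '\0') return 1;
    }
}

/* Example 1 replayed: 255 'A's into a 16-byte buffer; 1 means the copy was refused. */
int example1_is_caught(void) {
    char large_string[256], buffer[16];
    memset(large_string, 'A', 255);
    large_string[255] = '\0';
    return fat_strcpy(fat_from_array(buffer, sizeof buffer),
                      fat_from_array(large_string, sizeof large_string)) == 0;
}

/* A string that fits is copied unchanged; 1 means the result matches. */
int short_copy_ok(void) {
    char src[] = "hello", buffer[16];
    return fat_strcpy(fat_from_array(buffer, sizeof buffer),
                      fat_from_array(src, sizeof src)) == 1 && strcmp(buffer, "hello") == 0;
}
```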

22
Example 2
    #include <stdio.h>

    void func(int a, int b, int c) {
        char buffer1[5];
        char buffer2[10];
        int *ret;                       // Get the address of the word containing the return address.
        ret = (int *)(buffer1 + 12);    // Make it skip an entire instruction.
        (*ret) += 8;                    // ERROR!
    }

    int main() {
        int x;
        x = 0;
        func(1, 2, 3);
        x = 1;                          // This will be skipped.
        printf("%d\n", x);              // Prints 0
        return 0;
    }

23
Vault
  • A safe version of the C programming language,
    being developed at Microsoft Research, which
    provides the same level of safety as languages
    like C#, but allows a programmer to retain
    control over data layout and lifetime.

24
Vault Features
  • Unlike Cyclone, which targets the specific features
    behind common security attacks, Vault
    modifies a wide range of features.
  • Most of the modifications are higher level,
    concerning functions, constructs, variants and
    aggregate types.
  • Vault also brings in some concepts of object
    oriented programming, like modules and generics.

25
Vault Features
  • Every variable must be initialized when declared.
  • Compared to C, Vault is a type-safe language, and
    prohibits casts between arbitrary types.

26
Vault Aggregation
  • Tuple:
        Tuple(bool, int, string) mytuple = (false, 3, "hello");
  • Inner struct, outer struct, and flat:
        struct inner { int i; float f; }
        struct outer { char c; flat inner s; }

27
Vault Module and Interface
  • The most important and most frequently used feature in Vault.
  • A collection of type, variable, and function
    definitions.
  • Inner and outer modules are declared like
    structs.
  • Resembles a simple class object.
  • Encapsulation by using the static keyword when
    declaring variables or functions inside the
    module.

28
Vault Interface
  • Provides encapsulation and information hiding,
    like what a C header file does.
  • Acts as a contract between a module
    implementation and a module client.
  • A module can then claim (or adopt) an interface
    and implement the details.

29
Advantages of Cyclone
  • Improved Security
  • Easy to learn, port and use
  • Fast and efficient in general
  • Translatable back to C code
  • Fewer modifications over all language features

30
Disadvantages of Cyclone
  • Pointer operations, involving three kinds of pointers,
    can be very confusing and difficult to master.
  • Considerable slowdown on some computationally
    intensive programs.
  • Some common practices for C programmers, like
    pointer arithmetic, are much restricted. (But
    usually other ways are available.)

31
Advantages of Vault
  • Improved security.
  • Modularization: helpful for large-scale
    programming / software development.
  • Takes advantage of the object oriented programming
    paradigm through generics, modules and interfaces.

32
Disadvantages of Vault
  • Less focused on prevailing security issues.
  • Less focused on low-level programming.
  • Much more complicated than Cyclone, with lots of
    new features and keywords.

33
The End