Safety in the C programming Language - PowerPoint PPT Presentation
Slides: 19
Provided by: peter284

Transcript and Presenter's Notes

1
Safety in the C programming Language
  • Peter Wihl
  • May 26th, 2005
  • CS 297 Security and Programming Languages

2
Overall Issue: Safety in C
  • Best feature of C
  • Gives programmer access to the lowest levels of
    the machine
  • Worst feature of C
  • Gives programmer access to the lowest levels of
    the machine

3
The Problem of Memory Manipulation
  • Bad Pointer Arithmetic
  • Defining the end of a string: the NULL
    termination
  • Trespassing: when a pointer goes out of its
    bounds
  • The design of the C programming language
    encourages programming at the edge of safety. A1

4
The Band-Aid Approach
  • Create guidelines for the use of the existing
    language
  • Examples
  • DECOS: Dependable Embedded Components and Systems,
    used in Europe and designed by committee
  • DOE-STD-1172-2003: Safety Software Quality
    guidelines for Nuclear Facilities
  • NASA C Programming Style Guide: from Goddard
    Space Flight Center
  • MISRA: Motor Industry Software Reliability
    Association

5
The Next Approach
  • Create a modification of the C language
  • Cyclone
  • CCured

6
Cyclone
  • Automatically insert run-time NULL checks when
    pointers are used
  • Defined two new types of pointers
  • Never-NULL pointer
  • @ instead of *
  • Fat pointer
  • ? instead of *
  • permits pointer arithmetic
  • ?-pointer represented by an address plus bounds

7
Cyclone
  • Uninitialized pointers: static analysis to detect
    them
  • Dangling pointers: to prevent dereferencing of a
    dangling pointer, it performs a region analysis
    on the code.
  • Freeing memory: growable regions live on the
    heap and are accessed through handles.
  • Tagged unions: used to control type-varying
    arguments; the tags distinguish the cases of the
    union so the callee knows which types are being
    used in a particular call.

8
CCured
  • Deals only with pointers
  • Classifies them in two groups
  • Statically typed pointers
  • Dynamically-typed pointers

9
CCured
  • Defines two classes of pointers: static and
    dynamic
  • CCured does not allow these two pointer
    conditions:
  • Cannot have both a dynamically-typed and a
    statically-typed pointer pointing to the same
    location
  • Cannot have a statically-typed pointer stored in
    an area pointed to by a dynamic pointer
  • Deallocation is handled through built-in garbage
    collection

10
CCured Statically Typed Pointer
  • The SEQ (sequence) pointer
  • Can be used in pointer arithmetic but is
    required to carry bounds
  • The SAFE pointer
  • Can be NULL but does not allow for pointer
    arithmetic
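
Both the Cyclone ?-pointer (slide 6) and the CCured SEQ pointer above work the same way: the address travels with the bounds of the object it points into, so trespassing can be refused at run time. The C below is an added illustration, not code from the slides, Cyclone or CCured; the struct layout and the fat_* names are constructed for this model.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model (not Cyclone's or CCured's real layout) of a pointer that
 * carries its bounds, so every dereference can be checked at run time. */
typedef struct {
    char *cur;   /* current address; pointer arithmetic moves only this */
    char *base;  /* first valid byte */
    char *limit; /* one past the last valid byte */
} fat_ptr;

static fat_ptr fat_from_buf(char *buf, size_t len) {
    fat_ptr p = { buf, buf, buf + len };
    return p;
}

/* Arithmetic is permitted, as with Cyclone's ? and CCured's SEQ pointers. */
static fat_ptr fat_add(fat_ptr p, ptrdiff_t n) {
    p.cur += n;
    return p;
}

/* Checked read: 1 on success, 0 if the pointer is NULL or out of bounds
 * (a checking compiler would abort instead of returning 0). */
static int fat_read(fat_ptr p, char *out) {
    uintptr_t c = (uintptr_t)p.cur, lo = (uintptr_t)p.base, hi = (uintptr_t)p.limit;
    if (p.cur == NULL || c < lo || c >= hi)
        return 0;
    *out = *p.cur;
    return 1;
}

/* Length of a string that may lack its NUL terminator: the bounds, not the
 * sentinel, end the scan, so the missing-terminator over-read is refused. */
static size_t fat_strlen_checked(fat_ptr p) {
    size_t n = 0;
    char c;
    while (fat_read(fat_add(p, (ptrdiff_t)n), &c) && c != '\0')
        n++;
    return n;
}

/* Constructed 4-byte buffer with no terminator: index 3 reads 'd', index 4
 * is refused, and the length scan stops at the bound (4) instead of running on. */
static int demo_trespass_caught(void) {
    char buf[4] = { 'a', 'b', 'c', 'd' }, c;
    fat_ptr p = fat_from_buf(buf, sizeof buf);
    return fat_read(fat_add(p, 3), &c) && c == 'd'
        && !fat_read(fat_add(p, 4), &c) && fat_strlen_checked(p) == 4;
}
```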

11
(No Transcript)
12
CCured Dynamically Typed Pointer
  • DYN pointer
  • Contains two fields, the base and the pointer
    field
  • Base field points to the start of a dynamically
    typed area that is preceded by a length and
    followed by tag bits

13
(No Transcript)
14
Possible Problems With These Solutions
  • Application level programming vs. system level
    programming
  • Manually setting the address of a data pointer
  • Needed for memory-mapped I/O
  • Separating regions of code in systems with no OS

15
An example
  • You are writing code for an embedded system with
    no OS and limited run time environment
  • System architecture has two memory maps, boot
    time and run time.
  • Build two separate execution regions
  • Boot and Main

16
Example (continued)
  • ...
  • void (*Jump)(void);
  • Jump = 0;
  • Jump();
  • What am I doing here?!?! This is evil code!
  • (it was written by Justin R. Cutler ?)

17
Example (continued)
  • This is a soft reset that jumps out of Boot code
    and goes to the start of Main that is now at
    address location 0x000000
  • Would this be allowed by Cyclone or CCured?
    Something to talk about or maybe not.

18
References
  • Software Safety Home Page
  • http://www.softwaresafety.net/Guidelines/