checked c
play

Checked C Michael Hicks The University of Maryland joint work with - PowerPoint PPT Presentation

Jul 18, 2023 •254 likes •585 views

Checked C Michael Hicks The University of Maryland joint work with David Tarditi (MSR), Andrew Ruef (UMD), Sam Elliott (UW) UM Motivation - Lots of C/C++ code out there. - One open source code indexer (openhub.net) found 8.5 billion lines of C

  1. Checked C Michael Hicks The University of Maryland joint work with David Tarditi (MSR), Andrew Ruef (UMD), Sam Elliott (UW) UM

  2. Motivation - Lots of C/C++ code out there. - One open source code indexer (openhub.net) found 8.5 billion lines of C code. - Huge investment in existing (often unsafe) code - Many approaches “saving C” have been proposed : - Static/dynamic analysis (ASAN, Softbound), fuzzing, OS/HW- level mitigations - Rewrite the code in a type-safe language (Java/Rust…) - New dialects of C (Cyclone, CCured, Deputy, …) 2

  3. Checked C Checked C is another take at making system software written in C more reliable and secure. Approach: - Extend C so that type-safe programs can be written in it. - A new language risks introducing unnecessary differences. - Backward compatible , support incremental conversion of code to be type-safe. - Implement in widely used C compilers (Clang/ LLVM ) - Create automated conversion tools - Hypothesis: most source code behaves in a type-safe fashion. - Evaluate and get real-world use . Iterate based on experience. https://github.com/Microsoft/checkedc https://github.com/Microsoft/checkedc-clang 3

  4. Design Like Cyclone • Making code type safe • Static/dynamic bounds checking for pointers and arrays • Initialization of data, type casts, explicit memory management • No temporal safety enforcement at present (use GC) Unlike Cyclone • Backward compatibility • All pointers binary-compatible (no “fat” pointers) • Strict extension (parsing) of C • Unchecked and checked code can co-exist (e.g., in a function) • The former can use checked types in a looser manner • Can prove a “blame” property that characterizes isolation • Can work with improving hardware designs 4

  5. Clang & LLVM Checked LLVM C's x86 / Clang Analyses x64 / Frontend ARM / Optimizations Analyses Other Assembly LLVM IR Code Generators Generator 5

  6. Pointers T* val = malloc(sizeof(T)); Singleton Pointer ptr<T> val = malloc(sizeof(T)); T* vals = calloc(n, sizeof(T)); T vals[N] = { ... }; Array Pointer array_ptr<T> vals = calloc(n, sizeof(T)); T vals checked[N] = { ... }; 6

  7. Bounds Declarations Declaration Invariant array_ptr<T> p : bounds(l, u) l ≤ p < u array_ptr<T> p : count(n) p ≤ p < p+n array_ptr<T> p : byte_count(n) p ≤ p < (char*)p + n Expressions in bounds(l, u) must be non-modifying - No Assignments or Increments/Decrements - No Calls 7

  8. NUL Terminated Pointers char* str = calloc(n, sizeof(char)); NT Array Pointer char str[N] = { ... }; nt_array_ptr<char> str : count(n-1) = calloc(n, sizeof(char)); char str checked[N+1] = { …, ‘\0’ }; l ≤ p ≤ u && ∃ c ≥ u. *c == ‘\0’ nt_array_ptr<T> p : bounds(l, u) can read *u or write ‘\0’ to it 8

  9. Bounds Expansion size_t my_strlcpy( nt_array_ptr<char> dst: count(dst_sz - 1), nt_array_ptr<char> src, size_t dst_sz) { size_t i = 0; nt_array_ptr<char> s : count(i) = src; while (s[i] != ’\0’ && i < dst_sz - 1) { //bounds on s may expand by 1 dst[i] = s[i]; ++i; } dst[i] = ’\0’; //ok to write to upper bound return i; } 9

  10. Where Dynamic Checks Occur p[n] Pointer Dereference int i = *p; p->field Assignment *p = 0; Compound Assignment *p += 1; Increment/Decrement (*p)++; Elided if the compiler can prove the access is safe 10

  11. Copy data bool echo( int16_t user_length, from user_payload size_t user_payload_len, into new buffer in char *user_payload, resp_t *resp) { resp object char *resp_data = malloc(user_length); Example inspired by resp->payload_buf = resp_data; Heartbleed error resp->payload_buf_len = user_length; // memcpy(resp->payload_buf, user_payload_buf, user_length) for (int i = 0; i < user_length; i++) { resp->payload_buf[i] = user_payload_buf[i]; } return true; } user_length is user_payload_len is typedef struct { size_t payload_len; provided by user from the parser char *payload; // ... } resp_t; 11

  12. Copy data bool echo( int16_t user_length, from user_payload size_t user_payload_len, into new buffer in char *user_payload, resp_t *resp) { resp object char *resp_data = malloc(user_length); resp->payload = resp_data; resp->payload_len = user_length; // memcpy(resp->payload_buf, user_payload_buf, user_length) malloc could fail for (int i = 0; i < user_length; i++) { resp->payload_buf[i] = user_payload_buf[i]; } return true; } user_length is user_payload_len is typedef struct { size_t payload_len; provided by user from the parser char *payload; // ... } resp_t; 12

  13. Copy data bool echo( int16_t user_length, from user_payload size_t user_payload_len, into new buffer in char *user_payload, resp_t *resp) { resp object char *resp_data = malloc(user_length); resp->payload = resp_data; resp->payload_len = user_length; // memcpy(resp->payload, user_payload, user_length) for (size_t i = 0; i < user_length; i++) { resp->payload[i] = user_payload[i]; } return true; } user_length is user_payload_len is typedef struct { size_t payload_len; user_length could be provided by user from the parser char *payload; // ... larger than user_payload_len } resp_t; 13

  14. bool echo( Step 1: int16_t user_length, Manually size_t user_payload_len, array_ptr<char> user_payload, Convert to ptr<resp_t> resp) { Checked Types array_ptr<char> resp_data = malloc(user_length); resp->payload = resp_data; resp->payload_len = user_length; // memcpy(resp->payload, user_payload, user_length) for (size_t i = 0; i < user_length; i++) { resp->payload[i] = user_payload[i]; } return true; } typedef struct { size_t payload_len; array_ptr<char> payload; // ... } resp_t; 14

  15. bool echo( int16_t user_length, size_t user_payload_len, array_ptr<char> user_payload : count(user_payload_len), ptr<resp_t> resp) { array_ptr<char> resp_data : count(user_length) = malloc(user_length); resp->payload = resp_data; resp->payload_len = user_length; Step 2: Manually // memcpy(resp->payload, user_payload, user_length) for (size_t i = 0; i < user_length; i++) { Add Bounds resp->payload[i] = user_payload[i]; Declarations } return true; } typedef struct { size_t payload_len; array_ptr<char> payload : count(payload_len); // ... } resp_t; 15

  16. bool echo( Step 3: int16_t user_length, Compiler Inserts size_t user_payload_len, array_ptr<char> user_payload : count(user_payload_len), Checks Automatically ptr<resp_t> resp) { array_ptr<char> resp_data : count(user_length) = malloc(user_length); dynamic_check(resp != NULL); resp->payload = resp_data; resp->payload_len = user_length; malloc now checked // memcpy(resp->payload, user_payload, user_length) for (size_t i = 0; i < user_length; i++) { dynamic_check(user_payload != NULL); dynamic_check(user_payload <= &user_payload[i]); dynamic_check(&user_payload[i] < user_payload + user_payload_len); dynamic_check(resp->payload != NULL); dynamic_check(resp->payload <= &resp->payload[i]); dynamic_check(&resp->payload[i] < resp->payload + resp->payload_len resp->payload[i] = user_payload[i]; } No Memory Disclosure return true; 16 }

  17. bool echo( Step 3: int16_t user_length, Compiler Inserts size_t user_payload_len, array_ptr<char> user_payload : count(user_payload_len), Checks Automatically ptr<resp_t> resp) { array_ptr<char> resp_data : count(user_length) = malloc(user_length); Code Not Bug-Free: dynamic_check(resp != NULL); Will signal run-time error if either resp->payload = resp_data; resp->payload_len = user_length; malloc now checked - malloc(user_length) fails // memcpy(resp->payload, user_payload, user_length) - user_length > user_payload_len for (size_t i = 0; i < user_length; i++) { dynamic_check(user_payload != NULL); dynamic_check(user_payload <= &user_payload[i]); dynamic_check(&user_payload[i] < user_payload + user_payload_len); But: Vulnerable Executions Prevented dynamic_check(resp->payload != NULL); dynamic_check(resp->payload <= &resp->payload[i]); dynamic_check(&resp->payload[i] < resp->payload + resp->payload_len resp->payload[i] = user_payload[i]; } No Memory Disclosure return true; 17 }

  18. Step 4: bool echo( int16_t user_length, Restrictions on bounds size_t user_payload_len, expressions may allow removal array_ptr<char> user_payload : count(user_payload_len), ptr<resp_t> resp) { array_ptr<char> resp_data : count(user_length) = malloc(user_length); dynamic_check(resp != NULL); resp->payload = resp_data; resp->payload_len = user_length; malloc still checked dynamic_check(user_payload != NULL); dynamic_check(resp->payload != NULL); // memcpy(resp->payload, user_payload, user_length) for (size_t i = 0; i < user_length; i++) { dynamic_check(i <= user_payload_len); resp->payload[i] = user_payload[i]; } return true; } No Memory Disclosure 18

  19. Partially Converted Code - We may not want (or be able) to port all at once - Can use checked types wherever we want - Allows some hard-to-prove-safe idioms - But adds risk void more(int *b, int idx, ptr<int *>out) { int oldidx = idx, c; do { c = readvalue(); b[idx++] = c; //could overflow b? } while (c != 0); *out = b+idx-oldidx; //bad if out corrupted } 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 The temperature of a supermarket fridge is regularly checked to ensure that it is working

1 The temperature of a supermarket fridge is regularly checked to ensure that it is working

1 The temperature of a supermarket fridge is regularly checked to ensure that it is working correctly. Over a period of three months the temperature (measured in degrees Celsius) is checked 600 times. These temperatures are displayed in the

221 views • 4 slides
I bet someone has checked FB in the last 5 minutes Everyone gets social media, everywhere It has

I bet someone has checked FB in the last 5 minutes Everyone gets social media, everywhere It has

Wheres your phone? Pocket, lap, hand? It is prolly within an easy reach, unless you are one of those people. Always losing it. I bet someone has checked FB in the last 5 minutes Everyone gets social media, everywhere It has changed the way

647 views • 50 slides
Is That Book Checked Out? Getting Holdings and Availability Data into Other Applications Jane

Is That Book Checked Out? Getting Holdings and Availability Data into Other Applications Jane

Is That Book Checked Out? Getting Holdings and Availability Data into Other Applications Jane Sandberg Linn-Benton Community College April 21, 2016 1 / 14 Background Creating a new Discovery Layer Using Blacklight, because its cool!

469 views • 27 slides
A Machine-Checked Theory of Floating Point Arithmetic John Harrison Intel Corporation, EY2-03

A Machine-Checked Theory of Floating Point Arithmetic John Harrison Intel Corporation, EY2-03

A Machine-Checked Theory of Floating Point Arithmetic 1 A Machine-Checked Theory of Floating Point Arithmetic John Harrison Intel Corporation, EY2-03 Introduction to IA-64 and HOL Light Floating point formats Ulps Rounding

254 views • 13 slides
mechanized reasoning favonia 1 2 2 2 checked! 2 Peace of Mind 3 *photo credit:

mechanized reasoning favonia 1 2 2 2 checked! 2 Peace of Mind 3 *photo credit:

mechanized reasoning favonia 1 2 2 2 checked! 2 Peace of Mind 3 *photo credit: voltamax@pixabay Dream Everyone can (easily) check their work in computers 4 Notable Projects Four-color theorem

527 views • 37 slides
A Machine-Checked Formalization of -Protocols eguelin 1 Santiago Zanella-B Gilles Barthe 1

A Machine-Checked Formalization of -Protocols eguelin 1 Santiago Zanella-B Gilles Barthe 1

A Machine-Checked Formalization of -Protocols eguelin 1 Santiago Zanella-B Gilles Barthe 1 Daniel Hedin 1 egoire 2 Sylvain Heraud 2 Benjamin Gr 1 IMDEA Software, Madrid, Spain 2 INRIA Sophia Antipolis - M editerran ee, France

725 views • 51 slides
A Machine-Checked Model of MGU Axioms: Applications of Finite Maps and Functional Induction

A Machine-Checked Model of MGU Axioms: Applications of Finite Maps and Functional Induction

A Machine-Checked Model of MGU Axioms: Applications of Finite Maps and Functional Induction Presented by Sunil Kothari Joint work with Prof. James Caldwell Department of Computer Science, University of Wyoming, USA 23rd International Workshop

807 views • 70 slides
FACADE RECONSTRUCTION HISTORIC PHOTO &amp; CHECKED BY: RM ARCHITECTURE PLANNING INTERIOR

FACADE RECONSTRUCTION HISTORIC PHOTO &amp; CHECKED BY: RM ARCHITECTURE PLANNING INTERIOR

PHOTO 1940s PHOTO 2016 ARCHITECT: PROJECT: DRAWING TITLE: PROJECT NO.: 17003 DATE: 10.24.2017 MISRA &amp; ASSOCIATES P.C. DRAWN BY: MS DWG NO.: FACADE RECONSTRUCTION HISTORIC PHOTO &amp; CHECKED BY: RM ARCHITECTURE PLANNING

358 views • 9 slides
Machine-checked correctness and complexity of a Union-Find implementation Arthur Charguraud

Machine-checked correctness and complexity of a Union-Find implementation Arthur Charguraud

Machine-checked correctness and complexity of a Union-Find implementation Arthur Charguraud Franois Pottier December 16, 2015 1 / 1 Message Lets begin with a demo... Proving correctness and termination is not enough! 2 / 1

782 views • 17 slides
Machine-checked Interpolation Theorems for Substructural Logics using Display Calculi Jeremy E.

Machine-checked Interpolation Theorems for Substructural Logics using Display Calculi Jeremy E.

Machine-checked Interpolation Theorems for Substructural Logics using Display Calculi Jeremy E. Dawson James Brotherston Rajeev Gor e Research School of Computer Science, Australian National University University College London, UK IJCAR,

325 views • 31 slides
Fitting the Pieces Together: A Machine-Checked Model of Safe Composition Benjamin Delaware

Fitting the Pieces Together: A Machine-Checked Model of Safe Composition Benjamin Delaware

Fitting the Pieces Together: A Machine-Checked Model of Safe Composition Benjamin Delaware William Cook Don Batory University of Texas at Austin Safe Composition Features Word Processor has formatting, printing, spell check,

535 views • 37 slides
Presentation Search Results on Alternans at HRS 2013 Presentations per Page Add Checked Selections

Presentation Search Results on Alternans at HRS 2013 Presentations per Page Add Checked Selections

Presentation Search Results on Alternans at HRS 2013 Presentations per Page Add Checked Selections to My Itinerary Select/Clear All 25 Presentation Session Thu, May 9, 2:45 - 3:00 PM Jason D. Bayer, MS, Abstract Session AB02-06 -

528 views • 4 slides
Machine-checked correctness and complexity of a Union-Find implementation Arthur Charguraud

Machine-checked correctness and complexity of a Union-Find implementation Arthur Charguraud

Machine-checked correctness and complexity of a Union-Find implementation Arthur Charguraud Franois Pottier September 8, 2015 1 / 32 The Union-Find data structure: OCaml interface type elem val make : unit -&gt; elem val find : elem

481 views • 37 slides
Adaptive Controls for In-Line Checked Baggage Screening Systems (CBSS) Shalom Dolev and Cathal

Adaptive Controls for In-Line Checked Baggage Screening Systems (CBSS) Shalom Dolev and Cathal

Adaptive Controls for In-Line Checked Baggage Screening Systems (CBSS) Shalom Dolev and Cathal Flynn SecureLogic Corporation, New York, New York, USA Abstract The first principle of risk management is to reduce risk to the lowest affordable

195 views • 6 slides
Mechanically checked proof on Dijkstras shortest path algorithm Qiang Zhang J Moore October

Mechanically checked proof on Dijkstras shortest path algorithm Qiang Zhang J Moore October

Mechanically checked proof on Dijkstras shortest path algorithm Qiang Zhang J Moore October 13, 2004 Oct. 13, 2004 p.1/42 Introduction Dijkstras shortest path algorithm: a classical algorithm to find the shortest path between two

529 views • 42 slides
Welcome to CSSE 220 We are excited that you are here: Hopefully you followed the

Welcome to CSSE 220 We are excited that you are here: Hopefully you followed the

Welcome to CSSE 220 We are excited that you are here: Hopefully you followed the instructions in the welcome email, installed eclipse and checked out the Java intro project Start your computer &amp; Eclipse Pick up a quiz from the

550 views • 18 slides
Delimited Continuations The Bees Knees Quasiconf 2012 Andy Wingo A poll How many of you

Delimited Continuations The Bees Knees Quasiconf 2012 Andy Wingo A poll How many of you

Delimited Continuations The Bees Knees Quasiconf 2012 Andy Wingo A poll How many of you use call/cc and continuation objects in large programs? Do we really use it to implement coroutines and backtracking and threads and whatever?

659 views • 28 slides
Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of

Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of

Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of Oslo, N-0316 Oslo, Norway Spring 2008 Computational Physics II FYS4410 Outline Data Blocking Implementing blocking Using vmc blocking

210 views • 8 slides
Algorithms: Linear and Binary Search CS 110 Bryn Mawr

Algorithms: Linear and Binary Search CS 110 Bryn Mawr

Algorithms: Linear and Binary Search CS 110 Bryn Mawr College Algorithm A well-defined set of instruc;ons for solving a par;cular kind of

169 views • 14 slides
v1 v2 vn (if (null? xs) null F F F (cons ( f (first xs)) (F vn) (F v2) (F v1) (my-map f

v1 v2 vn (if (null? xs) null F F F (cons ( f (first xs)) (F vn) (F v2) (F v1) (my-map f

Higher-order List Func2ons Higher-Order List Functions A function is higher-order if it takes another in Racket function as an input and/or returns another function as a result. E.g. app-3-5 , make-linear-function , flip2 . We will now study

300 views • 6 slides
Verifying Centaurs Floating Point Adder Sol Swords sswords@cs.utexas.edu April 23, 2008 Sol

Verifying Centaurs Floating Point Adder Sol Swords sswords@cs.utexas.edu April 23, 2008 Sol

Verifying Centaurs Floating Point Adder Sol Swords sswords@cs.utexas.edu April 23, 2008 Sol Swords () Verifying Centaurs Floating Point Adder April 23, 2008 1 / 21 Problem Given: Verilog RTL for the Centaur CN processors FADD

898 views • 21 slides
Automated Test Case Generation for CTRL using Pex: Lessons Learned David PY Lawrence 1 Stefan

Automated Test Case Generation for CTRL using Pex: Lessons Learned David PY Lawrence 1 Stefan

1 University of Geneva, Switzerland 2 CERN, Geneva, Switzerland Automated Test Case Generation for CTRL using Pex: Lessons Learned David PY Lawrence 1 Stefan Klikovits 1 , 2 Manuel Gonzalez-Berges 2 Didier Buchs 1 Stefan Klikovits 1

709 views • 48 slides
LECTURE 14 LISTS AS STACKS AND QUEUES MCS 260 Fall 2020 David Dumas / REMINDERS Work on:

LECTURE 14 LISTS AS STACKS AND QUEUES MCS 260 Fall 2020 David Dumas / REMINDERS Work on:

LECTURE 14 LISTS AS STACKS AND QUEUES MCS 260 Fall 2020 David Dumas / REMINDERS Work on: Worksheet 5 Quiz 5 Now posted Project 2 description (read it!) / More on this example: lettervalues.py vals.txt , &quot;&quot;&quot;Compute the

496 views • 12 slides
Parallel DBs &amp; MapReduce CSE 344 SECTION 10 Big Bi g Data The Three

Parallel DBs &amp; MapReduce CSE 344 SECTION 10 Big Bi g Data The Three

Parallel DBs &amp; MapReduce CSE 344 SECTION 10 Big Bi g Data The Three Vs of Big Data A Brief Story PredicIng the future MapReduce MapReduce Phases WordCount Example Map(int id,

500 views • 21 slides

More recommend