dynamically checking types bounds and maybe even more
play

Dynamically checking types, bounds and maybe even more (or: some - PowerPoint PPT Presentation

Dec 11, 2023 •565 likes •863 views

Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Tool wanted (how it all started) if (obj > type == OBJ

  1. Dynamically checking types, bounds and maybe even more (or: “some were meant for C”) Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1

  2. “Tool wanted” (how it all started) if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; return 0; } 2

  3. “Tool wanted” (how it all started) if (obj − > type == OBJ COMMIT) { if (process commit(walker, (struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) 2

  4. “Tool wanted” (how it all started) if (obj − > type == OBJ COMMIT) { if (process commit(walker, (struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) But also wanted: � binary-compatible � source-compatible � reasonable performance � avoid being C-specific!* * mostly... 2

  5. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends 3

  6. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally 3

  7. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally � $ LD PRELOAD=libcrunch.so ./myprog # does checks 3

  8. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally � $ LD PRELOAD=libcrunch.so ./myprog # does checks � myprog: Failed is a internal(0x5a1220, 0x413560 a.k.a. "uint$32") at 0x40dade, allocation was a heap block of int$32 originating at 0x40daa1 3

  9. Fast-forward to 2016 We can do it! � checking casts works pretty well Last year I talked about a bounds checker � also now going pretty well (more shortly) Other new developments: � Clang front-end (Chris Diamand) � generalising the infrastructure to other uses � liballocs core library (see Onward! 2015) Impending tie-ins: Cerberus, CHERI, ... 4

  10. State of play c.2015 � libcrunch pretty good at run-time type checking � supports idiomatic C, source- and binary-compatibly � does not check memory correctness 5

  11. State of play c.2015 � libcrunch pretty good at run-time type checking � supports idiomatic C, source- and binary-compatibly � does not check memory correctness struct { int x; float y; } z; int ∗ x1 = &z.x; // ok int ∗ x2 = ( int ∗ ) &z; // passes check int ∗ y1 = ( int ∗ ) &z.y; // fails ! int ∗ y2 = &z.x + 1; // use SoftBound int ∗ y3 = &((&z.x )[1]); // use SoftBound return &z; // use CETS 5

  12. State of play c.2015 � libcrunch pretty good at run-time type checking � supports idiomatic C, source- and binary-compatibly � does not check memory correctness struct { int x; float y; } z; int ∗ x1 = &z.x; // ok int ∗ x2 = ( int ∗ ) &z; // passes check int ∗ y1 = ( int ∗ ) &z.y; // fails (good)! int ∗ y2 = &z.x + 1; // ∗∗∗ int ∗ y3 = &((&z.x )[1]); // ∗∗∗ return &z; // use CETS 5

  13. Wanted: a bounds checker people might even leave turned on?! Must check bounds! But also � support all common idioms � be precise , not best-effort � very, very few false positives � minimise problems with uninstrumented libraries � option to continue after a reported error � easy to turn on/off � fast Memcheck, ASan, SoftBound all fail at > 1 of these 6

  14. Existing bounds checkers use per-pointer metadata p_base x 3.5 ctr y 8.0 maj 2 min 7 p_e = &my_ellipses[1] x 1.0 ctr y 1.5 ellipse struct ellipse { maj 5 struct point { min 8 double x, y; x 6.5 ctr } ctr; y -2.0 double maj; maj 4 double min; min 4 } my_ellipses[3]; p_limit 7

  15. Existing bounds checkers use per-pointer metadata struct ellipse { x 3.5 ctr struct point { y 8.0 double x, y; maj 2 } ctr; p_base min 7 double maj; p_ d = &p_e->ctr.x x 1.0 double double min; ctr p_limit y 1.5 } my_ellipses[3]; maj 5 min 8 x 6.5 ctr y -2.0 maj 4 min 4 7

  16. Without type information, pointer bounds may lose precision struct ellipse { x 3.5 ctr struct point { y 8.0 double x, y; maj 2 } ctr; p_base min 7 double maj; p_ f = (ellipse*) p_d x 1.0 double min; ctr p_limit y 1.5 } my_ellipses[3]; ellipse maj 5 min 8 x 6.5 ctr y -2.0 maj 4 min 4 8

  17. Given allocation type and pointer type, bounds are implicit x 3.5 ctr y 8.0 maj 2 min 7 p_ e = &my_ellipses[1] x 1.0 ctr y 1.5 ellipse[3] ellipse struct ellipse { maj 5 struct point { min 8 double x, y; x 6.5 ctr } ctr; y -2.0 double maj; maj 4 double min; min 4 } my_ellipses[3]; 9

  18. Given allocation type and pointer type, bounds are implicit x 3.5 ctr y 8.0 maj 2 min 7 p_ d = &p_e->ctr.x x 1.0 double double ctr y 1.5 ellipse[3] struct ellipse { maj 5 struct point { min 8 double x, y; x 6.5 ctr } ctr; y -2.0 double maj; maj 4 double min; min 4 } my_ellipses[3]; 9

  19. Given allocation type and pointer type, bounds are implicit x 3.5 ctr y 8.0 maj 2 min 7 p_ f = (ellipse*) p_d x 1.0 ctr y 1.5 ellipse[3] ellipse struct ellipse { maj 5 struct point { min 8 double x, y; x 6.5 ctr } ctr; y -2.0 double maj; maj 4 double min; min 4 } my_ellipses[3]; 9

  20. The importance of being type-aware (when bounds-checking) struct driver { / ∗ ... ∗ / } ∗ d = / ∗ ... ∗ / ; struct i2c driver { / ∗ ... ∗ / struct driver driver ; / ∗ ... ∗ / } ; #define container of(ptr , type, member) \ ((type ∗ )( ( char ∗ )(ptr) − offsetof(type,member) )) i2c drv = container of(d, struct i2c driver , driver ); 10

  21. The importance of being type-aware (when bounds-checking) struct driver { / ∗ ... ∗ / } ∗ d = / ∗ ... ∗ / ; struct i2c driver { / ∗ ... ∗ / struct driver driver ; / ∗ ... ∗ / } ; #define container of(ptr , type, member) \ ((type ∗ )( ( char ∗ )(ptr) − offsetof(type,member) )) i2c drv = container of(d, struct i2c driver , driver ); SoftBound is oblivious to casts, even though they matter: � bounds of d : just the smaller struct � bounds of the char* : the whole allocation � bounds of i2c drv : the bigger struct If only we knew the type of the storage! 10

  22. Idea: a bounds-checker build on per-allocation type metadata � avoid these false positives � avoid libc wrappers, ... � robust to uninstrumented callers/callees Making it fast: � cache bounds: make pointers “locally fat, globally thin” � only check derivation , not use inline int check derive ptr ( const void ∗∗ p derived, const void ∗ derivedfrom, struct uniqtype ∗ t, libcrunch bounds t ∗ opt derivedfrom bounds); 11

  23. Lots of hacking later: did it work? Mostly! But SoftBound-competitive performance requires � bounds passing via a shadow stack (like SoftBound) � bounds store/load via a shadow space (like SoftBound) ... i.e. still pushing per-pointer metadata around. But! T t = a[i ]; // derive, then immediately use T ∗ t = p + n; // derive (no use) T ∗ t = p − > next − > next − > t; // use (x3) Unlike SoftBound, we check pointer derivations not uses � performance implications go here 12

  24. Trap reps for one-past pointers Use x86-64’s non-canonical addresses � to represent “one-past” addresses � trap if used � de-trap to compare, cast, etc. Massively useful! � tolerate some “pointer stuffing” � (should) support nasty union cases � (should) help “roaming” char* Other arches: reserve n − 1 n of VAS (diagram: Vladsinger, CC-BY-SA 3.0) 13

  25. Other advances on SoftBound � continuing after an error (!) � dealing with casts � staying precise even with uninstrumented libraries � performance on linked-structure-based programs � TBC! good benchmarks, anyone? Next: repetition and reproduction studies on SoftBound � repeating SoftBound results (same code): tricky � reproducing SoftBound results � do SoftBound-identical checks with libcrunch � disjoint infrastructure → reproduction interest 14

  26. Emerging: a safe C that people might actually use?! Likely forthcoming research tie-ins: � Cerberus: formally state what’s being checked � CHERI: multiple bounds checking “personalities” � syscall spec work: syscalls need bounds checks! Safety gap-plugging to do: � easy-ish: unions, memcpy, link-time check � more work: temporal safety (GC, initialization) � roaming pointers, ... Development: � in Clang; in-kernel, other arch/OSes, make world ... 15

  27. How not to feel bad (1) A common view among language-y people: C is bad and you should feel bad if you don’t say it is bad M ay 23, 2016 ∞ I’ve spent a lot of t im e on t his blog point ing out how C and C++ are t o blam e for m ost of t he severe c om put er sec urit y failures w e see on a daily basis. The evidenc e so overw helm ing (and w ell k now n!) t hat in m y ex perienc e even t he m ost rabid C part isans do not c hallenge it . 16

  28. How not to feel bad (2) ... but this view confuses languages with implementations ! What the world really needs is � a safe implementation of C! (and C ++ and...) � not (just) new safe languages or dialects Preserve all of C, including the real good bits � communicating with “aliens”, through memory � it’s not [just] about manual memory management � it’s not really about performance at all 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk

Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk

Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Tool wanted if (obj > type == OBJ COMMIT) { if (process commit(walker, ( struct commit )obj))

641 views • 62 slides
Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd Fischer n.grech@ecs.soton.ac.uk Dynamically-typed languages Principal type of a variable is mutated through assignments: def plus2(a): if

1.47k views • 109 slides
INF5110 Compiler Construction Types and type checking Spring 2016 1 / 43 Outline 1. Types

INF5110 Compiler Construction Types and type checking Spring 2016 1 / 43 Outline 1. Types

INF5110 Compiler Construction Types and type checking Spring 2016 1 / 43 Outline 1. Types and type checking Intro Various types and their representation Equality of types Type checking 2 / 43 Outline 1. Types and type checking Intro

1.11k views • 43 slides
Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell

Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell

Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge libcrunch . . . p.1/22 Wanted (naive version): check this! if (obj

281 views • 26 slides
Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam

Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam

Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam Chlipala OSDI 2010 Beyond Code Injection 1.Injection An application includes an Dependent on application-specific unintended run-time program

595 views • 20 slides
ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow stacks page-level protection RELRO protect global ofgset table guard pages around memory allocations/etc. start ASLR choose random addresses

1.1k views • 73 slides
Model Checking Lower Bounds for Simple Graphs Michael Lampis KTH Royal Institute of Technology

Model Checking Lower Bounds for Simple Graphs Michael Lampis KTH Royal Institute of Technology

Model Checking Lower Bounds for Simple Graphs Michael Lampis KTH Royal Institute of Technology July 8th, 2013 Algorithmic Meta-Theorems Positive results Negative results Problem X is tractable. Problem X is hard. Model Checking Lower

912 views • 62 slides
Types and Static Type Checking (Introducing Micro-Haskell) Informatics 2A: Lecture 13 Alex

Types and Static Type Checking (Introducing Micro-Haskell) Informatics 2A: Lecture 13 Alex

Types Micro-Haskell: crash course MH Types & Abstract Syntax Type Checking Types and Static Type Checking (Introducing Micro-Haskell) Informatics 2A: Lecture 13 Alex Simpson School of Informatics University of Edinburgh

574 views • 26 slides
Chapter 7 Arrays Chapter Scope Array declaration and use Bounds checking Arrays as

Chapter 7 Arrays Chapter Scope Array declaration and use Bounds checking Arrays as

Chapter 7 Arrays Chapter Scope Array declaration and use Bounds checking Arrays as objects Arrays of objects Command-line arguments Variable-length parameter lists Multidimensional arrays Java Foundations, 3rd Edition,

628 views • 59 slides
Process-wide type and bounds checking (via an alliance of many language implementations) Stephen

Process-wide type and bounds checking (via an alliance of many language implementations) Stephen

Process-wide type and bounds checking (via an alliance of many language implementations) Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Join me, and together we can rule all the languages

849 views • 70 slides
Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker Types Transform Check safety and

681 views • 67 slides
Type Checking General properties of type systems Types in programming languages

Type Checking General properties of type systems Types in programming languages

Outline Type Checking General properties of type systems Types in programming languages Notation for type rules Logical rules of inference Common type rules 2 Static Checking Static Checking (Cont.) Refers to

896 views • 10 slides
Types for complexity-checking Franc ois Pottier May 20th, 2010 1 / 57 In this talk I would

Types for complexity-checking Franc ois Pottier May 20th, 2010 1 / 57 In this talk I would

Types for complexity-checking Franc ois Pottier May 20th, 2010 1 / 57 In this talk I would like to talk about how to use types for complexity-checking; how to do this in an expressive programming language, such as ML (with

615 views • 57 slides
Lab 7: Code checking tools Background on memory allocation Types of problem Uninitialized

Lab 7: Code checking tools Background on memory allocation Types of problem Uninitialized

Code checking tools Lab 7: Code checking tools Background on memory allocation Types of problem Uninitialized Comp Sci 1585 values Invalid read / write Data Structures Lab: Mis-used delete Tools for Computer Scientists Memory leaks

447 views • 17 slides
Operational Aspects of Type Systems Inter-Derivable Semantics of Type Checking and Gradual Types

Operational Aspects of Type Systems Inter-Derivable Semantics of Type Checking and Gradual Types

Operational Aspects of Type Systems Inter-Derivable Semantics of Type Checking and Gradual Types for Object Ownership Ilya Sergey 14 November 2012 Types A type - is a set of data instances and operations on them true , false boolean =

1.27k views • 86 slides
Colored intersection types: a bridge between linear logic and higher-order model-checking Charles

Colored intersection types: a bridge between linear logic and higher-order model-checking Charles

Colored intersection types: a bridge between linear logic and higher-order model-checking Charles Grellois (joint work with Paul-Andr e Melli` es) PPS & LIAFA Universit e Paris 7 TYPES conference May 18th, 2015 Charles

549 views • 35 slides
FAT File system Case studies Microsoft, late 70s FAT late 70s; Microsoft File Allocation Table

FAT File system Case studies Microsoft, late 70s FAT late 70s; Microsoft File Allocation Table

FAT File system Case studies Microsoft, late 70s FAT late 70s; Microsoft File Allocation Table (FAT) key idea: linked list started with MSDOS Today: flash sticks in FAT-32, supports 2 28 blocks and files of 2 32 -1 bytes Unix FFS mid 80 s

225 views • 10 slides
Conquering Time with FRP A practical introduction to Functional Reactive Programming by sergi

Conquering Time with FRP A practical introduction to Functional Reactive Programming by sergi

Conquering Time with FRP A practical introduction to Functional Reactive Programming by sergi mansilla | @sergimansilla @sergimansilla http:/ /github.com/sergi Alumni Shameless linkbaiting Conquering Time with FRP A practical introduction

1.18k views • 68 slides
Good Morning! MC S 2490/ BMS 2308 Package Production J anuary 2017 Ulrich Werner 1. Audio

Good Morning! MC S 2490/ BMS 2308 Package Production J anuary 2017 Ulrich Werner 1. Audio

Good Morning! MC S 2490/ BMS 2308 Package Production J anuary 2017 Ulrich Werner 1. Audio Production Process 2. Project Idea Generation How M icrophones work M icrophones are a type of transducer - a device which converts energy

741 views • 41 slides
CS 251 Fall 2019 CS 251 Spring 2020 Principles of Programming Languages Principles of

CS 251 Fall 2019 CS 251 Spring 2020 Principles of Programming Languages Principles of

CS 251 Fall 2019 CS 251 Spring 2020 Principles of Programming Languages Principles of Programming Languages Ben Wood Ben Wood ML vs. Racket and Static vs. Dynamic Type-Checking https://cs.wellesley.edu/~cs251/s20/ 1 Static vs.

755 views • 33 slides
Preacher: Network Policy Checker for Adversarial Environments Kashyap Thimmaraju, Liron Schiff

Preacher: Network Policy Checker for Adversarial Environments Kashyap Thimmaraju, Liron Schiff

Preacher: Network Policy Checker for Adversarial Environments Kashyap Thimmaraju, Liron Schiff and Stefan Schmid 1 Backdoors and exploits Network devices are very effective attack vectors Provide access to internal networks

469 views • 18 slides
Scientific Certification John Rushby Computer Science Laboratory SRI International Menlo Park,

Scientific Certification John Rushby Computer Science Laboratory SRI International Menlo Park,

Scientific Certification John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Scientific Certification: 1 Does The Current Approach Work? Fuel emergency on Airbus A340-642, G-VATL, on 8

998 views • 21 slides
Formal Verification, Model Checking Radek Pel anek Introduction Modeling Specification

Formal Verification, Model Checking Radek Pel anek Introduction Modeling Specification

Introduction Modeling Specification Algorithms Conclusions Formal Verification, Model Checking Radek Pel anek Introduction Modeling Specification Algorithms Conclusions Motivation Formal Methods: Motivation examples of what can go

986 views • 74 slides
Symbolic Model Checking 10 20 States and Beyond Burch Clarke McMillan Dill Hwang Seminal

Symbolic Model Checking 10 20 States and Beyond Burch Clarke McMillan Dill Hwang Seminal

The Mu-Calculus Model Checking Example Results Symbolic Model Checking 10 20 States and Beyond Burch Clarke McMillan Dill Hwang Seminal Papers in Verification March 23, 2012 Andrena Francisco Symbolic Model Checking The Mu-Calculus

196 views • 15 slides

More recommend