CCured: Taming C Pointers
George Necula, Scott McPeak, Wes Weimer
{necula,mcpeak,weimer}@cs.berkeley.edu
OSQ Retreat, May 22, 2002

Presentation transcript:

Slide 1: CCured: Taming C Pointers
George Necula, Scott McPeak, Wes Weimer ({necula,mcpeak,weimer}@cs.berkeley.edu)

Slide 2: What are we doing?
- Add run-time checks to C programs
- Catch memory safety errors
- Minimal user effort
- Make C "feel" as safe as Java

Slide 3: The CCured System
(pipeline diagram)
C Program -> CCured Translator -> Instrumented C Program -> Compile & Execute -> either "Halt: Memory Safety Violation" or "Success"

Slide 4: Motivation
- C: Why C?
  - It is popular; it is part of the infrastructure
  - It is also unsafe
- CURED: Why memory safety?
  - Implicit specification
  - Prerequisite for isolation, other properties
  - 50% of software errors are due to pointers
  - 50% of security errors due to buffer overruns

Slide 5: CCured Overview
- Three kinds of pointers: SAFE, SEQ, DYN
  - Spectrum of speed vs. capabilities
- Run-time bookkeeping for memory safety
  - Array bounds information
  - Some run-time type information

Slide 6: SAFE Pointers
(diagram) A SAFE pointer to type τ is represented by a single word: ptr
- On use: null check
- Can do: dereference

Slide 7: SEQuence Pointers
(diagram) A SEQ pointer to type τ is represented by three words: base, ptr, end
- On use: null check; bounds check
- Can do: dereference; pointer arithmetic

Slide 8: DYNamic Pointers
(diagram) A DYN pointer is represented by the pair home, ptr; the home area it points into carries a len field and per-word tags (the slide shows a home area of ints with tag bits 1 1 0)
- On use: null check; bounds check; tag check/update
- Can do: dereference; pointer arithmetic; arbitrary typecasts
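The SAFE and SEQ representations from slides 6 and 7, modelled as an added C example (this is not CCured's own run-time library; the struct layouts, the check codes and the `sample` array are constructed for illustration). A SAFE pointer is one word and pays only a null check; a SEQ pointer carries base and end, so arithmetic is free and the bounds check is paid at dereference time, or once when a SEQ pointer is converted to SAFE. The instrumented program would halt where this model returns a code other than CK_OK.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of a checked operation. CCured's instrumented program halts on
   anything but CK_OK; this model returns the code instead so it can be tested. */
typedef enum { CK_OK = 0, CK_NULL = 1, CK_BOUNDS = 2 } check_t;

/* SAFE pointer: one machine word, exactly the C pointer. Only a null check on use. */
typedef struct { int *ptr; } safe_int;

/* SEQ pointer: three words. base/end delimit the referenced object; ptr moves inside. */
typedef struct { int *base; int *ptr; int *end; } seq_int;

static check_t safe_read(safe_int p, int *out)
{
    if (p.ptr == NULL) return CK_NULL;          /* the only check a SAFE pointer pays */
    *out = *p.ptr;
    return CK_OK;
}

static seq_int seq_from_array(int *arr, size_t n)
{
    seq_int s;
    s.base = arr; s.ptr = arr; s.end = arr + n; /* bounds recorded once, at creation */
    return s;
}

/* Pointer arithmetic on a SEQ pointer is unchecked: it only moves ptr, the bounds travel
   along. Callers keep k within one element past the end so the arithmetic stays defined C. */
static seq_int seq_add(seq_int s, ptrdiff_t k)
{
    s.ptr += k;
    return s;
}

static int seq_in_bounds(seq_int s)
{
    uintptr_t b = (uintptr_t)s.base, p = (uintptr_t)s.ptr, e = (uintptr_t)s.end;
    return b <= p && p < e;
}

/* Dereference: null check, then bounds check base <= ptr < end. */
static check_t seq_read(seq_int s, int *out)
{
    if (s.base == NULL) return CK_NULL;
    if (!seq_in_bounds(s)) return CK_BOUNDS;
    *out = *s.ptr;
    return CK_OK;
}

/* SEQ -> SAFE conversion: the bounds check is paid once here, after which the
   resulting SAFE pointer is a bare word again. */
static check_t seq_to_safe(seq_int s, safe_int *out)
{
    if (s.base == NULL) { out->ptr = NULL; return CK_OK; }   /* null converts to null */
    if (!seq_in_bounds(s)) return CK_BOUNDS;
    out->ptr = s.ptr;
    return CK_OK;
}

/* Sum `count` elements of an array of length n through a SEQ pointer.
   With count == n + 1 this is the classic off-by-one overrun. */
static check_t sum_checked(int *arr, size_t n, size_t count, int *sum)
{
    seq_int p = seq_from_array(arr, n);
    size_t i;
    *sum = 0;
    for (i = 0; i < count; i++) {
        int v;
        check_t c = seq_read(seq_add(p, (ptrdiff_t)i), &v);
        if (c != CK_OK) return c;                /* instrumented program would halt here */
        *sum += v;
    }
    return CK_OK;
}

/* Constructed sample input for the demos below. */
static int sample[4] = { 1, 2, 3, 4 };

static int demo_sum_in_bounds(void)            /* returns 10 */
{
    int sum;
    return sum_checked(sample, 4, 4, &sum) == CK_OK ? sum : -1;
}

static check_t demo_overrun(void)              /* returns CK_BOUNDS */
{
    int sum;
    return sum_checked(sample, 4, 5, &sum);
}

static check_t demo_null_safe(void)            /* returns CK_NULL */
{
    safe_int p = { NULL };
    int v;
    return safe_read(p, &v);
}

static check_t demo_seq_to_safe_past_end(void) /* returns CK_BOUNDS */
{
    safe_int q;
    return seq_to_safe(seq_add(seq_from_array(sample, 4), 4), &q);
}

int main(void)
{
    printf("sum=%d overrun=%d null=%d convert=%d\n", demo_sum_in_bounds(),
           (int)demo_overrun(), (int)demo_null_safe(), (int)demo_seq_to_safe_past_end());
    return 0;
}
```

The point of the layout is visible in the cost: `seq_add` does no work beyond moving `ptr`, so a loop over a SEQ pointer pays one comparison pair per dereference, while a SAFE pointer such as the `FILE *` on slide 9 never pays more than a null test.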

Slide 9: Kinds of Pointers
- Most pointers are SAFE
  - No evil casts, no arithmetic, etc.
  - e.g., FILE * fin = fopen("input", "r");
  - These can be represented without any extra information (just a null check when used)
- This yields better performance!

Slide 10: Static Analysis & Inference
- For every pointer in the program
  - Try to infer the fastest safe representation
  - This is like eliminating classes of run-time checks we know will never fail
- Can be formulated as constraint-solving
  - Examine casts and expressions to get constraints
  - O(E) where E is number of casts/assignments (flow insensitive)

Slide 11: Static Analysis From 10,000 ft
- See "p++", infer p is not SAFE

    struct { int a; int b; } *p1, *p2;
    int *q = (int *)p1;     // this cast is fine
    int **r = (int **)p2;   // this one is not:
                            // p2 and r must be DYN
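The constraint-solving view of slides 10 and 11, as an added C example. This is a simplified model written for this page, not CCured's inference engine: it keeps three rules that are assumptions about the kind lattice (arithmetic on p forces p to at least SEQ; a cast between incompatible pointer types makes both sides DYN; for an assignment a = b the source b must carry at least what a needs, and DYN is contagious in both directions, while SEQ-to-SAFE conversion is allowed because it costs one check). The pointer names come from the slide's snippet plus a few constructed lines (`p`, `s`, `w`, `u`) that exercise each rule.

```c
#include <stdio.h>
#include <string.h>

/* Pointer kinds ordered by cost: a larger value carries more run-time data. */
typedef enum { SAFE = 0, SEQ = 1, DYN = 2 } kind_t;

#define MAXP 16
#define MAXC 32

typedef enum { C_ARITH, C_BADCAST, C_ASSIGN } ctype_t;
typedef struct { ctype_t t; int a, b; } constraint_t;   /* one constraint per cast/assignment/use */

typedef struct {
    int np;
    const char *name[MAXP];
    kind_t kind[MAXP];
    int nc;
    constraint_t c[MAXC];
} prog_t;

/* Look a pointer variable up by name, registering it as SAFE on first sight (optimistic start). */
static int ptr(prog_t *pr, const char *name)
{
    int i;
    for (i = 0; i < pr->np; i++)
        if (strcmp(pr->name[i], name) == 0) return i;
    pr->name[pr->np] = name;
    pr->kind[pr->np] = SAFE;
    return pr->np++;
}

static void add(prog_t *pr, ctype_t t, int a, int b)
{
    constraint_t c = { t, a, b };
    pr->c[pr->nc++] = c;
}

static kind_t max_kind(kind_t x, kind_t y) { return x > y ? x : y; }

/* Flow-insensitive fixpoint: each pass only raises kinds, so it terminates after at most
   2 * (number of pointers) passes over the E constraints. */
static void solve(prog_t *pr)
{
    int changed = 1;
    while (changed) {
        int i;
        changed = 0;
        for (i = 0; i < pr->nc; i++) {
            constraint_t c = pr->c[i];
            kind_t ka = pr->kind[c.a], kb = pr->kind[c.b], na = ka, nb = kb;
            switch (c.t) {
            case C_ARITH:   na = max_kind(ka, SEQ); break;   /* "p++" needs bounds */
            case C_BADCAST: na = DYN; nb = DYN; break;       /* incompatible pointed-to types */
            case C_ASSIGN:                                   /* a = b */
                nb = max_kind(kb, ka);                       /* b must supply what a needs */
                if (nb == DYN) na = DYN;                     /* a DYN source makes a DYN target */
                break;
            }
            if (na != ka) { pr->kind[c.a] = na; changed = 1; }
            if (nb != kb) { pr->kind[c.b] = nb; changed = 1; }
        }
    }
}

/* The slide's snippet, plus constructed lines that exercise each rule. */
static void slide_program(prog_t *pr)
{
    memset(pr, 0, sizeof *pr);
    add(pr, C_ARITH,   ptr(pr, "p"),  ptr(pr, "p"));   /* int *p = arr; p++;       */
    add(pr, C_ASSIGN,  ptr(pr, "s"),  ptr(pr, "p"));   /* int *s = p;   s can stay SAFE */
    add(pr, C_ASSIGN,  ptr(pr, "q"),  ptr(pr, "p1"));  /* int *q = (int *)p1;  fine cast */
    add(pr, C_ASSIGN,  ptr(pr, "w"),  ptr(pr, "q"));   /* int *w = q;              */
    add(pr, C_ARITH,   ptr(pr, "w"),  ptr(pr, "w"));   /* w++;  bounds flow back to q, p1 */
    add(pr, C_BADCAST, ptr(pr, "r"),  ptr(pr, "p2"));  /* int **r = (int **)p2; not fine */
    add(pr, C_ASSIGN,  ptr(pr, "u"),  ptr(pr, "r"));   /* int **u = r;  DYN is contagious */
}

/* Kind inferred for a named pointer of the slide program. */
static kind_t demo_kind(const char *name)
{
    prog_t pr;
    slide_program(&pr);
    solve(&pr);
    return pr.kind[ptr(&pr, name)];
}

/* How many of the program's 8 pointers end up with kind k. */
static int demo_count(kind_t k)
{
    prog_t pr;
    int i, n = 0;
    slide_program(&pr);
    solve(&pr);
    for (i = 0; i < pr.np; i++) n += (pr.kind[i] == k);
    return n;
}

int main(void)
{
    static const char *names[] = { "p", "s", "q", "p1", "w", "r", "p2", "u" };
    static const char *kn[] = { "SAFE", "SEQ", "DYN" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-3s %s\n", names[i], kn[demo_kind(names[i])]);
    return 0;
}
```

Two things the run shows that the slide only states: the "fine" cast `q = (int *)p1` still lets a later `w++` drag `q` and `p1` up to SEQ because the analysis is flow-insensitive, and the bad cast poisons everything assigned from `r`, which is why the results on slides 14 and 15 report ijpeg's high DYN share.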

Slide 12: Variable-Argument Functions
- Common in C (e.g., printf)
- Note all types used for actual arguments
- Record actual argument types at call-site
- Inside body, check when a type is expected
- Also check number of arguments requested
- Special handling for printf()
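The call-site/callee protocol of slide 12, as an added C example (not CCured's implementation; the `argrec_t` descriptor, the tag enum and the `checked_format` consumer are constructed for this page). The call site records a tag per actual argument; inside the body every `va_arg` is preceded by a check that the recorded tag matches the expected type and that an argument is actually left. The third demo reproduces the bug class from slide 16, a `FILE *` handed to a `%s` conversion.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Tags recorded at the call site, one per actual argument. */
typedef enum { T_INT, T_DOUBLE, T_STRING, T_PTR } tag_t;
#define MAXARGS 8
typedef struct { int n; int next; tag_t tags[MAXARGS]; } argrec_t;

typedef enum { VA_OK, VA_TYPE_MISMATCH, VA_TOO_MANY } va_err_t;

/* Call-site side: build the descriptor from the tags of the actual arguments. */
static argrec_t record(int n, ...)
{
    argrec_t r;
    va_list ap;
    int i;
    r.n = n > MAXARGS ? MAXARGS : n;
    r.next = 0;
    va_start(ap, n);
    for (i = 0; i < r.n; i++) r.tags[i] = (tag_t)va_arg(ap, int);   /* enums promote to int */
    va_end(ap);
    return r;
}

/* Callee side: check the recorded tag and the count before the body consumes an argument. */
static va_err_t checked_arg(argrec_t *rec, tag_t expected)
{
    if (rec->next >= rec->n) return VA_TOO_MANY;
    if (rec->tags[rec->next] != expected) return VA_TYPE_MISMATCH;
    rec->next++;
    return VA_OK;
}

/* A tiny printf-like consumer. Every va_arg is guarded by checked_arg, so a mismatch
   is reported before the wrong type is ever read from the argument list. */
static va_err_t checked_format(char *out, size_t outsz, argrec_t rec, const char *fmt, ...)
{
    va_list ap;
    size_t pos = 0;
    va_err_t err = VA_OK;
    va_start(ap, fmt);
    out[0] = '\0';
    for (; *fmt && err == VA_OK && pos + 1 < outsz; fmt++) {
        if (*fmt != '%') { out[pos++] = *fmt; out[pos] = '\0'; continue; }
        fmt++;
        if (*fmt == '\0') break;                      /* dangling '%' at end of format */
        switch (*fmt) {
        case 'd':
            if ((err = checked_arg(&rec, T_INT)) == VA_OK)
                pos += (size_t)snprintf(out + pos, outsz - pos, "%d", va_arg(ap, int));
            break;
        case 's':
            if ((err = checked_arg(&rec, T_STRING)) == VA_OK)
                pos += (size_t)snprintf(out + pos, outsz - pos, "%s", va_arg(ap, const char *));
            break;
        case 'f':
            if ((err = checked_arg(&rec, T_DOUBLE)) == VA_OK)
                pos += (size_t)snprintf(out + pos, outsz - pos, "%g", va_arg(ap, double));
            break;
        default:
            out[pos++] = *fmt; out[pos] = '\0';
        }
        if (pos + 1 > outsz) pos = outsz - 1;          /* snprintf reports the untruncated length */
    }
    va_end(ap);
    return err;
}

static char demo_buf[64];

static va_err_t demo_good(void)                 /* returns VA_OK, demo_buf holds "42 ok" */
{
    return checked_format(demo_buf, sizeof demo_buf, record(2, T_INT, T_STRING), "%d %s", 42, "ok");
}
static const char *demo_good_text(void) { demo_good(); return demo_buf; }

static va_err_t demo_file_as_string(void)       /* returns VA_TYPE_MISMATCH: the ks bug */
{
    return checked_format(demo_buf, sizeof demo_buf, record(1, T_PTR), "%s", (void *)stdout);
}

static va_err_t demo_missing_arg(void)          /* returns VA_TOO_MANY: "%d %d" with one int */
{
    return checked_format(demo_buf, sizeof demo_buf, record(1, T_INT), "%d %d", 7);
}

int main(void)
{
    printf("good=%d text=\"%s\" file=%d missing=%d\n", (int)demo_good(), demo_good_text(),
           (int)demo_file_as_string(), (int)demo_missing_arg());
    return 0;
}
```

Because the tags are fixed at the call site where the compiler knows the actual types, the body never has to trust the format string; that is the reason slide 12 notes the count check as well, since a format that requests more conversions than were passed would otherwise read past the argument list.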

Slide 13: Experiments
- Instrumented Spec95, Olden, Ptrdist
- 2 Linux Device Drivers
- 9 Apache Modules
- 1 FTP Server
- Slowdown: benchmark 50%, other 2%
- Found some bugs!

Slide 14: Experimental Results

Program     LOC   %Safe  %Seq  %Dyn  CCured Ratio  Purify Ratio
compress   1590     87     12     0     1.25            28
go        29315     96      4     0     2.01            51
ijpeg     31371     36      1    62     2.15            30
li         7761     93      6     0     1.86            50
bh         2053     80     18     0     1.53            94
bisort      707     90     10     0     1.03            42
em3d        557     85     15     0     2.44             7
ks          973     92      8     0     1.47            31
health      725     93      7     0     0.94            25

Slide 15: Experimental Results (2)

Program             LOC   %Safe  %Seq  %Dyn  CCured Ratio         Changes
bc                 7323     90     10     0   1.26                 0
yacr2              3999     85     14     0   2.15                 0
WebStone (9 mods) 14940    ~85    ~15     0   1.04                 ~204 or 1%
pcnet32            1661     92      8     0   0.99 (ping: 1.00)    5 or 0.3%
sbull              1013     85     15     0   1.00 (seeks: 1.03)   20 or 2%
ftpd               6553     79     12     9   1.01                 70 or 1%

Slide 16: Bugs Found
- ks passes FILE* to printf, not char*
- compress, ijpeg: array bound violations
- go: 8 array bound violations
- go: 1 uninit variable as array index
- Many involve multi-dimensional arrays
- Purify only found go uninit bug
- ftpd buffer overrun bug

Slide 17: Other Fun Features
- Special Sequences (strings)
- void* is treated as a type variable
- Limited polymorphism
  - clone functions at call-site
  - later, coalesce identical bodies
- DYN function pointers

Slide 18: Future Work
- ACE C++ operating system framework
  - 2M LOC, 2000 files
- Store meta-data apart from pointers
  - better library integration
- Explain inference results to user

Slide 19: Conclusion
- Most C pointers are already type-safe
- Static and dynamic analyses complementary
- CCured is expressive enough to handle C yet precise enough to find real bugs!
- Performance is good

Slide 20: Any Questions?
