The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.

Slides:



Advertisements
Similar presentations
R4 Dynamically loading processes. Overview R4 is closely related to R3, much of what you have written for R3 applies to R4 In R3, we executed procedures.
Advertisements

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.
CSE 303 Lecture 16 Multi-file (larger) programs
Chapter 7 Process Environment Chien-Chung Shen CIS, UD
Chapter 7: User-Defined Functions II
C++ Programming: Program Design Including Data Structures, Third Edition Chapter 7: User-Defined Functions II.
CERTIFICATION OBJECTIVES Use Class Members Develop Wrapper Code & Autoboxing Code Determine the Effects of Passing Variables into Methods Recognize when.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
Tam Vu Remote Procedure Call CISC 879 – Spring 03 Tam Vu March 06, 03.
1 Pointers A pointer variable holds an address We may add or subtract an integer to get a different address. Adding an integer k to a pointer p with base.
Introduction The Approach ’ s Overview A Language of Pointers The Type System Operational Semantics Type Safety Type Inference The Rest of C Experiments.
CIS 101: Computer Programming and Problem Solving Lecture 8 Usman Roshan Department of Computer Science NJIT.
. Plab – Tirgul 2 Const, C Strings. Pointers int main() { int i,j; int *x; // x points to an integer i = 1; x = &i; j = *x; ijx 1.
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.
Memory Arrangement Memory is arrange in a sequence of addressable units (usually bytes) –sizeof( ) return the number of units it takes to store a type.
. Compilation / Pointers Debugging 101. Compilation in C/C++ hello.c Preprocessor Compiler stdio.h tmpXQ.i (C code) hello.o (object file)
C strings (Reek, Ch. 9) 1CS 3090: Safety Critical Programming in C.
A Type System for Expressive Security Policies David Walker Cornell University.
ARRAYS AND POINTERS Although pointer types are not integer types, some integer arithmetic operators can be applied to pointers. The affect of this arithmetic.
CS 61C L03 C Arrays (1) A Carle, Summer 2005 © UCB inst.eecs.berkeley.edu/~cs61c/su05 CS61C : Machine Structures Lecture #3: C Pointers & Arrays
1 Pointers, Dynamic Data, and Reference Types Review on Pointers Reference Variables Dynamic Memory Allocation –The new operator –The delete operator –Dynamic.
Guide To UNIX Using Linux Third Edition
Templates. Objectives At the conclusion of this lesson, students should be able to Explain how function templates are used Correctly create a function.
. Memory Management. Memory Organization u During run time, variables can be stored in one of three “pools”  Stack  Static heap  Dynamic heap.
Overview Working directly with memory locations is beneficial. In C, pointers allow you to: change values passed as arguments to functions work directly.
Sockets CIS 370 Fall 2009, UMassD. Introduction  Sockets provide a simple programming interface which is consistent for processes on the same machine.
1 CISC181 Introduction to Computer Science Dr. McCoy Lecture 19 Clicker Questions November 3, 2009.
C++ Programming: Program Design Including Data Structures, Fourth Edition Chapter 13: Pointers, Classes, Virtual Functions, and Abstract Classes.
C++ Programming: From Problem Analysis to Program Design, Fourth Edition Chapter 14: Pointers, Classes, Virtual Functions, and Abstract Classes.
Copyright 2001 Oxford Consulting, Ltd1 January Storage Classes, Scope and Linkage Overview Focus is on the structure of a C++ program with –Multiple.
CS 390- Unix Programming Environment CS 390 Unix Programming Environment Topics to be covered: Distributed Computing Fundamentals.
Nirmalya Roy School of Electrical Engineering and Computer Science Washington State University Cpt S 122 – Data Structures Classes: A Deeper Look Part.
CS212: Object Oriented Analysis and Design Lecture 12: Operator Overloading-II.
1 C - Memory Simple Types Arrays Pointers Pointer to Pointer Multi-dimensional Arrays Dynamic Memory Allocation.
Copyright  Hannu Laine C++-programming Part 3 Hannu Laine.
1 Compiler Construction (CS-636) Muhammad Bilal Bashir UIIT, Rawalpindi.
Dynamic memory allocation and Pointers Lecture 4.
The Fail-Safe C to Java translator Yuhki Kamijima (Tohoku Univ.)
CPS4200 Unix Systems Programming Chapter 2. Programs, Processes and Threads A program is a prepared sequence of instructions to accomplish a defined task.
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
Topic 3: C Basics CSE 30: Computer Organization and Systems Programming Winter 2011 Prof. Ryan Kastner Dept. of Computer Science and Engineering University.
Chapter 10: Classes and Data Abstraction. Objectives In this chapter, you will: Learn about classes Learn about private, protected, and public members.
Functions Illustration of: Pass by value, reference Scope Allocation Reference: See your CS115/215 textbook.
1 Lecture07: Memory Model 5/2/2012 Slides modified from Yin Lou, Cornell CS2022: Introduction to C.
POINTERS. // Chapter 3 - Program 1 - POINTERS.CPP #include int main() { int *pt_int; float *pt_float; int pig = 7, dog = 27; float x = , y = 32.14;
1 Becoming More Effective with C++ … Day Two Stanley B. Lippman
Object-Oriented Programming in C++ Lecture 4 Constants References Operator overloading.
Semantic Analysis II Type Checking EECS 483 – Lecture 12 University of Michigan Wednesday, October 18, 2006.
Variables and memory addresses
Chapter 1 Java Programming Review. Introduction Java is platform-independent, meaning that you can write a program once and run it anywhere. Java programs.
Chapter 10: Classes and Data Abstraction. Classes Object-oriented design (OOD): a problem solving methodology Objects: components of a solution Class:
1 Recall that... char str [ 8 ]; str is the base address of the array. We say str is a pointer because its value is an address. It is a pointer constant.
 Data Type is a basic classification which identifies different types of data.  Data Types helps in: › Determining the possible values of a variable.
CSE 303 Concepts and Tools for Software Development Richard C. Davis UW CSE – 10/11/2006 Lecture 7 – Introduction to C.
LECTURE 19 Subroutines and Parameter Passing. ABSTRACTION Recall: Abstraction is the process by which we can hide larger or more complex code fragments.
Chapter 7 Process Environment Chien-Chung Shen CIS/UD
DYNAMIC MEMORY ALLOCATION. Disadvantages of ARRAYS MEMORY ALLOCATION OF ARRAY IS STATIC: Less resource utilization. For example: If the maximum elements.
Language-Based Security: Overview of Types Deepak Garg Foundations of Security and Privacy October 27, 2009.
Secure Coding Rules for C++ Copyright © 2016 Curt Hill
Lesson One – Creating a thread
C Basics.
Secure Coding Rules for C++ Copyright © Curt Hill
Pointers, Dynamic Data, and Reference Types
6 Chapter Functions.
Pointers C#, pointers can only be declared to hold the memory addresses of value types int i = 5; int *p; p = &i; *p = 10; // changes the value of i to.
Language-based Security
Dynamic Memory.
SPL – PS2 C++ Memory Handling.
Presentation transcript:

The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko

International Symposium on Software Security2 In this presentation…  We introduce the IDL for Fail-Safe C  With our IDL, we can… Easily generate wrappers for external functions Safely interface Fail-Safe C with external functions  Our approach can be used to other safe languages

International Symposium on Software Security3 Background

International Symposium on Software Security4 Fail-Safe C  Safe implementation of C Translates C sources to fail-safe ones Inserts safety checks such as boundary checks Ensures safety focusing on types of objects Prevents programs from performing unsafe operations

International Symposium on Software Security5 Problems of Fail-Safe C  Cooperation with external functions Data representation problem Fail-Safe C uses its original data representation  Cannot call external functions directly Safety problem Many external functions require preconditions for safety

International Symposium on Software Security6 Solution  To prepare a wrapper for each function Checks preconditions, converts representation, … We want to automatically generate such wrappers

International Symposium on Software Security7 Approach  Interface Definition Language (IDL) Describe preconditions and behavior of external functions with the IDL IDL processor Interface Definition Wrappers

wrapper(…) { … memcpy(…) … wrapper(…) { … memcpy(…) … int main(…) { … memcpy(…) … … int main(…) { … memcpy(…) … … memcpy(…) { … return; } memcpy(…) { … return; } Checks Preconditions Converts Arguments Converts Return value

International Symposium on Software Security9 Outline of the Presentation  Safety Fail-Safe C and our IDL guarantees  Internal data representation of Fail-Safe C  Wrappers’ behavior  Experiment  Related work  Future work

International Symposium on Software Security10 The Safety Fail-Safe C Guarantees If a program attempts to perform undefined behavior, Fail-Safe C aborts the program before the operation is performed Not fully formal, but sufficient for our aim

International Symposium on Software Security11 The Safety Fail-Safe C Guarantees void strcpy(char *s1, char *s2) { while (*s1++ = *s2++) ; } Out-of-bound access may occur here The result of out-of-bound access is Undefined Usual C compiler

International Symposium on Software Security12 The Safety Fail-Safe C Guarantees void strcpy(char *s1, char *s2) { while (*s1++ = *s2++) ; } Attempts to perform out-of-bound access Aborts the program Fail-Safe C compiler

International Symposium on Software Security13 The Safety Fail-Safe C Guarantees (again) If a program attempts to perform undefined behavior, Fail-Safe C aborts the program before the operation is performed Not fully formal, but sufficient for our aim

International Symposium on Software Security14 The Safety our IDL Guarantees  Two assumptions Fail-Safe C does not contain bugs The safety of Fail-Safe C does hold just before wrappers are called Interface definitions correctly reflect the implementation of external functions If these two assumptions hold, our IDL guarantees that Fail-Safe C’s safety holds after external functions return

International Symposium on Software Security15 Internal Data Representation of Fail-Safe C  Fail-Safe C differs from usual C in representation of… Memory blocks Pointers Integers

International Symposium on Software Security16 Internal Data Representation of Fail-Safe C  Every memory block has a header size Data TypeInfo Header

International Symposium on Software Security17 Internal Data Representation of Fail-Safe C  Every pointer is represented in 2 words size Data base offset TypeInfo

International Symposium on Software Security18 Internal Data Representation of Fail-Safe C  Every integer is also represented in 2 words (pointers may be cast to integers) base offset pointer integer cast

International Symposium on Software Security19 Summary of Data Representation  Pointers Represented in 2 words  Integers Represented in 2 words  Memory blocks Have metadata Contents has Fail-Safe C’s representation Wrappers have to convert the representation of arguments

International Symposium on Software Security20 Behavior of the Wrapper of memcpy char *memcpy(char *s1, char *s2, int n);

International Symposium on Software Security21 Behavior of the Wrapper of memcpy char *memcpy(char *s1, char *s2, int n); Preconditions n > 0 1. s1 != NULL, s2 != NULL 2. First n bytes of memory blocks has to be accessible n bytes from s1 and s2 cannot overlap each other

International Symposium on Software Security22 Behavior of the Wrapper of memcpy char *memcpy(char *s1, char *s2, int n); Converting representation (before call) 2-word repr. → 1-word repr. 1.Allocates new memory block in C’s image 2.Copies contents to it converting repr.

International Symposium on Software Security23 Behavior of the Wrapper of memcpy char *memcpy(char *s1, char *s2, int n); Converting representation (after returns) 1.Writes back update of the memory block 2.Deallocates the newly allocated memory block Encodes return value maintaining the distance from s1

International Symposium on Software Security24 Behavior of Wrappers 1.Precondition Checking 2.Decoding and Allocation Integers are converted to 1-word repr. Allocates a memory block and copies to it for each pointer-type argument 3.Call Safe if assumptions appeared before hold

International Symposium on Software Security25 Behavior of Wrappers 4.Encoding and Deallocation Converts the return value to Fail-Safe C’s repr. Reflect update of passed memory blocks Reflect update of global variables (Fail- Safe C allocates two regions for each global variable) Deallocates memory blocks allocated in the wrapper

International Symposium on Software Security26 An Example of Interface Definition  Add supplemental information to C’s declaration in the form of attributes [points_in(s1)] char *memcpy([never_null, can_access(0, n-1), write(true, 0, n-1)] char *s1, [never_null, can_access(0, n-1)] const char *s2 int n) [precond(n > 0), no_overlap(s1, 0, n-1, s2, 0, n-1)];

International Symposium on Software Security27 Experiments  Measured overhead with four micro- benchmarks In each benchmark, we used… Programs compiled with Fail-Safe C and used wrappers to call external functions Programs compiled with gcc and called wrappers directly Environment: UltraSPARC-II 400 MHz CPU, 13.0 GB RAM

International Symposium on Software Security28 Benchmark 1: succ  Takes one integer, adds 1 to it and return it  Measured time spent in calling this function 10 7 times as an external function  Give information about the overhead of converting integers

International Symposium on Software Security29 Benchmark 2: arraysucc  Takes an array of 10 7 characters  Measured time spent in calling this function once as an external function  Give information about the overhead of converting pointer-type arguments

International Symposium on Software Security30 Benchmark 3: cp  File-copying program that uses open, read and write system calls  Measured time spent in copying a 100K- byte file  Give information about the overhead of pretty practical programs

International Symposium on Software Security31 Benchmark 4: echo  A simple echo server that uses socket, bind, listen, accept, recv and send system calls (with 1K-byte buffer)  Measured time spent in sending/receiving 100K-byte data between two machines connected with 100BASE-T  Give information about the overhead under existence of network delay

International Symposium on Software Security32 Overall Result The overhead of memory allocation is large Execution time (msec) succarraysucccpecho With wrappers Without wrappers Overhead (%)

International Symposium on Software Security33 Breakdown of arraysucc PreDecodeCallEncodeTotal Time (msec) proportion(%) Time spent in each phase of arraysucc More than half of wrapper’s execution time is spent in Decoding and Allocation

International Symposium on Software Security34 Breakdown of cp Execution time of each phase of read/write’s wrapper PreDecodeCallEncodeTotal read write Call phase takes most of time due to file access. However, Decoding and Allocation phase takes much time in wrapper’s execution time

International Symposium on Software Security35 Overall Result (again) Execution time (msec) succarraysucccpecho With wrappers Without wrappers Overhead (%) The overhead of echo is very small

International Symposium on Software Security36 Breakdown of echo Time spent in each phase of recv/send system calls Pre/DecodeCallEncodeTotal recv send1405 Under existence of network delay, wrappers’ overhead is relatively small

International Symposium on Software Security37 Discussion  The overhead of Decoding and Allocation is dominant  To reduce this overhead… Omit copying contents of memory block if the block is not read Omit allocating new memory block if the block has the same image as usual C’s one

International Symposium on Software Security38 Related Work  CamlIDL [Leroy 01], H/Direct [Finne et.al. 98] IDL for OCaml and Haskell The syntax of our IDL is based on CamlIDL Pay less attention to safety External function call is not always safe if preconditions do not hold

International Symposium on Software Security39 Related Work  CCured [Necula et.al. 02, Condit et.al. 03] Analyses pointer usage statically and cuts off unnecessary safety checks Two ways to call external functions Tell the compiler which functions are external ones  Cannot check preconditions, cannot deal with memory blocks allocated in external functions Provide wrappers for each external function  Have to write wrappers manually

International Symposium on Software Security40 Future Work  Implementing optimizations  Applying our approach to existing programs As soon as the implementation of Fail-Safe C is complemeted Target: sendmail

International Symposium on Software Security41 Conclusion  We designed an IDL for Fail-Safe C to call external functions safely

International Symposium on Software Security42 Fin

International Symposium on Software Security43 Internal Data Representation of Fail-Safe C  TypeInfo contains typename and handler methods size Data Type name read_word() write_word() Handler methods: Functions that access memory according to the memory block’s type

International Symposium on Software Security44 Why we don’t need to check postconditions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.