Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cyclone: A safe dialect of C

Published byFelicity Burke Modified over 5 years ago

Similar presentations

Presentation on theme: "Cyclone: A safe dialect of C"— Presentation transcript:

1 Cyclone: A safe dialect of C
Trevor Jim Greg Morrisett Dan Grossman Michael Hicks James Cheney Yanling Wang

2 Overview Introduction From C to Cyclone Implementation Design History
Conclusion/Questions

3 Introduction “Common errors that cause vulnerabilities — buffer overflows, poor handling of unexpected types and amounts of data — are well understood. Unfortunately, features still seem to be valued more highly among manufacturers than reliability.” When dealing with security it is common to see this quote . The quote leads us to believe violations can be prevented by changing priorities But many reasons safety violations occur so often in C is more than poor training it is due to the roots to the design of C itself We learn about buffer overflows in all programming classes yet this is still a huge issue. There are fundamental reasons for this that have to do with the design of C. The next slide will name a few common practices that can cause vulnerabilities.

4 Introduction Safety violations that occur in C
Buffer overflows in C can be caused by bad pointer arithmetic C uses Null-terminating strings Out-of-bounds pointers are commonplace in C An off by one error can cause a buffer overflow and its hard to train people to completely eliminate off by one errors Null terminating strings are important for efficiency, but the null terminator can be overwritten and this could cause a buffer overflow Out of bound pointers occur quite frequently when working with arrays We determine the end of an array by placing the pointer right past the end. Since this is common it is expected that occasionally it will be dereferenced or assigned.

5 Introduction Cyclone allows for safety while retaining C’s syntax and semantics Has been in development for 2 years Designed from the ground up for: Prevention of buffer overflows Format string attacks Memory management errors 110,000 lines 35,000 for the compiler 15,000 for supporting libraries Looking at safety violations enabled by C and how Cyclone avoids them Cyclone allows for safety without giving up C’s control of data representation and memory management It allows for developers to not have to switch to a high level language Developing cyclone to have the safety guarantee of Java while keeping C’s syntax, semantics, and idioms intact. Cyclone is freely available. The compiler and accompanying tools are licensed under GNU Now we will look at how Cyclone was developed

6 From C to Cyclone Similarities Differences It uses C processor
Follows C’s lexical convention and grammar Same data representation as C Differences Cyclone performs a static analysis on code Inserts run-time checks Rejects some programs that C might compile Similarities arrays, pointers, enumerations, unions, structures Differences the run time checks into the compiled output at places where the analysis can’t determine that an operation is safe some safe programs will be rejected during this process

7 From C to Cyclone Restrictions
Null checks are inserted to prevent segmentation faults Pointer arithmetic is restricted Dangling pointers are prevented through region analysis and limitations on free Only “safe casts’ and unions are allowed Setjmp and longjmp are not supported Switch labels in different scopes are disallowed These are just some of the restrictions that are imposed to c to preserve safety. The best results are to use more than one technique. Other projects have also tried applying add-ons to C so they are seldom used in production. Cyclone makes safety the default.

8 From C to Cyclone Extensions
Never-Null pointers do not require Null checks Tagged unions support type-varying arguments Injections help automate the use of tagged unions for programmers Polymorphism replaces some use of void * Exceptions replace some uses of setjmp and longjmp These are some of the extensions that are imposed in Cyclone to make C safer

9 From C to Cyclone The free function in C can create dangling pointers
The following is a code example Region h { int *x = rmalloc(h.sizeof(int)); int ?y = rnew(h) {1, 2, 3}; char ?z = rprintf(h, “hello”); } The article gives multiple examples, but we will just go over Free To prevent this Cyclone uses growable regions the following code is an example of how the regions are created Also this way cyclone can deallocate the entire region at one time when exiting The regions are also growable that way the memory doesn’t run out In the example x is initiallized as a pointer to an int size of memory Rnew creates an array y in the region x Rprintf creates buffer pointed to by z to store information

10 From C to Cyclone Rmalloc – works like malloc but allocates into a region of the handle Rnew – allocates and initializes a single step Rprintf – creates a buffer then prints formatted information to that buffer Handles can be passes to library functions Cyclone is one of the few programming languages that has safe memory management without using a garbage collector

11 Implementation Cyclone compiler implemented 35,000 lines of Cyclone
Consists of a parser Static analysis phase And a simple translator Uses gcc as a backend Have built in utilities Memory profiler Another tool that was built in also includes documentation generation

12 Implementation Benchmarks Ease of Porting
Table shows that much of a significant difference between C and Cyclone Ease of Porting Created cyclone so existing C code can be easily ported Fewer than 10% of the lines needed to be changed to port the benchmarks

13 Implementation Performance Safety Non-web benchmarks
Mean and median same Standard deviation was at most 2% of the mean Near zero over-head for I/O bound applications Factor of three slower than C for computationally-intensive benchmarks Safety Found array bound violations in three benchmarks when C was ported to Cyclone Also have seen a slow down of a factor of six for operations involving pointer arithmetic

14 Design History Began as an offshoot of TAL
Designed Popcorn to use with it Cyclone a rework of Popcorn From learning’s made some notable mistakes and changes Supported arrays with a type array<t> not a fat pointer Didn’t understand the importance of Null-terminated strings TAL- Typed Assembly Language ensured safety at the machine code level. Popcorn was a C like language that was used as the front end and built a compiler to translate it. They did this with an two agendas to further understand low-level safety and to gain outside adopters Converting C code to use array<t> was painful, so abandoned it and started using fat pointers. This made it easier to port C code requiring only a few changes. Came to understand how important Nul is to efficiency (memory reuse). So changed string library to match C’s

15 Conclusion Questions ? Cyclone a dialect of C that provides safety
Cyclone uses static analysis and run-time checks to prevent safety violations Tries to accommodate C’s style of low-level programming Questions ?

Download ppt "Cyclone: A safe dialect of C"

Similar presentations

The C ++ Language BY Shery khan. The C++ Language Bjarne Stroupstrup, the language’s creator C++ was designed to provide Simula’s facilities for program.

The C ++ Language BY Shery khan. The C++ Language Bjarne Stroupstrup, the language’s creator C++ was designed to provide Simula’s facilities for program.
Dynamic Memory Management

Dynamic Memory Management
The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.

The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Two alternatives of C: Cyclone and Vault Keami Hung February 01, 2007.

Two alternatives of C: Cyclone and Vault Keami Hung February 01, 2007.
Various languages….  Could affect performance  Could affect reliability  Could affect language choice.

Various languages….  Could affect performance  Could affect reliability  Could affect language choice.
Aalborg Media Lab 21-Jun-15 Software Design Lecture 1 “ Introduction to Java and OOP”

Aalborg Media Lab 21-Jun-15 Software Design Lecture 1 “ Introduction to Java and OOP”
Run time vs. Compile time

Run time vs. Compile time
CS 61C L03 C Arrays (1) A Carle, Summer 2005 © UCB inst.eecs.berkeley.edu/~cs61c/su05 CS61C : Machine Structures Lecture #3: C Pointers & Arrays 2005-06-22.

CS 61C L03 C Arrays (1) A Carle, Summer 2005 © UCB inst.eecs.berkeley.edu/~cs61c/su05 CS61C : Machine Structures Lecture #3: C Pointers & Arrays
Arrays and Pointers in C Alan L. Cox

Arrays and Pointers in C Alan L. Cox
From C++ to C#. Web programming The course is on web programming using ASP.Net and C# The course is on web programming using ASP.Net and C# ASP.Net is.

From C++ to C#. Web programming The course is on web programming using ASP.Net and C# The course is on web programming using ASP.Net and C# ASP.Net is.
Safety in the C programming Language Peter Wihl May 26 th, 2005 CS 297 Security and Programming Languages.

Safety in the C programming Language Peter Wihl May 26 th, 2005 CS 297 Security and Programming Languages.
CENG 311 Machine Representation/Numbers

CENG 311 Machine Representation/Numbers
EECE 310: Software Engineering Lecture 2: Understanding Objects in Java and Types.

EECE 310: Software Engineering Lecture 2: Understanding Objects in Java and Types.
COP4020 Programming Languages

COP4020 Programming Languages
Java Introduction Lecture 1. Java Powerful, object-oriented language Free SDK and many resources at

Java Introduction Lecture 1. Java Powerful, object-oriented language Free SDK and many resources at
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.

Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
Hello.java Program Output 1 public class Hello { 2 public static void main( String [] args ) 3 { 4 System.out.println( “Hello! ); 5 } // end method main.

Hello.java Program Output 1 public class Hello { 2 public static void main( String [] args ) 3 { 4 System.out.println( “Hello!" ); 5 } // end method main.
We will talking about story of JAVA language. By Kristsada Songpartom.

We will talking about story of JAVA language. By Kristsada Songpartom.
Combining Garbage Collection and Safe Manual Memory Management Michael Hicks University of Maryland, College Park Joint work with Greg Morrisett - Harvard,

Combining Garbage Collection and Safe Manual Memory Management Michael Hicks University of Maryland, College Park Joint work with Greg Morrisett - Harvard,

Similar presentations

Ads by Google