Presentation is loading. Please wait.

Presentation is loading. Please wait.

Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Type-Safe Programming in C George Necula EECS Department University of California, Berkeley."— Presentation transcript:

1 Type-Safe Programming in C George Necula EECS Department University of California, Berkeley

2 George Necula - CHESS Kickoff Meeting 11/14/022 Why Memory Safety ? The most basic safety property –Ensures isolation of component failures All programs must have it –Does not even need an explicit specification Most program analyses are unsound without it 50% of security errors are due to buffer overruns

3 George Necula - CHESS Kickoff Meeting 11/14/023 C and Memory Safety A large part of embedded software is written in C C was designed with flexibility and efficiency in mind –Has many operators that can be used in an unsafe way –Memory safety is sacrificed But… Many C programs use unsafe operators safely In the remaining C programs there are only small portions which are responsible for unsafe behavior

4 George Necula - CHESS Kickoff Meeting 11/14/024 CCured Idea 1.Devise a program analysis that discovers the safe uses of potentially unsafe operators 2.Insert run-time checks (e.g. array-bounds checks) in those places where safety cannot be statically verified This way we sacrifice performance instead of safety –Goal: 0-30% performance penalty –Performance improves with hardware progress. Unlike safety!

5 George Necula - CHESS Kickoff Meeting 11/14/025 Checkable Errors Array bounds checks –Pointer arithmetic outside of object bounds –Not always caught by Purify Dereferencing a non-pointer (or NULL) –Complicated by casts and union types Freeing non-pointers, using freed memory

6 George Necula - CHESS Kickoff Meeting 11/14/026 Kinds of Pointers Many pointers are completely “safe” –No bad casts, no arithmetic, etc. –e.g., FILE * fin = fopen(“input”, “r”); –These can be represented without any extra information (just a NULL check when used) Other pointers are involved in pointer arithmetic but not in bad casts –Must carry bounds with them for bounds checking Other pointers cannot be typed statically –Must carry type information with them

7 George Necula - CHESS Kickoff Meeting 11/14/027 Static Analysis and Inference For every pointer in the program –Try to infer the “fastest” sound representation –This is like eliminating classes of run-time checks we know will never fail Can be formulated as constraint-solving –Linear-time whole-program algorithm –Can be modularized if the interfaces are annotated Proved sound Extremely simple, fast and predictable

8 George Necula - CHESS Kickoff Meeting 11/14/028 Experimental Results We have a working prototype –Handles the complete ANSI C and gcc extensions –Used on programs up to 1M lines of code –Used on low level code Experimented with –SPEC95 –Linux device drivers –Apache modules –Network applications: sendmail, openssl, bind, ftpd Found new bugs –Bugs that Purify missed Slowdown: 10-80% (with an average at 50%) Typically 70% of the pointers are found safe

9 George Necula - CHESS Kickoff Meeting 11/14/029 Conclusion C programs are “mostly” type safe –A static analysis can figure this out C programs can be made provable type safe –Use run-time checking where static analysis fails Safe native methods for Java and C# The performance cost is acceptable in some cases More work is required to reduce the cost –Code size, data size, running time Try it out: http://www.cs.berkeley.edu/~necula/ccured

Download ppt "Type-Safe Programming in C George Necula EECS Department University of California, Berkeley."

Similar presentations

CHECKING MEMORY SAFETY AND TEST GENERATION USING B LAST By: Pashootan Vaezipoor Computing Science Dept of Simon Fraser University.

CHECKING MEMORY SAFETY AND TEST GENERATION USING B LAST By: Pashootan Vaezipoor Computing Science Dept of Simon Fraser University.
- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.

- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.
The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.

The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.
Exception Handling. Background In a perfect world, users would never enter data in the wrong form, files they choose to open would always exist, and code.

Exception Handling. Background In a perfect world, users would never enter data in the wrong form, files they choose to open would always exist, and code.
Java Applet Security Diana Dong CS 265 Spring 2004.

Java Applet Security Diana Dong CS 265 Spring 2004.
01/05/2015Leiden Institute of Advanced Computer Science 1 The Open Kernel Environment - spinning Linux - Herbert Bos Bart Samwel

01/05/2015Leiden Institute of Advanced Computer Science 1 The Open Kernel Environment - spinning Linux - Herbert Bos Bart Samwel
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.

Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
Software Engineering-II Sir zubair sajid. What’s the difference? Verification – Are you building the product right? – Software must conform to its specification.

Software Engineering-II Sir zubair sajid. What’s the difference? Verification – Are you building the product right? – Software must conform to its specification.
Exception Handling Xiaoliang Wang, Darren Freeman, George Blank.

Exception Handling Xiaoliang Wang, Darren Freeman, George Blank.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.

Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.
Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.

Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.
Discovering Affine Equalities Using Random Interpretation Sumit Gulwani George Necula EECS Department University of California, Berkeley.

Discovering Affine Equalities Using Random Interpretation Sumit Gulwani George Necula EECS Department University of California, Berkeley.
The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.

The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.
Korey Breshears. Overview  What are automated security tools?  Why do we need them?  What types of tools are there?  What problems do these tools.

Korey Breshears. Overview  What are automated security tools?  Why do we need them?  What types of tools are there?  What problems do these tools.
Introduction The Approach ’ s Overview A Language of Pointers The Type System Operational Semantics Type Safety Type Inference The Rest of C Experiments.

Introduction The Approach ’ s Overview A Language of Pointers The Type System Operational Semantics Type Safety Type Inference The Rest of C Experiments.
Strength Through Typing: A more powerful dependently-typed assembly language Matt Harren George Necula OSQ 2004.

Strength Through Typing: A more powerful dependently-typed assembly language Matt Harren George Necula OSQ 2004.
Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,

Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
1 Efficient Memory Safety for TinyOS Nathan Cooprider Will Archer Eric Eide David Gay † John Regehr University of Utah School of Computing † Intel Research.

1 Efficient Memory Safety for TinyOS Nathan Cooprider Will Archer Eric Eide David Gay † John Regehr University of Utah School of Computing † Intel Research.

Similar presentations

Ads by Google