Safety in the C programming Language
Peter Wihl, May 26th, 2005
CS 297 Security and Programming Languages
Overall Issue: Safety in C
• Best feature of C:
– Gives programmer access to the lowest levels of the machine
• Worst feature of C:
– Gives programmer access to the lowest levels of the machine
The Problem of Memory Manipulation
• Bad Pointer Arithmetic
• Defining the end of a string, the NULL termination
• Trespassing: When a pointer goes out of its bounds
• “The design of the C programming language encourages programming at the edge of safety.” –A1
The Band Aid Approach
• Create guidelines for the use of the existing language
• Examples:
– DECOS: Dependable Embedded Components and Systems, used in Europe and designed by committee
– DOE-STD-1172-2003: Safety Software Quality guidelines for Nuclear Facilities
– NASA C Programming Style Guide: From Goddard Space Flight Center
– MISRA: Motor Industry Software Reliability Association
The Next Approach
• Create a modification of the C language
– Cyclone
– CCured
Cyclone
• Automatically insert run-time NULL checks when pointers are used
• Defined two new types of pointers:
– Never-NULL pointer
• ‘@’ instead of ‘*’
– Fat pointer
• ‘?’ instead of ‘*’
• permits pointer arithmetic
• ?-pointer represented by an address + bounds
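Added illustration (not part of the slides, and not Cyclone's own implementation): a small C model of the ?-pointer's address + bounds representation, applied to the missing NUL terminator and trespassing problems from the earlier slide. The names fatptr, fat_make, fat_add, fat_get and fat_strlen are assumptions.

```c
#include <stddef.h>

/* Added example, not from the slides: a C model of a Cyclone-style
   ?-pointer, i.e. an address that carries its bounds. Names are assumptions. */
typedef struct {
    const char *base;  /* start of the valid region */
    size_t      len;   /* number of valid bytes from base */
    ptrdiff_t   off;   /* current offset; pointer arithmetic moves this */
} fatptr;

/* Build a fat pointer over a buffer whose size is known at creation. */
fatptr fat_make(const char *buf, size_t len) {
    fatptr p = { buf, len, 0 };
    return p;
}

/* Arithmetic is permitted, as with ?-pointers; the bounds travel along,
   so any later dereference can still be checked. */
fatptr fat_add(fatptr p, ptrdiff_t delta) {
    p.off += delta;
    return p;
}

/* Checked dereference: stores the byte and returns 0, or returns -1
   when the access would trespass outside [base, base + len). */
int fat_get(fatptr p, char *out) {
    if (p.off < 0 || (size_t)p.off >= p.len)
        return -1;
    *out = p.base[p.off];
    return 0;
}

/* strlen through a fat pointer: a missing NUL terminator is reported
   (-1) instead of being read past the end of the buffer. */
long fat_strlen(fatptr p) {
    char c;
    long n = 0;
    for (;;) {
        if (fat_get(p, &c) != 0)
            return -1;       /* reached the bound before any NUL */
        if (c == '\0')
            return n;
        p = fat_add(p, 1);
        n++;
    }
}
```

With a raw `char *`, the unterminated buffer would make `strlen` read past its end; here the bound stops the walk and reports it.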
Cyclone
• Uninitialized pointers: Static analysis to detect them
• Dangling pointers: to prevent dereferencing of a dangling pointer it performs a “region analysis” on the code.
• Freeing memory:
– “growable regions” live on the heap and are accessed through handles.
• Tagged Unions: used to control type-varying arguments; the tags distinguish the cases of the union so that it is known which types are being used in a particular call.
CCured
• Deals only with pointers
• Classifies them in two groups:
• Statically typed pointers
• Dynamically-typed pointers
CCured
• Defines two classes of pointers: static and dynamic
• CCured does not allow these two pointer conditions:
– Cannot have both a dynamically-typed and a statically-typed pointer pointing to the same location
– Cannot have a statically-typed pointer stored in an area pointed to by a dynamic pointer
• Deallocation is handled through built-in garbage collection
CCured: Statically Typed Pointer
• The SEQ (“sequence”) pointer
– Can be used in pointer arithmetic but is required to carry bounds
• The SAFE pointer
– Can be NULL but does not allow for pointer arithmetic
CCured: Dynamically Typed Pointer
• DYN pointer
• Contains two fields, the base and the pointer field
• Base field points to the start of a dynamically typed area that is preceded by a length and followed by tag bits
Possible Problems With These Solutions
• Application level programming vs. system level programming
• Manually setting the address of a data pointer
• Needed for Memory mapped I/O
• Separating regions of code in systems with no OS
An example
• You are writing code for an embedded system with no OS and limited run time environment
• System architecture has two memory maps, boot time and run time.
• Build two separate execution regions:
• Boot and Main
Example (continued)
• …..
• void (*Jump)(void);   /* a pointer to a function taking and returning nothing */
• Jump = 0;             /* point it at address 0x000000 */
• Jump();               /* call through it: control transfers to address 0 */
• What am I doing here?!?! This is evil code!
• (it was written by Justin R. Cutler)
Example (continued)
• This is a soft reset that jumps out of Boot code and goes to the start of Main that is now at address location 0x000000
• Would this be allowed by Cyclone or CCured? Something to talk about or maybe not.
References
• Software Safety Home Page:
– http://www.softwaresafety.net/Guidelines/