Safety in the C programming Language Peter Wihl May 26th, 2005 CS 297 Security and Programming Languages


Page 1: Safety in the C programming Language Peter Wihl May 26 th, 2005 CS 297 Security and Programming Languages.

Safety in the C programming Language

Peter Wihl

May 26th, 2005

CS 297 Security and Programming Languages

Page 2:

Overall Issue: Safety in C

• Best feature of C: gives the programmer access to the lowest levels of the machine

• Worst feature of C: gives the programmer access to the lowest levels of the machine

Page 3:

The Problem of Memory Manipulation

• Bad pointer arithmetic: a pointer is moved by an offset the code never checks against the size of the object

• Defining the end of a string: the NUL (zero-byte) terminator. A missing or overwritten terminator makes every string routine read or write past the end of the buffer

• Trespassing: when a pointer goes out of the bounds of the object it was derived from

• “The design of the C programming language encourages programming at the edge of safety.” –A1
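The three problems on this slide, made explicit in plain C. This is an added example, not code from the slides: the buffers and inputs are constructed for illustration, and the function names (ptr_in_bounds, bounded_copy, checked_sum) are this example's own. Each routine does by hand the check that C itself never performs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not from the slides). Inputs are constructed. */

/* Trespass check for a pointer p derived from the object [base, base+len):
 * is an access of `nbytes` starting at p entirely inside the object?
 * The "one past the end" pointer is legal only for a zero-length access. */
int ptr_in_bounds(const void *base, size_t len, const void *p, size_t nbytes)
{
    uintptr_t b = (uintptr_t)base, e = b + len, q = (uintptr_t)p;
    if (q < b || q > e) return 0;   /* arithmetic already left the object */
    return nbytes <= e - q;         /* no wrap-around: q <= e is known here */
}

/* Bounded string copy. src_size is the size of the buffer holding src; the
 * terminator is searched for only inside that buffer, so an unterminated
 * source is reported instead of being read past its end.
 * Returns the number of characters copied, or -1 on any violation; on
 * failure dst is left as "" so it is still NUL-terminated. */
int bounded_copy(char *dst, size_t dst_size, const char *src, size_t src_size)
{
    size_t n = 0;
    if (dst_size == 0) return -1;
    while (n < src_size && src[n] != '\0') n++;        /* never steps past src_size */
    if (n == src_size) { dst[0] = '\0'; return -1; }    /* no NUL inside src */
    if (n + 1 > dst_size) { dst[0] = '\0'; return -1; } /* would trespass dst */
    memcpy(dst, src, n + 1);                            /* copies the NUL too */
    return (int)n;
}

/* The walk a plain C loop does with a moving pointer, but each step is
 * checked before use: sums `count` bytes starting at offset `start`, and
 * returns -1 at the first byte that would lie outside the object. */
long checked_sum(const unsigned char *base, size_t len, size_t start, size_t count)
{
    const unsigned char *p;
    long sum = 0;
    if (start > len) return -1;          /* do not even form an out-of-object pointer */
    p = base + start;                    /* pointer arithmetic */
    for (size_t i = 0; i < count; i++, p++) {
        if (!ptr_in_bounds(base, len, p, 1)) return -1;   /* trespass */
        sum += *p;
    }
    return sum;
}
```

The point of checked_sum is the one the slide makes about pointer arithmetic: moving the pointer is harmless, it is the dereference at a position the object does not cover that corrupts memory, so the check sits immediately before `*p`, not on the arithmetic.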

Page 4:

The Band Aid Approach

• Create guidelines for the use of the existing language

• Examples:
  – DECOS: Dependable Embedded Components and Systems, used in Europe and designed by committee
  – DOE-STD-1172-2003: Safety Software Quality guidelines for nuclear facilities
  – NASA C Programming Style Guide: from Goddard Space Flight Center
  – MISRA: Motor Industry Software Reliability Association

Page 5:

The Next Approach

• Create a modification of the C language:
  – Cyclone
  – CCured

Page 6:

Cyclone

• Automatically inserts a run-time NULL check when an ordinary (‘*’) pointer is dereferenced

• Defines two new kinds of pointer:
  – Never-NULL pointer
    • ‘@’ instead of ‘*’
    • no NULL check is needed at each use; NULL is rejected when a ‘*’ pointer is converted to ‘@’
  – Fat pointer
    • ‘?’ instead of ‘*’
    • permits pointer arithmetic
    • a ?-pointer is represented by an address plus bounds, so every access through it is bounds-checked
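How an address-plus-bounds pointer behaves in practice, as an added example written in C (not Cyclone's own code or representation): the struct stands in for Cyclone's ‘?’ pointer, and the explicit checks in fat_read and fat_write stand in for the checks the Cyclone compiler inserts implicitly. The type and function names are this example's; the never-NULL ‘@’ pointer is not emulated here.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example (not Cyclone's own code): a C emulation of a Cyclone '?'
 * (fat) pointer to int. The bounds travel with the pointer, so arithmetic
 * is allowed but every dereference is checked against them. */
typedef struct {
    int      *base;  /* start of the object the pointer may access */
    size_t    len;   /* number of int elements in that object */
    ptrdiff_t off;   /* current position; arithmetic moves only this field */
} fat_int_ptr;

/* Make a '?' pointer from an array (Cyclone's array-to-? conversion). */
fat_int_ptr fat_new(int *base, size_t len)
{
    fat_int_ptr p = { base, len, 0 };
    return p;
}

/* p + k: legal on a fat pointer even when the result is out of bounds; the
 * check happens on use, not on the arithmetic, exactly as with '?' pointers. */
fat_int_ptr fat_add(fat_int_ptr p, ptrdiff_t k)
{
    p.off += k;
    return p;
}

/* *p as an rvalue: 0 on success with the value in *out, -1 on a bounds
 * violation (where Cyclone raises an exception instead of touching memory). */
int fat_read(fat_int_ptr p, int *out)
{
    if (p.off < 0 || (size_t)p.off >= p.len) return -1;
    *out = p.base[p.off];
    return 0;
}

/* *p = v, with the same check. */
int fat_write(fat_int_ptr p, int v)
{
    if (p.off < 0 || (size_t)p.off >= p.len) return -1;
    p.base[p.off] = v;
    return 0;
}

/* The classic overrun idiom: a caller-supplied count that is too large.
 * With a plain int* the loop reads past the array; with a fat pointer the
 * first out-of-bounds read is refused and the function reports it. */
int fat_sum(fat_int_ptr p, size_t count, long *sum)
{
    long acc = 0;
    for (size_t i = 0; i < count; i++) {
        int v;
        if (fat_read(fat_add(p, (ptrdiff_t)i), &v) != 0) return -1;
        acc += v;
    }
    *sum = acc;
    return 0;
}
```

Note what the representation costs: a ‘?’ pointer is three words instead of one, and each access pays a compare, which is why Cyclone also keeps the cheaper ‘*’ and ‘@’ forms for code that does no arithmetic.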

Page 7:

Cyclone

• Uninitialized pointers: static analysis (definite-assignment checking) rejects a pointer that may be used before it is assigned

• Dangling pointers: to prevent dereferencing a pointer to freed or out-of-scope memory, Cyclone performs a “region analysis” on the code

• Freeing memory:
  – “growable regions” live on the heap and are accessed through handles; a region is freed as a whole, not object by object

• Tagged unions: used to control type-varying arguments; the tags distinguish the cases of the union, so the callee knows which type is being used in a particular call

Page 8:

CCured

• Deals only with pointers

• Classifies them in two groups:
  – Statically typed pointers
  – Dynamically typed pointers

Page 9:

CCured

• Defines two classes of pointers: static and dynamic

• CCured does not allow either of these two pointer conditions:
  – A dynamically typed pointer and a statically typed pointer pointing to the same location
  – A statically typed pointer stored in an area pointed to by a dynamic pointer

• Deallocation is handled through built-in garbage collection, so memory is never reclaimed while a pointer to it can still be used

Page 10:

CCured: Statically Typed Pointers

• The SEQ (“sequence”) pointer
  – Can be used in pointer arithmetic but is required to carry bounds

• The SAFE pointer
  – Can be NULL but does not allow pointer arithmetic; only a NULL check is needed at dereference

Page 11:

Page 12:

CCured: Dynamically Typed Pointer

• DYN pointer

• Contains two fields: the base and the pointer field

• The base field points to the start of a dynamically typed area that is preceded by a length and followed by tag bits; the length bounds every access made through the pointer field, and the tag bits record which words of the area currently hold pointers, so an integer written into the area cannot later be read back as a pointer
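The layout this slide describes, emulated in C as an added example (not CCured's own code or exact representation). The header, tag placement and the rule that a stored pointer occupies two tagged words are this example's choices, made to match the description above; the function names are its own. dyn_add moves only the pointer field, so the length and tags remain reachable through the base for every later access.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Added example (not CCured's own code): a C emulation of the DYN pointer
 * and the dynamically typed area it points into. Layout (this example's):
 *   base[-1]          length of the area in words
 *   base[0 .. len-1]  the data words
 *   base[len ..]      tag bits, one per data word (1 = word is part of a pointer)
 * A stored pointer occupies two words (base, p) and both are tagged. */
#define WORD_BITS (sizeof(uintptr_t) * 8)

typedef struct {
    uintptr_t *base;  /* start of the area; length and tags are found from it */
    uintptr_t *p;     /* the actual pointer; arithmetic moves only this field */
} dyn_ptr;

static size_t dyn_len(dyn_ptr d) { return (size_t)d.base[-1]; }
static uintptr_t *dyn_tags(dyn_ptr d) { return d.base + dyn_len(d); }

static int get_tag(dyn_ptr d, size_t i)
{ return (int)((dyn_tags(d)[i / WORD_BITS] >> (i % WORD_BITS)) & 1); }

static void set_tag(dyn_ptr d, size_t i, int bit)
{
    uintptr_t mask = (uintptr_t)1 << (i % WORD_BITS);
    if (bit) dyn_tags(d)[i / WORD_BITS] |= mask;
    else     dyn_tags(d)[i / WORD_BITS] &= ~mask;
}

/* Allocate a zeroed area of `len` words plus its length header and tag words. */
dyn_ptr dyn_alloc(size_t len)
{
    size_t tag_words = (len + WORD_BITS - 1) / WORD_BITS;
    uintptr_t *mem = calloc(1 + len + tag_words, sizeof(uintptr_t));
    dyn_ptr d = { NULL, NULL };
    if (mem == NULL) return d;
    mem[0] = (uintptr_t)len;
    d.base = d.p = mem + 1;
    return d;
}

void dyn_free(dyn_ptr d) { if (d.base) free(d.base - 1); }

/* Pointer arithmetic on the pointer field only; the base stays put. */
dyn_ptr dyn_add(dyn_ptr d, ptrdiff_t k) { d.p += k; return d; }

/* Index of p within the area, or -1 if an access of n words would trespass. */
static ptrdiff_t dyn_index(dyn_ptr d, size_t n)
{
    ptrdiff_t i = d.p - d.base;
    if (i < 0 || (size_t)i + n > dyn_len(d)) return -1;
    return i;
}

/* Storing an integer clears the tag: it can never be read back as a pointer. */
int dyn_write_int(dyn_ptr d, uintptr_t v)
{
    ptrdiff_t i = dyn_index(d, 1);
    if (i < 0) return -1;
    d.p[0] = v;
    set_tag(d, (size_t)i, 0);
    return 0;
}

int dyn_read_int(dyn_ptr d, uintptr_t *out)
{
    if (dyn_index(d, 1) < 0) return -1;
    *out = d.p[0];
    return 0;
}

/* Storing a pointer writes both words and tags both of them. */
int dyn_write_ptr(dyn_ptr d, dyn_ptr v)
{
    ptrdiff_t i = dyn_index(d, 2);
    if (i < 0) return -1;
    d.p[0] = (uintptr_t)v.base;
    d.p[1] = (uintptr_t)v.p;
    set_tag(d, (size_t)i, 1);
    set_tag(d, (size_t)i + 1, 1);
    return 0;
}

/* Reading a pointer requires both tags: a forged or half-overwritten pointer is refused. */
int dyn_read_ptr(dyn_ptr d, dyn_ptr *out)
{
    ptrdiff_t i = dyn_index(d, 2);
    if (i < 0 || !get_tag(d, (size_t)i) || !get_tag(d, (size_t)i + 1)) return -1;
    out->base = (uintptr_t *)d.p[0];
    out->p    = (uintptr_t *)d.p[1];
    return 0;
}
```

The case worth trying is the last one in the test: a pointer is stored at word 1, then an integer is written over word 2. The write succeeds (it is in bounds), but it clears that word's tag, so the next attempt to read the pointer at word 1 is refused. That is the property the tag bits buy: memory can be reinterpreted through a DYN pointer, but not turned into a pointer by writing integers.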

Page 13:

Page 14:

Possible Problems With These Solutions

• Application-level programming vs. system-level programming

• Manually setting the address of a data pointer
  – Needed for memory-mapped I/O

• Separating regions of code in systems with no OS

Page 15:

An example

• You are writing code for an embedded system with no OS and a limited run-time environment

• The system architecture has two memory maps, boot time and run time

• Build two separate execution regions: Boot and Main

Page 16:

Example (continued)

• …..

    void (*Jump)(void);   /* a function pointer; the slide's "void *Jump(void)" declares a function, which cannot be assigned to */
    Jump = 0;             /* point it at address 0x000000 */
    Jump();               /* call through it: control goes to whatever code sits at address 0 */

• What am I doing here?!?! This is evil code!

• (it was written by Justin R. Cutler )

Page 17:

Example (continued)

• This is a soft reset that jumps out of the Boot code and goes to the start of Main, which is now at address location 0x000000

• Would this be allowed by Cyclone or CCured? Something to talk about, or maybe not. Both insert a NULL check before a pointer is used, and a function pointer holding 0 is exactly what that check rejects, so the call would fail at run time rather than jump, unless the language offers an explicit unchecked escape for code like this.

Page 18:

References

• Software Safety Home Page: http://www.softwaresafety.net/Guidelines/