
Safety in the C programming Language

Peter Wihl, May 26th, 2005. CS 297 Security and Programming Languages.


Presentation Transcript


  1. Safety in the C programming Language
  Peter Wihl
  May 26th, 2005
  CS 297 Security and Programming Languages

  2. Overall Issue: Safety in C
  • Best feature of C:
    • Gives the programmer access to the lowest levels of the machine
  • Worst feature of C:
    • Gives the programmer access to the lowest levels of the machine

  3. The Problem of Memory Manipulation
  • Bad pointer arithmetic
  • Defining the end of a string: the NULL termination
  • Trespassing: when a pointer goes out of its bounds
  • “The design of the C programming language encourages programming at the edge of safety.” –A1

  4. The Band-Aid Approach
  • Create guidelines for the use of the existing language
  • Examples:
    • DECOS: Dependable Embedded Components and Systems, used in Europe and designed by committee
    • DOE-STD-1172-2003: Safety Software Quality guidelines for nuclear facilities
    • NASA C Programming Style Guide, from Goddard Space Flight Center
    • MISRA: Motor Industry Software Reliability Association

  5. The Next Approach
  • Create a modification of the C language:
    • Cyclone
    • CCured

  6. Cyclone
  • Automatically inserts run-time NULL checks when pointers are used
  • Defines two new types of pointers:
    • Never-NULL pointer: ‘@’ instead of ‘*’
    • Fat pointer: ‘?’ instead of ‘*’
      • Permits pointer arithmetic
      • A ?-pointer is represented by an address + bounds
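As an added illustration of the fat-pointer idea (this is example code written for these notes, not Cyclone's implementation or the deck's own code), the model below carries the object's base and length along with the current offset, so every dereference can be bounds-checked and a NULL base is rejected; the fatptr type and all function names are assumptions of this example.

```c
#include <stddef.h>

/* Constructed model of a Cyclone-style "?" (fat) pointer: the object's
 * base address and length travel with the current offset, so every
 * dereference can be bounds-checked. Names are ours, not Cyclone's. */
typedef struct {
    unsigned char *base; /* start of the pointed-to object (may be NULL) */
    size_t len;          /* number of valid bytes */
    ptrdiff_t off;       /* current position; arithmetic moves only this */
} fatptr;

static fatptr fat_make(void *buf, size_t len) {
    fatptr p = { (unsigned char *)buf, buf ? len : 0, 0 };
    return p;
}

/* Pointer arithmetic is permitted; moving past the end is not an error
 * by itself, only dereferencing there is. */
static fatptr fat_add(fatptr p, ptrdiff_t n) { p.off += n; return p; }

/* The inserted run-time check: NULL base or out-of-bounds offset fails. */
static int fat_in_bounds(fatptr p) {
    return p.base != NULL && p.off >= 0 && (size_t)p.off < p.len;
}

/* Checked reads and writes: 0 on success, -1 on a trespass. */
static int fat_read(fatptr p, int *out) {
    if (!fat_in_bounds(p)) return -1;
    *out = p.base[p.off];
    return 0;
}

static int fat_write(fatptr p, unsigned char v) {
    if (!fat_in_bounds(p)) return -1;
    p.base[p.off] = v;
    return 0;
}

/* strcpy through checked writes: returns bytes copied, or -1 at the first
 * trespass (including a NUL terminator that no longer fits). */
static int fat_strcpy(fatptr dst, const char *src) {
    ptrdiff_t i = 0;
    for (; src[i] != '\0'; i++)
        if (fat_write(fat_add(dst, i), (unsigned char)src[i]) != 0) return -1;
    return fat_write(fat_add(dst, i), 0) == 0 ? (int)i : -1;
}
```

With a plain `char *` the same copy into an eight-byte buffer silently runs past the end; here the write at offset 8 is refused and the caller sees -1.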

  7. Cyclone
  • Uninitialized pointers: static analysis to detect them
  • Dangling pointers: to prevent dereferencing of a dangling pointer, it performs a “region analysis” on the code
  • Freeing memory: “growable regions” live on the heap and are accessed through handles
  • Tagged unions: used to control type-varying arguments; the tags distinguish the cases of the union so the code knows which types are being used in a particular call

  8. CCured
  • Deals only with pointers
  • Classifies them in two groups:
    • Statically typed pointers
    • Dynamically typed pointers

  9. CCured
  • Defines two type classes of pointers: static and dynamic
  • CCured does not allow these two pointer conditions:
    • Cannot have both a dynamically typed and a statically typed pointer pointing to the same location
    • Cannot have a statically typed pointer stored in an area pointed to by a dynamic pointer
  • Deallocation is handled through built-in garbage collection

  10. CCured: Statically Typed Pointers
  • The SEQ (“sequence”) pointer
    • Can be used in pointer arithmetic but is required to carry bounds
  • The SAFE pointer
    • Can be NULL but does not allow pointer arithmetic

  11. CCured: Dynamically Typed Pointer
  • DYN pointer
    • Contains two fields, the base and the pointer field
    • The base field points to the start of a dynamically typed area that is preceded by a length and followed by tag bits

  12. Possible Problems With These Solutions
  • Application-level programming vs. system-level programming
  • Manually setting the address of a data pointer
    • Needed for memory-mapped I/O
    • Separating regions of code in systems with no OS

  13. An Example
  • You are writing code for an embedded system with no OS and a limited run-time environment
  • The system architecture has two memory maps: boot time and run time
  • Build two separate execution regions: Boot and Main

  14. Example (continued)
  • …..
  • void (*Jump)(void);   /* function pointer, so it can be assigned an address */
  • Jump = 0;             /* point it at address 0x000000 */
  • Jump();              /* transfer control there */
  • What am I doing here?!?! This is evil code!
  • (it was written by Justin R. Cutler)

  15. Example (continued)
  • This is a soft reset that jumps out of the Boot code and goes to the start of Main, which is now at address location 0x000000
  • Would this be allowed by Cyclone or CCured? Something to talk about, or maybe not.

  16. References
  • Software Safety Home Page: http://www.softwaresafety.net/Guidelines/
