checked c
play

Checked C Michael Hicks The University of Maryland joint work with - PowerPoint PPT Presentation

Jul 18, 2023 •254 likes •585 views

Checked C Michael Hicks The University of Maryland joint work with David Tarditi (MSR), Andrew Ruef (UMD), Sam Elliott (UW) UM Motivation - Lots of C/C++ code out there. - One open source code indexer (openhub.net) found 8.5 billion lines of C

  1. Checked C Michael Hicks The University of Maryland joint work with David Tarditi (MSR), Andrew Ruef (UMD), Sam Elliott (UW) UM

  2. Motivation - Lots of C/C++ code out there. - One open source code indexer (openhub.net) found 8.5 billion lines of C code. - Huge investment in existing (often unsafe) code - Many approaches “saving C” have been proposed : - Static/dynamic analysis (ASAN, Softbound), fuzzing, OS/HW- level mitigations - Rewrite the code in a type-safe language (Java/Rust…) - New dialects of C (Cyclone, CCured, Deputy, …) 2

  3. Checked C Checked C is another take at making system software written in C more reliable and secure. Approach: - Extend C so that type-safe programs can be written in it. - A new language risks introducing unnecessary differences. - Backward compatible , support incremental conversion of code to be type-safe. - Implement in widely used C compilers (Clang/ LLVM ) - Create automated conversion tools - Hypothesis: most source code behaves in a type-safe fashion. - Evaluate and get real-world use . Iterate based on experience. https://github.com/Microsoft/checkedc https://github.com/Microsoft/checkedc-clang 3

  4. Design Like Cyclone • Making code type safe • Static/dynamic bounds checking for pointers and arrays • Initialization of data, type casts, explicit memory management • No temporal safety enforcement at present (use GC) Unlike Cyclone • Backward compatibility • All pointers binary-compatible (no “fat” pointers) • Strict extension (parsing) of C • Unchecked and checked code can co-exist (e.g., in a function) • The former can use checked types in a looser manner • Can prove a “blame” property that characterizes isolation • Can work with improving hardware designs 4

  5. Clang & LLVM Checked LLVM C's x86 / Clang Analyses x64 / Frontend ARM / Optimizations Analyses Other Assembly LLVM IR Code Generators Generator 5

  6. Pointers T* val = malloc(sizeof(T)); Singleton Pointer ptr<T> val = malloc(sizeof(T)); T* vals = calloc(n, sizeof(T)); T vals[N] = { ... }; Array Pointer array_ptr<T> vals = calloc(n, sizeof(T)); T vals checked[N] = { ... }; 6

  7. Bounds Declarations Declaration Invariant array_ptr<T> p : bounds(l, u) l ≤ p < u array_ptr<T> p : count(n) p ≤ p < p+n array_ptr<T> p : byte_count(n) p ≤ p < (char*)p + n Expressions in bounds(l, u) must be non-modifying - No Assignments or Increments/Decrements - No Calls 7

  8. NUL Terminated Pointers char* str = calloc(n, sizeof(char)); NT Array Pointer char str[N] = { ... }; nt_array_ptr<char> str : count(n-1) = calloc(n, sizeof(char)); char str checked[N+1] = { …, ‘\0’ }; l ≤ p ≤ u && ∃ c ≥ u. *c == ‘\0’ nt_array_ptr<T> p : bounds(l, u) can read *u or write ‘\0’ to it 8

  9. Bounds Expansion size_t my_strlcpy( nt_array_ptr<char> dst: count(dst_sz - 1), nt_array_ptr<char> src, size_t dst_sz) { size_t i = 0; nt_array_ptr<char> s : count(i) = src; while (s[i] != ’\0’ && i < dst_sz - 1) { //bounds on s may expand by 1 dst[i] = s[i]; ++i; } dst[i] = ’\0’; //ok to write to upper bound return i; } 9

  10. Where Dynamic Checks Occur p[n] Pointer Dereference int i = *p; p->field Assignment *p = 0; Compound Assignment *p += 1; Increment/Decrement (*p)++; Elided if the compiler can prove the access is safe 10

  11. Copy data bool echo( int16_t user_length, from user_payload size_t user_payload_len, into new buffer in char *user_payload, resp_t *resp) { resp object char *resp_data = malloc(user_length); Example inspired by resp->payload_buf = resp_data; Heartbleed error resp->payload_buf_len = user_length; // memcpy(resp->payload_buf, user_payload_buf, user_length) for (int i = 0; i < user_length; i++) { resp->payload_buf[i] = user_payload_buf[i]; } return true; } user_length is user_payload_len is typedef struct { size_t payload_len; provided by user from the parser char *payload; // ... } resp_t; 11

  12. Copy data bool echo( int16_t user_length, from user_payload size_t user_payload_len, into new buffer in char *user_payload, resp_t *resp) { resp object char *resp_data = malloc(user_length); resp->payload = resp_data; resp->payload_len = user_length; // memcpy(resp->payload_buf, user_payload_buf, user_length) malloc could fail for (int i = 0; i < user_length; i++) { resp->payload_buf[i] = user_payload_buf[i]; } return true; } user_length is user_payload_len is typedef struct { size_t payload_len; provided by user from the parser char *payload; // ... } resp_t; 12

  13. Copy data bool echo( int16_t user_length, from user_payload size_t user_payload_len, into new buffer in char *user_payload, resp_t *resp) { resp object char *resp_data = malloc(user_length); resp->payload = resp_data; resp->payload_len = user_length; // memcpy(resp->payload, user_payload, user_length) for (size_t i = 0; i < user_length; i++) { resp->payload[i] = user_payload[i]; } return true; } user_length is user_payload_len is typedef struct { size_t payload_len; user_length could be provided by user from the parser char *payload; // ... larger than user_payload_len } resp_t; 13

  14. bool echo( Step 1: int16_t user_length, Manually size_t user_payload_len, array_ptr<char> user_payload, Convert to ptr<resp_t> resp) { Checked Types array_ptr<char> resp_data = malloc(user_length); resp->payload = resp_data; resp->payload_len = user_length; // memcpy(resp->payload, user_payload, user_length) for (size_t i = 0; i < user_length; i++) { resp->payload[i] = user_payload[i]; } return true; } typedef struct { size_t payload_len; array_ptr<char> payload; // ... } resp_t; 14

  15. bool echo( int16_t user_length, size_t user_payload_len, array_ptr<char> user_payload : count(user_payload_len), ptr<resp_t> resp) { array_ptr<char> resp_data : count(user_length) = malloc(user_length); resp->payload = resp_data; resp->payload_len = user_length; Step 2: Manually // memcpy(resp->payload, user_payload, user_length) for (size_t i = 0; i < user_length; i++) { Add Bounds resp->payload[i] = user_payload[i]; Declarations } return true; } typedef struct { size_t payload_len; array_ptr<char> payload : count(payload_len); // ... } resp_t; 15

  16. bool echo( Step 3: int16_t user_length, Compiler Inserts size_t user_payload_len, array_ptr<char> user_payload : count(user_payload_len), Checks Automatically ptr<resp_t> resp) { array_ptr<char> resp_data : count(user_length) = malloc(user_length); dynamic_check(resp != NULL); resp->payload = resp_data; resp->payload_len = user_length; malloc now checked // memcpy(resp->payload, user_payload, user_length) for (size_t i = 0; i < user_length; i++) { dynamic_check(user_payload != NULL); dynamic_check(user_payload <= &user_payload[i]); dynamic_check(&user_payload[i] < user_payload + user_payload_len); dynamic_check(resp->payload != NULL); dynamic_check(resp->payload <= &resp->payload[i]); dynamic_check(&resp->payload[i] < resp->payload + resp->payload_len resp->payload[i] = user_payload[i]; } No Memory Disclosure return true; 16 }

  17. bool echo( Step 3: int16_t user_length, Compiler Inserts size_t user_payload_len, array_ptr<char> user_payload : count(user_payload_len), Checks Automatically ptr<resp_t> resp) { array_ptr<char> resp_data : count(user_length) = malloc(user_length); Code Not Bug-Free: dynamic_check(resp != NULL); Will signal run-time error if either resp->payload = resp_data; resp->payload_len = user_length; malloc now checked - malloc(user_length) fails // memcpy(resp->payload, user_payload, user_length) - user_length > user_payload_len for (size_t i = 0; i < user_length; i++) { dynamic_check(user_payload != NULL); dynamic_check(user_payload <= &user_payload[i]); dynamic_check(&user_payload[i] < user_payload + user_payload_len); But: Vulnerable Executions Prevented dynamic_check(resp->payload != NULL); dynamic_check(resp->payload <= &resp->payload[i]); dynamic_check(&resp->payload[i] < resp->payload + resp->payload_len resp->payload[i] = user_payload[i]; } No Memory Disclosure return true; 17 }

  18. Step 4: bool echo( int16_t user_length, Restrictions on bounds size_t user_payload_len, expressions may allow removal array_ptr<char> user_payload : count(user_payload_len), ptr<resp_t> resp) { array_ptr<char> resp_data : count(user_length) = malloc(user_length); dynamic_check(resp != NULL); resp->payload = resp_data; resp->payload_len = user_length; malloc still checked dynamic_check(user_payload != NULL); dynamic_check(resp->payload != NULL); // memcpy(resp->payload, user_payload, user_length) for (size_t i = 0; i < user_length; i++) { dynamic_check(i <= user_payload_len); resp->payload[i] = user_payload[i]; } return true; } No Memory Disclosure 18

  19. Partially Converted Code - We may not want (or be able) to port all at once - Can use checked types wherever we want - Allows some hard-to-prove-safe idioms - But adds risk void more(int *b, int idx, ptr<int *>out) { int oldidx = idx, c; do { c = readvalue(); b[idx++] = c; //could overflow b? } while (c != 0); *out = b+idx-oldidx; //bad if out corrupted } 19

Recommend

1 The temperature of a supermarket fridge is regularly checked to ensure that it is working

1 The temperature of a supermarket fridge is regularly checked to ensure that it is working

1 The temperature of a supermarket fridge is regularly checked to ensure that it is working correctly. Over a period of three months the temperature (measured in degrees Celsius) is checked 600 times. These temperatures are displayed in the

221 views • 4 slides
I bet someone has checked FB in the last 5 minutes Everyone gets social media, everywhere It has

I bet someone has checked FB in the last 5 minutes Everyone gets social media, everywhere It has

Wheres your phone? Pocket, lap, hand? It is prolly within an easy reach, unless you are one of those people. Always losing it. I bet someone has checked FB in the last 5 minutes Everyone gets social media, everywhere It has changed the way

647 views • 50 slides
Is That Book Checked Out? Getting Holdings and Availability Data into Other Applications Jane

Is That Book Checked Out? Getting Holdings and Availability Data into Other Applications Jane

Is That Book Checked Out? Getting Holdings and Availability Data into Other Applications Jane Sandberg Linn-Benton Community College April 21, 2016 1 / 14 Background Creating a new Discovery Layer Using Blacklight, because its cool!

469 views • 27 slides
A Machine-Checked Theory of Floating Point Arithmetic John Harrison Intel Corporation, EY2-03

A Machine-Checked Theory of Floating Point Arithmetic John Harrison Intel Corporation, EY2-03

A Machine-Checked Theory of Floating Point Arithmetic 1 A Machine-Checked Theory of Floating Point Arithmetic John Harrison Intel Corporation, EY2-03 Introduction to IA-64 and HOL Light Floating point formats Ulps Rounding

254 views • 13 slides
mechanized reasoning favonia 1 2 2 2 checked! 2 Peace of Mind 3 *photo credit:

mechanized reasoning favonia 1 2 2 2 checked! 2 Peace of Mind 3 *photo credit:

mechanized reasoning favonia 1 2 2 2 checked! 2 Peace of Mind 3 *photo credit: voltamax@pixabay Dream Everyone can (easily) check their work in computers 4 Notable Projects Four-color theorem

527 views • 37 slides
A Machine-Checked Formalization of -Protocols eguelin 1 Santiago Zanella-B Gilles Barthe 1

A Machine-Checked Formalization of -Protocols eguelin 1 Santiago Zanella-B Gilles Barthe 1

A Machine-Checked Formalization of -Protocols eguelin 1 Santiago Zanella-B Gilles Barthe 1 Daniel Hedin 1 egoire 2 Sylvain Heraud 2 Benjamin Gr 1 IMDEA Software, Madrid, Spain 2 INRIA Sophia Antipolis - M editerran ee, France

725 views • 51 slides
A Machine-Checked Model of MGU Axioms: Applications of Finite Maps and Functional Induction

A Machine-Checked Model of MGU Axioms: Applications of Finite Maps and Functional Induction

A Machine-Checked Model of MGU Axioms: Applications of Finite Maps and Functional Induction Presented by Sunil Kothari Joint work with Prof. James Caldwell Department of Computer Science, University of Wyoming, USA 23rd International Workshop

807 views • 70 slides
FACADE RECONSTRUCTION HISTORIC PHOTO &amp; CHECKED BY: RM ARCHITECTURE PLANNING INTERIOR

FACADE RECONSTRUCTION HISTORIC PHOTO &amp; CHECKED BY: RM ARCHITECTURE PLANNING INTERIOR

PHOTO 1940s PHOTO 2016 ARCHITECT: PROJECT: DRAWING TITLE: PROJECT NO.: 17003 DATE: 10.24.2017 MISRA &amp; ASSOCIATES P.C. DRAWN BY: MS DWG NO.: FACADE RECONSTRUCTION HISTORIC PHOTO &amp; CHECKED BY: RM ARCHITECTURE PLANNING

358 views • 9 slides
Machine-checked correctness and complexity of a Union-Find implementation Arthur Charguraud

Machine-checked correctness and complexity of a Union-Find implementation Arthur Charguraud

Machine-checked correctness and complexity of a Union-Find implementation Arthur Charguraud Franois Pottier December 16, 2015 1 / 1 Message Lets begin with a demo... Proving correctness and termination is not enough! 2 / 1

782 views • 17 slides
Machine-checked Interpolation Theorems for Substructural Logics using Display Calculi Jeremy E.

Machine-checked Interpolation Theorems for Substructural Logics using Display Calculi Jeremy E.

Machine-checked Interpolation Theorems for Substructural Logics using Display Calculi Jeremy E. Dawson James Brotherston Rajeev Gor e Research School of Computer Science, Australian National University University College London, UK IJCAR,

325 views • 31 slides
Fitting the Pieces Together: A Machine-Checked Model of Safe Composition Benjamin Delaware

Fitting the Pieces Together: A Machine-Checked Model of Safe Composition Benjamin Delaware

Fitting the Pieces Together: A Machine-Checked Model of Safe Composition Benjamin Delaware William Cook Don Batory University of Texas at Austin Safe Composition Features Word Processor has formatting, printing, spell check,

535 views • 37 slides
Presentation Search Results on Alternans at HRS 2013 Presentations per Page Add Checked Selections

Presentation Search Results on Alternans at HRS 2013 Presentations per Page Add Checked Selections

Presentation Search Results on Alternans at HRS 2013 Presentations per Page Add Checked Selections to My Itinerary Select/Clear All 25 Presentation Session Thu, May 9, 2:45 - 3:00 PM Jason D. Bayer, MS, Abstract Session AB02-06 -

528 views • 4 slides
Machine-checked correctness and complexity of a Union-Find implementation Arthur Charguraud

Machine-checked correctness and complexity of a Union-Find implementation Arthur Charguraud

Machine-checked correctness and complexity of a Union-Find implementation Arthur Charguraud Franois Pottier September 8, 2015 1 / 32 The Union-Find data structure: OCaml interface type elem val make : unit -&gt; elem val find : elem

481 views • 37 slides
Adaptive Controls for In-Line Checked Baggage Screening Systems (CBSS) Shalom Dolev and Cathal

Adaptive Controls for In-Line Checked Baggage Screening Systems (CBSS) Shalom Dolev and Cathal

Adaptive Controls for In-Line Checked Baggage Screening Systems (CBSS) Shalom Dolev and Cathal Flynn SecureLogic Corporation, New York, New York, USA Abstract The first principle of risk management is to reduce risk to the lowest affordable

195 views • 6 slides
Mechanically checked proof on Dijkstras shortest path algorithm Qiang Zhang J Moore October

Mechanically checked proof on Dijkstras shortest path algorithm Qiang Zhang J Moore October

Mechanically checked proof on Dijkstras shortest path algorithm Qiang Zhang J Moore October 13, 2004 Oct. 13, 2004 p.1/42 Introduction Dijkstras shortest path algorithm: a classical algorithm to find the shortest path between two

529 views • 42 slides
Welcome to CSSE 220 We are excited that you are here: Hopefully you followed the

Welcome to CSSE 220 We are excited that you are here: Hopefully you followed the

Welcome to CSSE 220 We are excited that you are here: Hopefully you followed the instructions in the welcome email, installed eclipse and checked out the Java intro project Start your computer &amp; Eclipse Pick up a quiz from the

550 views • 18 slides
Attendees Countries Newcomers Newcomers Georgia Russia Ukraine Other attendees Armenia

Attendees Countries Newcomers Newcomers Georgia Russia Ukraine Other attendees Armenia

282 attendees checked in 600 450 300 150 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 1 1 1 1 1 1 1 G G G G G G G G G G G G G G G G O O O O O O O O O O O O O O O O N N N N N N N N N N N N

331 views • 14 slides
1 1. Systems/Areas Likely to be Checked Records to verify accuracy of all data certified by

1 1. Systems/Areas Likely to be Checked Records to verify accuracy of all data certified by

Sanitary Sewer Order Enforcement Updated 5/2013 James Fischer, P.E. Special Investigations Unit State Water Board, Office of Enforcement 1001 I Street, Sacramento, CA 95814 Jim.Fischer@waterboards.ca.gov 1 1. Systems/areas Likely to be

485 views • 11 slides
A D A R K A N D S T O R M Y N I G H T @kiranb Kiran Bhattaram It was a dark and stormy

A D A R K A N D S T O R M Y N I G H T @kiranb Kiran Bhattaram It was a dark and stormy

TA L E S O F O P E R A B I L I T Y A N T I - PA T T E R N S A D A R K A N D S T O R M Y N I G H T @kiranb Kiran Bhattaram It was a dark and stormy night; the rain fell in torrents except at occasional intervals, when it was checked

711 views • 44 slides
Speaking and Presentation Skills I Presentation Skills The following are tips of what a good

Speaking and Presentation Skills I Presentation Skills The following are tips of what a good

LNG 102: Fundamental English II Students Handout Speaking and Presentation Skills Prepared by Napaporn Ngamwilaipong Language Checked by Anthony R. French Speaking and Presentation Skills

531 views • 13 slides
Error processing Errors can occur at compile-time or runtime. Error processing Errors can occur

Error processing Errors can occur at compile-time or runtime. Error processing Errors can occur

ITI 1121. Introduction to Computing II Marcel Turcotte School of Electrical Engineering and Computer Science Version of February 23, 2013 Abstract Handling errors Declaring, creating and handling exceptions Checked and unchecked

1.06k views • 103 slides
National Curriculum Changes The first few slides in this presentation will inform you of the

National Curriculum Changes The first few slides in this presentation will inform you of the

National Curriculum Changes The first few slides in this presentation will inform you of the changes to the curriculum in the core areas. There have been many more changes in other subjects and these can easily be checked by doing a google search

792 views • 52 slides
1 2 A BRIEF INTRODUCTION TO SANDHILLS Where we are | Who we serve Our Schools: 3 within walking

1 2 A BRIEF INTRODUCTION TO SANDHILLS Where we are | Who we serve Our Schools: 3 within walking

1 2 A BRIEF INTRODUCTION TO SANDHILLS Where we are | Who we serve Our Schools: 3 within walking distance; 20+ we serve/outreach to regularly; 6 STEAM-related Magnet Schools Our Library: More items checked-out than any other location, 25,000

745 views • 35 slides
UNIT 2: CONTROL STRUCTURES. IF ELSE, FOR, WHILE TEXT LOGISTICS Lab #3 due Friday - must

UNIT 2: CONTROL STRUCTURES. IF ELSE, FOR, WHILE TEXT LOGISTICS Lab #3 due Friday - must

CS103L SPRING 2017 UNIT 2: CONTROL STRUCTURES. IF ELSE, FOR, WHILE TEXT LOGISTICS Lab #3 due Friday - must go if you havent checked it off yet HW#2 due Thursday - note updated due dates TEXT LEARNING OBJECTIVES Understand

1.01k views • 53 slides

More recommend