dynamically checking types bounds and maybe even more
play

Dynamically checking types, bounds and maybe even more (or: some - PowerPoint PPT Presentation

Dec 11, 2023 •565 likes •863 views

Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Tool wanted (how it all started) if (obj > type == OBJ

  1. Dynamically checking types, bounds and maybe even more (or: “some were meant for C”) Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1

  2. “Tool wanted” (how it all started) if (obj − > type == OBJ COMMIT) { if (process commit(walker, ( struct commit ∗ )obj)) return − 1; return 0; } 2

  3. “Tool wanted” (how it all started) if (obj − > type == OBJ COMMIT) { if (process commit(walker, (struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) 2

  4. “Tool wanted” (how it all started) if (obj − > type == OBJ COMMIT) { if (process commit(walker, (struct commit ∗ )obj)) return − 1; տ ր return 0; CHECK this } (at run time) But also wanted: � binary-compatible � source-compatible � reasonable performance � avoid being C-specific!* * mostly... 2

  5. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends 3

  6. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally 3

  7. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally � $ LD PRELOAD=libcrunch.so ./myprog # does checks 3

  8. The user’s-eye view � $ crunchcc -o myprog ... # + other front-ends � $ ./myprog # runs normally � $ LD PRELOAD=libcrunch.so ./myprog # does checks � myprog: Failed is a internal(0x5a1220, 0x413560 a.k.a. "uint$32") at 0x40dade, allocation was a heap block of int$32 originating at 0x40daa1 3

  9. Fast-forward to 2016 We can do it! � checking casts works pretty well Last year I talked about a bounds checker � also now going pretty well (more shortly) Other new developments: � Clang front-end (Chris Diamand) � generalising the infrastructure to other uses � liballocs core library (see Onward! 2015) Impending tie-ins: Cerberus, CHERI, ... 4

  10. State of play c.2015 � libcrunch pretty good at run-time type checking � supports idiomatic C, source- and binary-compatibly � does not check memory correctness 5

  11. State of play c.2015 � libcrunch pretty good at run-time type checking � supports idiomatic C, source- and binary-compatibly � does not check memory correctness struct { int x; float y; } z; int ∗ x1 = &z.x; // ok int ∗ x2 = ( int ∗ ) &z; // passes check int ∗ y1 = ( int ∗ ) &z.y; // fails ! int ∗ y2 = &z.x + 1; // use SoftBound int ∗ y3 = &((&z.x )[1]); // use SoftBound return &z; // use CETS 5

  12. State of play c.2015 � libcrunch pretty good at run-time type checking � supports idiomatic C, source- and binary-compatibly � does not check memory correctness struct { int x; float y; } z; int ∗ x1 = &z.x; // ok int ∗ x2 = ( int ∗ ) &z; // passes check int ∗ y1 = ( int ∗ ) &z.y; // fails (good)! int ∗ y2 = &z.x + 1; // ∗∗∗ int ∗ y3 = &((&z.x )[1]); // ∗∗∗ return &z; // use CETS 5

  13. Wanted: a bounds checker people might even leave turned on?! Must check bounds! But also � support all common idioms � be precise , not best-effort � very, very few false positives � minimise problems with uninstrumented libraries � option to continue after a reported error � easy to turn on/off � fast Memcheck, ASan, SoftBound all fail at > 1 of these 6

  14. Existing bounds checkers use per-pointer metadata p_base x 3.5 ctr y 8.0 maj 2 min 7 p_e = &my_ellipses[1] x 1.0 ctr y 1.5 ellipse struct ellipse { maj 5 struct point { min 8 double x, y; x 6.5 ctr } ctr; y -2.0 double maj; maj 4 double min; min 4 } my_ellipses[3]; p_limit 7

  15. Existing bounds checkers use per-pointer metadata struct ellipse { x 3.5 ctr struct point { y 8.0 double x, y; maj 2 } ctr; p_base min 7 double maj; p_ d = &p_e->ctr.x x 1.0 double double min; ctr p_limit y 1.5 } my_ellipses[3]; maj 5 min 8 x 6.5 ctr y -2.0 maj 4 min 4 7

  16. Without type information, pointer bounds may lose precision struct ellipse { x 3.5 ctr struct point { y 8.0 double x, y; maj 2 } ctr; p_base min 7 double maj; p_ f = (ellipse*) p_d x 1.0 double min; ctr p_limit y 1.5 } my_ellipses[3]; ellipse maj 5 min 8 x 6.5 ctr y -2.0 maj 4 min 4 8

  17. Given allocation type and pointer type, bounds are implicit x 3.5 ctr y 8.0 maj 2 min 7 p_ e = &my_ellipses[1] x 1.0 ctr y 1.5 ellipse[3] ellipse struct ellipse { maj 5 struct point { min 8 double x, y; x 6.5 ctr } ctr; y -2.0 double maj; maj 4 double min; min 4 } my_ellipses[3]; 9

  18. Given allocation type and pointer type, bounds are implicit x 3.5 ctr y 8.0 maj 2 min 7 p_ d = &p_e->ctr.x x 1.0 double double ctr y 1.5 ellipse[3] struct ellipse { maj 5 struct point { min 8 double x, y; x 6.5 ctr } ctr; y -2.0 double maj; maj 4 double min; min 4 } my_ellipses[3]; 9

  19. Given allocation type and pointer type, bounds are implicit x 3.5 ctr y 8.0 maj 2 min 7 p_ f = (ellipse*) p_d x 1.0 ctr y 1.5 ellipse[3] ellipse struct ellipse { maj 5 struct point { min 8 double x, y; x 6.5 ctr } ctr; y -2.0 double maj; maj 4 double min; min 4 } my_ellipses[3]; 9

  20. The importance of being type-aware (when bounds-checking) struct driver { / ∗ ... ∗ / } ∗ d = / ∗ ... ∗ / ; struct i2c driver { / ∗ ... ∗ / struct driver driver ; / ∗ ... ∗ / } ; #define container of(ptr , type, member) \ ((type ∗ )( ( char ∗ )(ptr) − offsetof(type,member) )) i2c drv = container of(d, struct i2c driver , driver ); 10

  21. The importance of being type-aware (when bounds-checking) struct driver { / ∗ ... ∗ / } ∗ d = / ∗ ... ∗ / ; struct i2c driver { / ∗ ... ∗ / struct driver driver ; / ∗ ... ∗ / } ; #define container of(ptr , type, member) \ ((type ∗ )( ( char ∗ )(ptr) − offsetof(type,member) )) i2c drv = container of(d, struct i2c driver , driver ); SoftBound is oblivious to casts, even though they matter: � bounds of d : just the smaller struct � bounds of the char* : the whole allocation � bounds of i2c drv : the bigger struct If only we knew the type of the storage! 10

  22. Idea: a bounds-checker build on per-allocation type metadata � avoid these false positives � avoid libc wrappers, ... � robust to uninstrumented callers/callees Making it fast: � cache bounds: make pointers “locally fat, globally thin” � only check derivation , not use inline int check derive ptr ( const void ∗∗ p derived, const void ∗ derivedfrom, struct uniqtype ∗ t, libcrunch bounds t ∗ opt derivedfrom bounds); 11

  23. Lots of hacking later: did it work? Mostly! But SoftBound-competitive performance requires � bounds passing via a shadow stack (like SoftBound) � bounds store/load via a shadow space (like SoftBound) ... i.e. still pushing per-pointer metadata around. But! T t = a[i ]; // derive, then immediately use T ∗ t = p + n; // derive (no use) T ∗ t = p − > next − > next − > t; // use (x3) Unlike SoftBound, we check pointer derivations not uses � performance implications go here 12

  24. Trap reps for one-past pointers Use x86-64’s non-canonical addresses � to represent “one-past” addresses � trap if used � de-trap to compare, cast, etc. Massively useful! � tolerate some “pointer stuffing” � (should) support nasty union cases � (should) help “roaming” char* Other arches: reserve n − 1 n of VAS (diagram: Vladsinger, CC-BY-SA 3.0) 13

  25. Other advances on SoftBound � continuing after an error (!) � dealing with casts � staying precise even with uninstrumented libraries � performance on linked-structure-based programs � TBC! good benchmarks, anyone? Next: repetition and reproduction studies on SoftBound � repeating SoftBound results (same code): tricky � reproducing SoftBound results � do SoftBound-identical checks with libcrunch � disjoint infrastructure → reproduction interest 14

  26. Emerging: a safe C that people might actually use?! Likely forthcoming research tie-ins: � Cerberus: formally state what’s being checked � CHERI: multiple bounds checking “personalities” � syscall spec work: syscalls need bounds checks! Safety gap-plugging to do: � easy-ish: unions, memcpy, link-time check � more work: temporal safety (GC, initialization) � roaming pointers, ... Development: � in Clang; in-kernel, other arch/OSes, make world ... 15

  27. How not to feel bad (1) A common view among language-y people: C is bad and you should feel bad if you don’t say it is bad M ay 23, 2016 ∞ I’ve spent a lot of t im e on t his blog point ing out how C and C++ are t o blam e for m ost of t he severe c om put er sec urit y failures w e see on a daily basis. The evidenc e so overw helm ing (and w ell k now n!) t hat in m y ex perienc e even t he m ost rabid C part isans do not c hallenge it . 16

  28. How not to feel bad (2) ... but this view confuses languages with implementations ! What the world really needs is � a safe implementation of C! (and C ++ and...) � not (just) new safe languages or dialects Preserve all of C, including the real good bits � communicating with “aliens”, through memory � it’s not [just] about manual memory management � it’s not really about performance at all 17

Recommend

Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk

Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk

Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Tool wanted if (obj > type == OBJ COMMIT) { if (process commit(walker, ( struct commit )obj))

641 views • 62 slides
Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd Fischer n.grech@ecs.soton.ac.uk Dynamically-typed languages Principal type of a variable is mutated through assignments: def plus2(a): if

1.47k views • 109 slides
INF5110 Compiler Construction Types and type checking Spring 2016 1 / 43 Outline 1. Types

INF5110 Compiler Construction Types and type checking Spring 2016 1 / 43 Outline 1. Types

INF5110 Compiler Construction Types and type checking Spring 2016 1 / 43 Outline 1. Types and type checking Intro Various types and their representation Equality of types Type checking 2 / 43 Outline 1. Types and type checking Intro

1.11k views • 43 slides
Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell

Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell

Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge libcrunch . . . p.1/22 Wanted (naive version): check this! if (obj

281 views • 26 slides
Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam

Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam

Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam Chlipala OSDI 2010 Beyond Code Injection 1.Injection An application includes an Dependent on application-specific unintended run-time program

595 views • 20 slides
ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow stacks page-level protection RELRO protect global ofgset table guard pages around memory allocations/etc. start ASLR choose random addresses

1.1k views • 73 slides
Model Checking Lower Bounds for Simple Graphs Michael Lampis KTH Royal Institute of Technology

Model Checking Lower Bounds for Simple Graphs Michael Lampis KTH Royal Institute of Technology

Model Checking Lower Bounds for Simple Graphs Michael Lampis KTH Royal Institute of Technology July 8th, 2013 Algorithmic Meta-Theorems Positive results Negative results Problem X is tractable. Problem X is hard. Model Checking Lower

912 views • 62 slides
Types and Static Type Checking (Introducing Micro-Haskell) Informatics 2A: Lecture 13 Alex

Types and Static Type Checking (Introducing Micro-Haskell) Informatics 2A: Lecture 13 Alex

Types Micro-Haskell: crash course MH Types & Abstract Syntax Type Checking Types and Static Type Checking (Introducing Micro-Haskell) Informatics 2A: Lecture 13 Alex Simpson School of Informatics University of Edinburgh

574 views • 26 slides
Chapter 7 Arrays Chapter Scope Array declaration and use Bounds checking Arrays as

Chapter 7 Arrays Chapter Scope Array declaration and use Bounds checking Arrays as

Chapter 7 Arrays Chapter Scope Array declaration and use Bounds checking Arrays as objects Arrays of objects Command-line arguments Variable-length parameter lists Multidimensional arrays Java Foundations, 3rd Edition,

628 views • 59 slides
Process-wide type and bounds checking (via an alliance of many language implementations) Stephen

Process-wide type and bounds checking (via an alliance of many language implementations) Stephen

Process-wide type and bounds checking (via an alliance of many language implementations) Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Join me, and together we can rule all the languages

849 views • 70 slides
Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker Types Transform Check safety and

681 views • 67 slides
Type Checking General properties of type systems Types in programming languages

Type Checking General properties of type systems Types in programming languages

Outline Type Checking General properties of type systems Types in programming languages Notation for type rules Logical rules of inference Common type rules 2 Static Checking Static Checking (Cont.) Refers to

896 views • 10 slides
Types for complexity-checking Franc ois Pottier May 20th, 2010 1 / 57 In this talk I would

Types for complexity-checking Franc ois Pottier May 20th, 2010 1 / 57 In this talk I would

Types for complexity-checking Franc ois Pottier May 20th, 2010 1 / 57 In this talk I would like to talk about how to use types for complexity-checking; how to do this in an expressive programming language, such as ML (with

615 views • 57 slides
Lab 7: Code checking tools Background on memory allocation Types of problem Uninitialized

Lab 7: Code checking tools Background on memory allocation Types of problem Uninitialized

Code checking tools Lab 7: Code checking tools Background on memory allocation Types of problem Uninitialized Comp Sci 1585 values Invalid read / write Data Structures Lab: Mis-used delete Tools for Computer Scientists Memory leaks

447 views • 17 slides
Operational Aspects of Type Systems Inter-Derivable Semantics of Type Checking and Gradual Types

Operational Aspects of Type Systems Inter-Derivable Semantics of Type Checking and Gradual Types

Operational Aspects of Type Systems Inter-Derivable Semantics of Type Checking and Gradual Types for Object Ownership Ilya Sergey 14 November 2012 Types A type - is a set of data instances and operations on them true , false boolean =

1.27k views • 86 slides
Colored intersection types: a bridge between linear logic and higher-order model-checking Charles

Colored intersection types: a bridge between linear logic and higher-order model-checking Charles

Colored intersection types: a bridge between linear logic and higher-order model-checking Charles Grellois (joint work with Paul-Andr e Melli` es) PPS & LIAFA Universit e Paris 7 TYPES conference May 18th, 2015 Charles

549 views • 35 slides
Types for complexity-checking Franc ois Pottier January 31, 2011 1 / 57 Contents

Types for complexity-checking Franc ois Pottier January 31, 2011 1 / 57 Contents

Types for complexity-checking Franc ois Pottier January 31, 2011 1 / 57 Contents Introduction Simple analysis Amortized analysis Amortized analysis in a lazy setting Conclusion Bibliography 2 / 57 The traditional use of types

590 views • 57 slides
Tracking Frequent Items Dynamically: Whats Hot and Whats Not Graham Cormode

Tracking Frequent Items Dynamically: Whats Hot and Whats Not Graham Cormode

Tracking Frequent Items Dynamically: Whats Hot and Whats Not Graham Cormode graham@dimacs.rutgers.edu dimacs.rutgers.edu/ ~ graham S. Muthukrishnan muthu@cs.rutgers.edu Outline Problem definition and lower bounds Finding

688 views • 31 slides
Type checking COMP 520 Fall 2010 Type checking (2) The type checker has severals tasks:

Type checking COMP 520 Fall 2010 Type checking (2) The type checker has severals tasks:

COMP 520 Fall 2010 Type checking (1) Type checking COMP 520 Fall 2010 Type checking (2) The type checker has severals tasks: determine the types of all expressions; check that values and variables are used correctly; and resolve

631 views • 30 slides
Global Types for Dynamic Checking of Protocol Conformance of Multi-Agent Systems Davide Ancona,

Global Types for Dynamic Checking of Protocol Conformance of Multi-Agent Systems Davide Ancona,

Global Types for Dynamic Checking of Protocol Conformance of Multi-Agent Systems Davide Ancona, Matteo Barbieri and Viviana Mascardi Universit` a di Genova Italian Conference on Theoretical Computer Science, Varese, September 19-21, 2012 D.

381 views • 36 slides
Chapter 6 Data Types Introduction Type Nomenclature Primitive Types Type

Chapter 6 Data Types Introduction Type Nomenclature Primitive Types Type

Chapter 6 Data Types Introduction Type Nomenclature Primitive Types Type constructors Ordinal Types Structured Types Type Checking Type conversion CSCI325 Chapter 6 Dr Ahmed Rafea 1 Introduction Evolution

367 views • 24 slides
Security aid in producing vulnerability free code (bounds primary topic of the paper for today

Security aid in producing vulnerability free code (bounds primary topic of the paper for today

Security aid in producing vulnerability free code (bounds primary topic of the paper for today protect code from people with access to hardware checking, no-execute bit) aid in producing vulnerability free code (bounds secondary topic of the

193 views • 18 slides
Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive

Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive

Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive Analysis To understand the input computation, a compiler/interpreter need to discover The types of values stored in each variable The types

576 views • 39 slides
Type-checking Linear Dependent Types Arthur Azevedo de Amorim 1 2 Marco Gaboardi 3 Emilio Jess

Type-checking Linear Dependent Types Arthur Azevedo de Amorim 1 2 Marco Gaboardi 3 Emilio Jess

Type-checking Linear Dependent Types Arthur Azevedo de Amorim 1 2 Marco Gaboardi 3 Emilio Jess Gallego Arias 1 Justin Hsu 1 1 University of Pennsylvania 2 INRIA Paris-Rocquencourt 3 University of Dundee 1 2 2 2 Anonymization Movie Ratings

1.07k views • 83 slides

More recommend