Abstract
We describe flow-insensitive type qualifiers, a lightweight, practical mechanism for specifying and checking properties not captured by traditional type systems. We present a framework for adding new, user-specified type qualifiers to programming languages with static type systems, such as C and Java. In our system, programmers add a few type qualifier annotations to their program, and automatic type qualifier inference determines the remaining qualifiers and checks the annotations for consistency. We describe a tool CQual for adding type qualifiers to the C programming language. Our tool CQual includes a visualization component for displaying browsable inference results to the programmer. Finally, we present several experiments using our tool, including inferring const qualifiers, finding security vulnerabilities in several popular C programs, and checking initialization data usage in the Linux kernel. Our results suggest that inference and visualization make type qualifiers lightweight, that type qualifier inference scales to large programs, and that type qualifiers are applicable to a wide variety of problems.
- Abadi, M., Banerjee, A., Heintze, N., and Riecke, J. G. 1999. A core calculus of dependency. In Proceedings of the 26th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Language (San Antonio, TX). ACM, New York, 147--160.]] Google Scholar
- Aiken, A., Foster, J. S., Kodumal, J., and Terauchi, T. 2003. Checking and inferring local non-aliasing. In Proceedings of the 2003 ACM SIGPLAN Conference on Programming Language Design and Implementation (San Diego, CA). ACM, New York, 129--140.]] Google Scholar
- Ansi 1989. Rationale for American National Standard for Information Systems---Programming Language---C. ANSI. Associated with ANSI standard X3.159-1989.]]Google Scholar
- Ansi 1999. Programming languages---C. ANSI/ISO/IEC 9899:1999.]]Google Scholar
- Bailleux, C. 2000. More security problems in bftpd-1.0.12. BugTraq Mailing List. http://www.securityfocus.com/archive/1/149977.]]Google Scholar
- Ball, T., Naik, M., and Rajamani, S. K. 2003. From symptom to cause: Localizing errors in counterexample traces. In Proceedings of the 30th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (New Orleans, LA), ACM, New York, 97--105.]] Google Scholar
- Ball, T. and Rajamani, S. K. 2001. Automatically validating temporal safety properties of interfaces. In Proceedings of the 8th International SPIN Workshop on Model Checking of Software. Lecture Notes in Computer Science, vol. 2057, Springer-Verlag, New York, 103--122.]] Google Scholar
- Ball, T. and Rajamani, S. K. 2002. The SLAM project: Debugging system software via static analysis. In Proceedings of the 29th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (Portland, OR). ACM, New York, 1--3.]] Google Scholar
- Bishop, M. and Dilger, M. 1996. Checking for race conditions in file accesses. Comput. Syst. 2, 2, 131--152.]]Google Scholar
- Broadwell, P., Harren, M., and Sastry, N. 2003. Scrash: A system for generating secure crash information. In Proceedings of the 12th Usenix Security Symposium (Washington, DC).]] Google Scholar
- Bush, W. R., Pincus, J. D., and Sielaff, D. J. 2000. A static analyzer for finding dynamic programming errors. Softw.---Pract. Exper. 30, 7 (June), 775--802.]] Google Scholar
- Cert. 2001. CERT Advisory CA-2001-19 “Code Red” worm exploiting buffer overflow In IIS indexing service DLL. http://www.cert.org/advisories/CA-2001-19.html.]]Google Scholar
- Chandra, S. and Reps, T. W. 1999. Physical type checking for C. In Proceedings of the ACM SIGPLAN/SIGSOFT Workshop on Program Analysis for Software Tools and Engineering (Toulouse, France). ACM, New York, 66--75.]] Google Scholar
- Chin, B., Markstrum, S., and Millstein, T. 2005. Semantic type qualifiers. In Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation (Chicago, IL). ACM, New York.]] Google Scholar
- Cousot, P. and Cousot, R. 1977. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proceedings of the 4th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. ACM, New York, 238--252.]] Google Scholar
- Cowan, C., Barringer, M., Beattie, S., and Kroah-Hartman, G. 2001. FormatGuard: Automatic protection from print format string vulnerabilities. In Proceedings of the 10th Usenix Security Symposium (Washington, DC).]] Google Scholar
- Das, M., Lerner, S., and Seigle, M. 2002. ESP: Path-sensitive program verification in polynomial time. In Proceedings of the 2002 ACM SIGPLAN Conference on Programming Language Design and Implementation (Berlin, Germany). ACM, New York, 57--68.]] Google Scholar
- Das, M., Liblit, B., Fähndrich, M., and Rehof, J. 2001. Estimating the impact of scalable pointer analysis on optimization. In Static Analysis, Eighth International Symposium (Paris, France), P. Cousot, Ed. Lecture Notes in Computer Science, vol. 2126. Springer-Verlag, New York.]] Google Scholar
- Davey, B. A. and Priestley, H. A. 1990. Introduction to Lattices and Order. Cambridge University Press.]]Google Scholar
- DeKok, A. 2000. PScan: A limited problem scanner for C source files. http://www.striker.ottawa.on.ca/~aland/pscan.]]Google Scholar
- DeLine, R. and Fähndrich, M. 2001. Enforcing high-level protocols in low-level software. In Proceedings of the 2001 ACM SIGPLAN Conference on Programming Language Design and Implementation (Snowbird, UT). ACM, New York, 59--69.]] Google Scholar
- Denning, D. E. 1976. A lattice model of secure information flow. Commun. ACM 19, 5 (May), 236--243.]] Google Scholar
- Detlefs, D. L., Leino, K. R. M., Nelson, G., and Saxe, J. B. 1998. Extended static checking. Tech. Rep. 159, Compaq Systems Research Center. Dec.]]Google Scholar
- Dussart, D., Henglein, F., and Mossin, C. 1995. Polymorphic recursion and subtype qualifications: Polymorphic binding-time analysis in polynomial time. In Static Analysis, Second International Symposium (Glasgow, Scotland), A. Mycroft, Ed. Lecture Notes in Computer Science, vol. 983. Springer-Verlag, New York, 118--135.]] Google Scholar
- Eifrig, J., Smith, S., and Trifonov, V. 1995. Type inference for recursively constrained types and its application to OOP. In Mathematical Foundations of Programming Semantics, Eleventh Annual Conference. Electronic Notes in Theoretical Computer Science, vol. 1. Elsevier-North Holland, Amsterdam, The Netherlands.]]Google Scholar
- Engler, D., Chelf, B., Chou, A., and Hallem, S. 2000. Checking system rules using system-specific, programmer-written compiler extensions. In Proceedings of the 4th Symposium on Operating System Design and Implementation (San Diego, CA).]] Google Scholar
- Evans, D. 1996. Static detection of dynamic memory errors. Proceedings of the 1996 ACM SIGPLAN Conference on Programming Language Design and Implementation (Philadelphia, PA). ACM, New York, 44--53.]] Google Scholar
- Fähndrich, M. 1999. BANE: A library for scalable constraint-based program analysis. Ph.D. thesis, University of California, Berkeley.]]Google Scholar
- Fähndrich, M. and DeLine, R. 2002. Adoption and focus: Practical linear types for imperative programming. Proceedings of the 2002 ACM SIGPLAN Conference on Programming Language Design and Implementation (Berlin, Germany). ACM, New York, 13--24.]] Google Scholar
- Fähndrich, M., Foster, J. S., Su, Z., and Aiken, A. 1998. Partial online cycle elimination in inclusion constraint graphs. In Proceedings of the 1998 ACM SIGPLAN Conference on Programming Language Design and Implementation (Montreal, Ont., Canada). ACM, New York, 85--96.]] Google Scholar
- Flanagan, C., Flatt, M., Krishnamurthi, S., Weirich, S., and Felleisen, M. 1996. Catching bugs in the web of program invariants. Proceedings of the 1996 ACM SIGPLAN Conference on Programming Language Design and Implementation (Philadelphia, PA). ACM, New York, 23--32.]] Google Scholar
- Flanagan, C. and Leino, K. R. M. 2001. Houdini, an annotation assitant for ESC/Java. In FME 2001: Formal Methods for Increasing Software Productivity, International Symposium of Formal Methods (Berlin, Germany) J. N. Oliverira and P. Zave, Eds. Lecture Notes in Computer Science, vol. 2021. Springer-Verlag, New York, 500--517.]] Google Scholar
- Flanagan, C., Leino, K. R. M., Lillibridge, M., Nelson, G., Saxe, J. B., and Stata, R. 2002. Extended static checking for Java. Proceedings of the 2002 ACM SIGPLAN Conference on Programming Language Design and Implementation (Berlin, Germany). ACM, New York, 234--245.]] Google Scholar
- Foster, J. S. 2002. Type qualifiers: Lightweight specifications to improve software quality. Ph.D. dissertation, University of California, Berkeley, Berkeley, CA.]] Google Scholar
- Foster, J. S., Fähndrich, M., and Aiken, A. 1999. A theory of type qualifiers. In Proceedings of the 1999 ACM SIGPLAN Conference on Programming Language Design and Implementation (Atlanta, GA). ACM, New York, 192--203.]] Google Scholar
- Foster, J. S., Terauchi, T., and Aiken, A. 2002. Flow-sensitive type qualifiers. In Proceedings of the 2002 ACM SIGPLAN Conference on Programming Language Design and Implementation (Berlin, Germany). ACM, New York, 1--12.]] Google Scholar
- Frasunek, P. 2001a. format string vulnerability in mars_nwe 0.99pl19. http://online.securityfocus.com/archive/1/158959.]]Google Scholar
- Frasunek, P. 2001b. ports/24733: mars_nwe remote format string vulnerability. http://groups.google.com/groups?q=mars_nwe+vulnerability&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=9566si%24gpv%241%40FreeBSD.csie.NCTU.edu.tw&rnum=1.]]Google Scholar
- Freeman, T. and Pfenning, F. 1991. Refinement types for ML. In Proceedings of the 1991 ACM SIGPLAN Conference on Programming Language Design and Implementation (Toronto, Ont., Canada). ACM, New York, 268--277.]] Google Scholar
- Gates, B. 2002. Trustworthy computing. Microsoft internal memo. Available at http://www.theregister.co.uk/content/4/23715.html.]]Google Scholar
- Gay, D. and Aiken, A. 2001. Language support for regions. In Proceedings of the 2001 ACM SIGPLAN Conference on Programming Language Design and Implementation (Snowbird, UT). ACM, New York, 70--80.]] Google Scholar
- Gifford, D. K., Jouvelot, P., Lucassen, J. M., and Sheldon, M. A. 1987. FX-87 Reference Manual. Tech. Rep. MIT/LCS/TR-407, MIT Laboratory for Computer Science. Sept.]]Google Scholar
- Greenfieldboyce, D. and Foster, J. S. 2004. Visualizing type qualifier inference with eclipse. In Proceedings of the Workshop on Eclipse Technology eXchange (Vancouver, B.C., Canada). ACM, New York.]] Google Scholar
- Grossman, D., Morrisett, G., Jim, T., Hicks, M., Wang, Y., and Cheney, J. 2002. Region-based memory management in cyclone. Proceedings of the 2002 ACM SIGPLAN Conference on Programming Language Design and Implementation (Berlin, Germany). ACM, New York, 282--293.]] Google Scholar
- Grossman, D., Morrisett, G., Wang, Y., Jim, T., Hicks, M., and Cheney, J. 2001. Cyclone user's manual. Tech. Rep. 2001-1855, Department of Computer Science, Cornell University. Nov.]] Google Scholar
- Hallem, S., Chelf, B., Xie, Y., and Engler, D. 2002. A system and language for building system-specific, static analyses. In Proceedings of the 2002 ACM SIGPLAN Conference on Programming Language Design and Implementation (Berlin, Germany). ACM, New York, 69--82.]] Google Scholar
- Harrelson, C. 2001. Program analysis mode. http://www.cs.berkeley.edu/~chrishtr/pam.]]Google Scholar
- Heintze, N. and Tardieu, O. 2001. Ultra-fast aliasing analysis using CLA: A million lines of C code in a second. In Proceedings of the 2001 ACM SIGPLAN Conference on Programming Language Design and Implementation (Snowbird, UT). ACM, New York, 254--263.]] Google Scholar
- Henglein, F. 1991. Efficient type inference for higher-order binding-time analysis. In FPCA '91 Conference on Functional Programming Languages and Computer Architecture (Cambridge, MA), J. Hughes, Ed. Lecture Notes in Computer Science, vol. 523. Springer-Verlag, New York, 448--472.]] Google Scholar
- Henglein, F. 1993. Type inference with polymorphic recursion. ACM Trans. Prog. Lang. Syst. 15, 2 (Apr.), 253--289.]] Google Scholar
- Henrion, M. 2000. MUH IRC bouncer remote vulnerability. FreeBSD-SA-00:57. http://www.securityfocus.com/advisories/2741.]]Google Scholar
- Henzinger, T. A., Jhala, R., Majumdar, R., and Sutre, G. 2002. Lazy abstraction. In Proceedings of the 29th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (Portland, OR). ACM, New York, 58--70.]] Google Scholar
- Horwitz, S., Reps, T., and Sagiv, M. 1995. Demand interprocedural dataflow analysis. In Proceedings of the 3rd Symposium on the Foundations of Software Engineering (Washington, DC), 104--115.]] Google Scholar
- Huuskonen, J. 2000a. Possibility for format char errors in syslog call. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=17349.]]Google Scholar
- Huuskonen, J. 2000b. Some possible format string errors. Linux security audit project mailing list. http://www2.merton.ox.ac.uk/~security/security-audit-200009/0118.html.]]Google Scholar
- Huuskonen, J. 2000c. syslog(prio, buf) in mars_nwe. Linux security audit project mailing list. http://www2.merton.ox.ac.uk/~security/security-audit-200009/0136.html.]]Google Scholar
- Johnson, R. and Wagner, D. 2004. Finding user/kernel bugs with type inference. In Proceedings of the 13th Usenix Security Symposium (San Diego, CA).]] Google Scholar
- Klarlund, N. and Schwartzbach, M. I. 1993. Graph types. In Proceedings of the 20th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (Charleston, SC). ACM, New York, 196--205.]] Google Scholar
- Larochelle, D. and Evans, D. 2001. Statically detecting likely buffer overflow vulnerabilities. In Proceedings of the 10th Usenix Security Symposium (Washington, DC).]] Google Scholar
- Leino, K. R. M. and Nelson, G. 1998. An extended static checker for modula-3. In Compiler Construction, 7th International Conference (Lisbon, Portugal). K. Koskimies, Ed. Lecture Notes in Computer Science, vol. 1383. Springer-Verlag, New York, 302--305.]] Google Scholar
- Liblit, B. and Aiken, A. 2000. Type systems for distributed data structures. In Proceedings of the 27th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (Boston, MA). ACM, New York, 199--213.]] Google Scholar
- Lucassen, J. M. and Gifford, D. K. 1988. Polymorphic effect systems. In Proceedings of the 15th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (San Diego, CA). ACM, New York, 47--57.]] Google Scholar
- Mandelbaum, Y., Walker, D., and Harper, R. 2003. An effective theory of type refinements. In Proceedings of the 8th ACM SIGPLAN International Conference on Functional Programming (Uppsala, Sweden). ACM, New York, 213--225.]] Google Scholar
- Mars Climate Orbiter Mishap Investigation Board. 1999. Phase I Report. ftp://ftp.hq.nasa.gov/pub/pao/reports/1999/MCO_report.pdf.]]Google Scholar
- Milner, R. 1978. A theory of type polymorphism in programming. J. Comput. Syst. Sci. 17, 348--375.]]Google Scholar
- Mitchell, J. C. 1991. Type inference with simple subtypes. J. Funct. Prog. 1, 3 (July), 245--285.]]Google Scholar
- Møller, A. and Schwartzbach, M. I. 2001. The pointer assertion logic engine. In Proceedings of the 2001 ACM SIGPLAN Conference on Programming Language Design and Implementation (Snowbird, UT). ACM, New York, 221--231.]] Google Scholar
- Mossin, C. 1996. Flow analysis of typed higher-order programs. Ph.D. dissertation. DIKU, Department of Computer Science, University of Copenhagen.]]Google Scholar
- Necula, G., McPeak, S., and Weimer, W. 2002. CCured: Type-safe retrofitting of legacy code. In Proceedings of the 29th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (Portland, OR). ACM, New York, 128--139.]] Google Scholar
- Newsham, T. 2000. Format string attacks. http://online.securityfocus.com/guest/3342.]]Google Scholar
- NIST. 2002. The economic impacts of inadequate infrastructure for software testing. NIST Planning Report 02-3. http://www.nist.gov/director/prog-ofc/report02-3.pdf.]]Google Scholar
- Odersky, M., Sulzmann, M., and Wehr, M. 1997. Type inference with constrained types. In Proceedings of the 4th International Workshop on Foundations of Object-Oriented Languages, B. Pierce, Ed.]]Google Scholar
- Ørbæk, P. and Palsberg, J. 1997. Trust in the λ-calculus. J. Funct. Prog. 3, 2, 75--85.]]Google Scholar
- Pierce, B. C. 2002. Types and Programming Languages. MIT Press, Cambridge, MA.]] Google Scholar
- PITAC. 1999. President's Information Technology Advisory Committee Report to the President. http://www.ccic.gov/ac/report.]]Google Scholar
- Pratikakis, P., Spacco, J., and Hicks, M. 2004. Transparent proxies for Java futures. In Proceedings of the 19th Annual Conference on Object-Oriented Programming Systems, Languages, and Applications. 206--223.]] Google Scholar
- Pratt, V. and Tiuryn, J. 1996. Satisfiability of inequalities in a poset. Funda. Inf. 28, 1-2, 165--182.]] Google Scholar
- Rehof, J. and Fähndrich, M. 2001. Type-based flow analysis: From polymorphic subtyping to CFL-reachability. In Proceedings of the 28th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (London, United Kingdom). ACM, New York, 54--66.]] Google Scholar
- Rehof, J. and Mogensen, T. Æ. 1996. Tractable constraints in finite semilattices. In Static Analysis, Third International Symposium (Aachen, Germany). R. Cousot and D. A. Schmidt, Eds. Lecture Notes in Computer Science, vol. 1145. Springer-Verlag, New York, 285--300.]] Google Scholar
- Reps, T., Horwitz, S., and Sagiv, M. 1995. Precise interprocedural dataflow analysis via graph reachability. In Proceedings of the 22nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (San Francisco, CA). ACM, New York, 49--61.]] Google Scholar
- Robbins, T. J. 2001. Libformat--Protection against format string attacks. http://www.wiretapped.net/~fyre/software/libformat.html.]]Google Scholar
- Sagiv, M., Reps, T., and Wilhelm, R. 1999. Parametric shape analysis via 3-valued logic. In Proceedings of the 26th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (San Antonio, TX). ACM, New York, 105--118.]] Google Scholar
- Savola, P. 2000. Very probable remote root vulnerability in cfengine. BugTraq mailing list. http://www.securityfocus.com/archive/1/136751.]]Google Scholar
- Shankar, U., Talwar, K., Foster, J. S., and Wagner, D. 2001. Detecting format string vulnerabilities with type qualifiers. In Proceedings of the 10th Usenix Security Symposium (Washington, DC).]] Google Scholar
- Skalka, C. and Smith, S. 2000. Static enforcement of security with types. In Proceedings of the 5th ACM SIGPLAN International Conference on Functional Programming (Montreal, Que., Canada) ACM, New York, 34--45.]] Google Scholar
- Smith, G. and Volpano, D. 1998. Secure information flow in a multi-threaded imperative language. In Proceedings of the 25th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (San Diego, CA). ACM, New York, 355--364.]] Google Scholar
- Solberg, K. L. 1995. Annotated type systems for program analysis. Ph.D. dissertation. Aarhus University, Denmark, Computer Science Department.]]Google Scholar
- Stroustrup, B. 2005. C++ style and technique FAQ. http://www.research.att.com/~bs/bs_faq2.html#constplacement.]]Google Scholar
- Viega, J., Bloch, J., Kohno, T., and McGraw, G. 2000. ITS4: A static vulnerability scanner for C and C++ Code. In Proceedings of the 16th Annual Computer Security Applications Conference. http://www.acsac.org.]] Google Scholar
- Volpano, D. and Smith, G. 1997. A type-based approach to program security. In Theory and Practice of Software Development, 7th International Joint Conference (Lille, France). M. Bidoit and M. Dauchet, Eds. Lecture Notes in Computer Science, vol. 1214. Springer-Verlag, New York, 607--621.]] Google Scholar
- Wall, L., Christiansen, T., and Orwant, J. 2000. Programming Perl, 3rd Edition ed. O'Reilly & Associates.]] Google Scholar
- Wright, A. K. 1995. Simple imperative polymorphism. In LISP and Symbolic Computation 8. Vol. 4. 343--356.]] Google Scholar
- Wright, A. K. and Felleisen, M. 1994. A syntactic approach to type soundness. Inf. Comput. 115, 1, 38--94.]] Google Scholar
- Yang, J., Kremenek, T., Xie, Y., and Engler, D. 2003. MECA: An extensible, expressive system and language for statically checking security properties. In Proceedings of the 10th ACM Conference on Computer and Communication Security (Washington, DC). ACM, New York, 321--334.]] Google Scholar
- Yelick, K., Semenzato, L., Pike, G., Miyamoto, C., Liblit, B., Krishnamurthy, A., Hilfinger, P., Graham, S., Gay, D., Colella, P., and Aiken, A. 1998. Titanium: A high-performance Java dialect. In Proceedings of the ACM 1998 Workshop on Java for High-Performance Network Computing. ACM, New York.]]Google Scholar
- Yong, S. H., Horwitz, S., and Reps, T. 1999. Pointer analysis for programs with structures and casting. In Proceedings of the 1999 ACM SIGPLAN Conference on Programming Language Design and Implementation (Atlanta, CA). ACM, New York, 91--103.]] Google Scholar
- Zhang, X., Edwards, A., and Jaeger, T. 2002. Using CQUAL for static analysis of authorization hook placement. In Proceedings of the 11th Usenix Security Symposium (San Francisco, CA).]] Google Scholar
Index Terms
Flow-insensitive type qualifiers
Recommendations
Flow-sensitive type qualifiers
PLDI '02: Proceedings of the ACM SIGPLAN 2002 conference on Programming language design and implementationWe present a system for extending standard type systems with flow-sensitive type qualifiers. Users annotate their programs with type qualifiers, and inference checks that the annotations are correct. In our system only the type qualifiers are modeled ...
Flow-sensitive type qualifiers
We present a system for extending standard type systems with flow-sensitive type qualifiers. Users annotate their programs with type qualifiers, and inference checks that the annotations are correct. In our system only the type qualifiers are modeled ...
Semantic type qualifiers
PLDI '05: Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementationWe present a new approach for supporting user-defined type refinements, which augment existing types to specify and check additional invariants of interest to programmers. We provide an expressive language in which users define new refinements and ...






Comments