Abstract
Low-level programming languages with weak/static type systems, such as C and C++, are vulnerable to errors relating to the misuse of memory at runtime, such as (sub-)object bounds overflows, (re)use-after-free, and type confusion. Such errors account for many security and other undefined behavior bugs for programs written in these languages. In this paper, we introduce the notion of dynamically typed C/C++, which aims to detect such errors by dynamically checking the "effective type" of each object before use at runtime. We also present an implementation of dynamically typed C/C++ in the form of the Effective Type Sanitizer (EffectiveSan). EffectiveSan enforces type and memory safety using a combination of low-fat pointers, type metadata and type/bounds check instrumentation. We evaluate EffectiveSan against the SPEC2006 benchmark suite and the Firefox web browser, and detect several new type and memory errors. We also show that EffectiveSan achieves high compatibility and reasonable overheads for the given error coverage. Finally, we highlight that EffectiveSan is one of only a few tools that can detect sub-object bounds errors, and uses a novel approach (dynamic type checking) to do so.
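To make the error classes in the abstract concrete, the following C program is an added illustration (not code from the paper or from EffectiveSan itself) of what "checking the effective type of each object before use" means in practice. It records per-allocation type metadata built from the real `offsetof`/`sizeof` layout of a constructed `struct node`, then classifies each access as OK, whole-object bounds error, sub-object bounds error, type confusion, or use-after-free. Two simplifications are assumptions of this sketch: a small allocation table stands in for the low-fat-pointer base lookup the paper uses, and freed objects are quarantined rather than returned to the allocator so a dangling access can still be diagnosed. The accesses and the over-long input string are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example type; its layout is what the checks below reason about. */
struct node {
    char name[16];
    int len;
    void (*cb)(void);
};

enum type_id { T_CHAR, T_INT, T_FLOAT, T_FNPTR };

/* Type metadata: one entry per sub-object, giving its location and effective type. */
struct member { size_t offset, size; enum type_id type; };

static const struct member node_layout[] = {
    { offsetof(struct node, name), sizeof(((struct node *)0)->name), T_CHAR  },
    { offsetof(struct node, len),  sizeof(int),                     T_INT   },
    { offsetof(struct node, cb),   sizeof(void (*)(void)),          T_FNPTR },
};

/* Per-allocation metadata. A low-fat pointer scheme recovers the object base from the
   pointer bits themselves; this table lookup is a simplification standing in for that. */
struct alloc {
    void *base;
    size_t size;
    int freed;
    const struct member *layout;
    size_t nmembers;
};
static struct alloc allocs[8];
static size_t nallocs;

enum verdict { OK, ERR_OBJECT_BOUNDS, ERR_SUBOBJECT_BOUNDS, ERR_TYPE_CONFUSION, ERR_USE_AFTER_FREE };

static void *typed_alloc(size_t size, const struct member *layout, size_t nmembers) {
    void *p = calloc(1, size);
    if (!p || nallocs == sizeof allocs / sizeof allocs[0]) abort();
    allocs[nallocs++] = (struct alloc){ p, size, 0, layout, nmembers };
    return p;
}

/* Mark the object dead but keep its slot (a quarantine, an assumption of this sketch), so a
   later access through a dangling pointer is reported as use-after-free, not a stray address. */
static void typed_free(void *p) {
    for (size_t i = 0; i < nallocs; i++)
        if (allocs[i].base == p) allocs[i].freed = 1;
}

/* Check an n-byte access at p made through a pointer whose static type is `want`. */
static enum verdict check_access(const void *p, size_t n, enum type_id want) {
    for (size_t i = 0; i < nallocs; i++) {
        const struct alloc *a = &allocs[i];
        uintptr_t off = (uintptr_t)p - (uintptr_t)a->base;   /* wraps to a huge value if p < base */
        if (off >= a->size) continue;                          /* not inside this object */
        if (a->freed) return ERR_USE_AFTER_FREE;
        if (off + n > a->size) return ERR_OBJECT_BOUNDS;
        for (size_t j = 0; j < a->nmembers; j++) {
            const struct member *m = &a->layout[j];
            if (off < m->offset || off >= m->offset + m->size) continue;
            if (off + n > m->offset + m->size) return ERR_SUBOBJECT_BOUNDS;  /* spills into the next member */
            return m->type == want ? OK : ERR_TYPE_CONFUSION;
        }
        return ERR_TYPE_CONFUSION;   /* offset falls in padding: no sub-object has that effective type */
    }
    return ERR_OBJECT_BOUNDS;        /* p points into no live allocation */
}

/* Five accesses a program might make; each is a constructed scenario, not real input. */
static enum verdict scenario(int k) {
    static enum verdict v[5];
    static int ran;
    if (!ran) {
        struct node *n = typed_alloc(sizeof *n, node_layout, 3);
        const char *input = "this-name-is-too-long";               /* 21 chars + NUL */
        v[0] = check_access(n->name, 5, T_CHAR);                   /* memcpy(n->name, "abcd", 5) */
        v[1] = check_access(n->name, strlen(input) + 1, T_CHAR);   /* strcpy(n->name, input): 22 bytes into a 16-byte
                                                                      array, still inside the object, so whole-object
                                                                      bounds checks do not see it */
        v[2] = check_access(&n->len, sizeof(float), T_FLOAT);      /* *(float *)&n->len: int read as float */
        v[3] = check_access((char *)n + sizeof *n, 1, T_CHAR);     /* one past the end of the object */
        typed_free(n);
        v[4] = check_access(&n->len, sizeof(int), T_INT);          /* n->len after free */
        ran = 1;
    }
    return v[k];
}

int main(void) {
    static const char *name[] = { "OK", "object bounds", "sub-object bounds", "type confusion", "use after free" };
    for (int k = 0; k < 5; k++)
        printf("scenario %d: %s\n", k, name[scenario(k)]);
    return 0;
}
```

The interesting case is scenario 1: the copy stays within the allocation, so a whole-object bounds checker sees nothing wrong, but the sub-object metadata shows the write crossing from `name` into `len`. Scenario 2 shows why the type and bounds checks are separate: the access is in bounds at every level and fails only because the effective type recorded for that offset is `int`, not `float`.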
EffectiveSan: type and memory error detection using dynamically typed C/C++
PLDI 2018: Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation