C to checked C by 3c

Published: 29 April 2022

Abstract

Owing to the continued use of C (and C++), spatial safety violations (e.g., buffer overflows) still constitute one of today's most dangerous and prevalent classes of security vulnerability. To combat these violations, Checked C extends C with bounds-enforced checked pointer types. Checked C is essentially a gradually typed, spatially safe C: checked pointers are backward binary-compatible with legacy pointers, and the language allows them to be added piecemeal rather than all at once, so that safety retrofitting can be incremental. This paper presents a semi-automated process for porting a legacy C program to Checked C. The process centers on 3C, a static-analysis-based annotation tool. 3C employs two novel static analysis algorithms, typ3c and boun3c, to annotate legacy pointers as checked pointers and to infer array bounds annotations for the pointers that need them. 3C also performs a root cause analysis that directs a human developer to code that should be refactored; once that refactoring is done, 3C can be re-run to infer further annotations (and updated root causes). Experiments on 11 programs totaling 319 KLoC show 3C to be effective at inferring checked pointer types, and experience with previously and newly ported code finds that 3C works well when combined with human-driven refactoring.
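The bounds-enforced checked pointer the abstract describes, shown as an added example that is not code from the paper, the Checked C project or the 3C tool. The Checked C spelling `_Array_ptr<char> buf : count(cap)` is taken from the Checked C language specification and appears only in comments so that the file compiles as plain C; the `sink` struct, the function names, the sample strings and the statement of what 3C would infer for this particular code are constructed for the illustration and should be read as assumptions. The `checked_append` routine hand-writes the dynamic check that a Checked C compiler inserts automatically for a `count(cap)` pointer, so the "before" and "after" can be compared side by side.

```c
#include <stddef.h>
#include <string.h>

#define SINK_CAP 8   /* constructed: capacity of the sample buffer */

/* A legacy C output buffer. In plain C the capacity is just another field;
 * nothing ties it to `buf`. For this code 3C's typ3c would (assumption) mark
 * `buf` as an array pointer because it is used with pointer arithmetic, and
 * boun3c would infer the bound from the comparisons against `cap` in
 * checked_append below, yielding the Checked C declaration
 *     _Array_ptr<char> buf : count(cap);
 * shown here as a comment so that the file stays compilable as plain C. */
typedef struct {
    char  *buf;
    size_t cap;   /* number of bytes addressable through buf */
    size_t pos;   /* bytes written so far; invariant: pos <= cap */
} sink;

/* "Before": the unchecked legacy routine. If pos + len exceeds cap the memcpy
 * writes past the end of the buffer. It is kept only to show what 3C starts
 * from; the demo below never calls it. */
void legacy_append(sink *s, const char *src, size_t len) {
    memcpy(s->buf + s->pos, src, len);
    s->pos += len;
}

/* "After": the bounds check that the Checked C compiler inserts automatically
 * at an access through a pointer declared with count(cap). The written range
 * [pos, pos + len) must lie within [0, cap). The test is written as
 * `len > cap - pos` so it cannot wrap the way `pos + len > cap` can when len
 * is huge. Checked C halts the program on a failed check; this plain-C
 * stand-in returns -1 instead so the caller (and the test) can observe it. */
int checked_append(sink *s, const char *src, size_t len) {
    if (s->pos > s->cap || len > s->cap - s->pos)
        return -1;
    memcpy(s->buf + s->pos, src, len);
    s->pos += len;
    return 0;
}

/* The same idea applied to a load: with count(cap) on buf, buf[i] is checked
 * against the bound. Here we additionally restrict reads to bytes that have
 * actually been written (i < pos), which is stricter than the type requires. */
int checked_get(const sink *s, size_t i, char *out) {
    if (i >= s->pos)
        return -1;
    *out = s->buf[i];
    return 0;
}

/* Exercises the checked routines on a constructed buffer with a guard byte
 * placed immediately after it. Returns 1 if every in-bounds write succeeded,
 * each out-of-bounds access was rejected, and the guard byte is intact. */
int demo(void) {
    char storage[SINK_CAP + 1] = {0};
    storage[SINK_CAP] = 0x5A;              /* guard byte just past the buffer */
    sink s = { storage, SINK_CAP, 0 };
    char c;

    if (checked_append(&s, "abcd", 4) != 0)          return 0;  /* fits */
    if (checked_append(&s, "efgh", 4) != 0)          return 0;  /* fills exactly */
    if (checked_append(&s, "i", 1) != -1)            return 0;  /* one past end */
    if (checked_append(&s, "x", (size_t)-1) != -1)   return 0;  /* wrap attempt */
    if (s.pos != SINK_CAP)                           return 0;
    if (checked_get(&s, 7, &c) != 0 || c != 'h')     return 0;
    if (checked_get(&s, 8, &c) != -1)                return 0;  /* past pos */
    return storage[SINK_CAP] == 0x5A && memcmp(storage, "abcdefgh", 8) == 0;
}
```

The point of the comparison is where the bound lives: in `legacy_append` the relationship between `buf` and `cap` exists only in the programmer's head, so the overflow is silent; once the pointer's type carries `count(cap)`, every access is checked against it without the caller changing, which is what makes the retrofit incremental. A pointer whose bound 3C cannot infer (for instance one computed from an integer cast) stays a legacy pointer and is reported as a root cause for the developer to refactor before the next run.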
