Abstract
Owing to the continued use of C (and C++), spatial safety violations (e.g., buffer overflows) still constitute one of today's most dangerous and prevalent security vulnerabilities. To combat these violations, Checked C extends C with bounds-enforced checked pointer types. Checked C is essentially a gradually typed spatially safe C - checked pointers are backwards-binary compatible with legacy pointers, and the language allows them to be added piecemeal, rather than necessarily all at once, so that safety retrofitting can be incremental. This paper presents a semi-automated process for porting a legacy C program to Checked C. The process centers on 3C, a static analysis-based annotation tool. 3C employs two novel static analysis algorithms - typ3c and boun3c - to annotate legacy pointers as checked pointers, and to infer array bounds annotations for pointers that need them. 3C performs a root cause analysis to direct a human developer to code that should be refactored; once done, 3C can be re-run to infer further annotations (and updated root causes). Experiments on 11 programs totaling 319KLoC show 3C to be effective at inferring checked pointer types, and experience with previously and newly ported code finds 3C works well when combined with human-driven refactoring.
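The annotations the abstract describes, as an added illustration that is not code from the paper or the 3C tool: a legacy routine whose bound can be expressed from a parameter, one whose bound is an in-band sentinel (the kind of pointer a root cause analysis would send a developer to refactor), and its refactored form. The Checked C syntax (`_Array_ptr<T>`, `: count(n)`) follows the Checked C specification; the `CHECKEDC` switch and the `ARRAY_PTR`/`COUNT` macros are our own assumption so that the same file also builds as ordinary C.

```c
#include <stddef.h>

/* CHECKEDC is our own switch (an assumption, not a Checked C macro):
 * build with -DCHECKEDC under checkedc-clang to get checked pointers;
 * without it the same source is plain C, which is possible because
 * checked pointers are binary compatible with legacy pointers. */
#ifdef CHECKEDC
#define ARRAY_PTR(T) _Array_ptr<T>   /* checked pointer to an array */
#define COUNT(n)     : count(n)      /* bounds declaration: n elements */
#else
#define ARRAY_PTR(T) T *             /* legacy pointer, same representation */
#define COUNT(n)
#endif

/* Legacy form: int find(int *a, int n, int key). The bound of a is
 * expressible from the parameter n, so the annotated form ties the two
 * together and each a[i] is bounds-checked when built as Checked C. */
int find(ARRAY_PTR(int) a COUNT(n), size_t n, int key) {
    for (size_t i = 0; i < n; i++)
        if (a[i] == key) return (int)i;
    return -1;
}

/* Root-cause shape: the length is an in-band sentinel, so no parameter
 * yields a count(...) and a has to stay a legacy int *. A developer
 * directed here would refactor to make the length explicit. */
int sum_until_sentinel(int *a) {
    int s = 0;
    for (size_t i = 0; a[i] != -1; i++) s += a[i];
    return s;
}

/* Refactored: the length is an explicit parameter, so the pointer can
 * carry a count(n) bound of the kind a bounds inference would produce. */
int sum_n(ARRAY_PTR(int) a COUNT(n), size_t n) {
    int s = 0;
    for (size_t i = 0; i < n; i++) s += a[i];
    return s;
}

/* Constructed sample inputs for the three routines. */
int demo_find(void)     { int a[] = {4, 8, 15, 16}; return find(a, 4, 15); }
int demo_sentinel(void) { int a[] = {4, 8, 15, -1}; return sum_until_sentinel(a); }
int demo_sum_n(void)    { int a[] = {4, 8, 15, 16}; return sum_n(a, 4); }
```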