Yutaka Oiwa
ABSTRACT
This paper describes a completely memory-safe compiler for C language programs that is fully compatible with the ANSI C specification.
Programs written in C often suffer from nasty errors due to dangling pointers and buffer overflow. Such errors in Internet server programs are often exploited by malicious attackers to crack an entire system. The origin of these errors is usually corruption of in-memory data structures caused by out-of-bound array accesses. Usual C compilers do not provide any protection against such out-of-bound access, although many other languages such as Java and ML do provide such protection. There have been several proposals for preventing such memory corruption from various aspects: runtime buffer overrun detectors, designs for new C-like languages, and compilers for (subsets of) the C language. However, as far as we know, none of them have achieved full memory protection and full compatibility with the C language specification at the same time.
We propose the most powerful solution to this problem ever presented. We have developed Fail-Safe C, a memory-safe implementation of the full ANSI C language. It detects and disallows all unsafe operations, yet conforms to the full ANSI C standard (including casts and unions). This paper introduces several techniques--both compile-time and runtime--to reduce the overhead of runtime checks, while still maintaining 100% memory safety. This compiler lets programmers easily make their programs safe without heavy rewriting or porting of their code. It also supports many of the "dirty tricks" commonly used in many existing C programs, which do not strictly conform to the standard specification. In this paper, we demonstrate several real-world server programs that can be processed by our compiler and present technical details and benchmark results for it.
- American National Standard Institute. American national standard for information systems -- programming language -- C. ANSI X3.159-1989.Google Scholar
- Todd M. Austin, Scott E. Breach, and Gurindar S. Sohi. Efficient detection of all pointer and array access errors. In Proc. '94 Conference on Programming Language Design and Implementation (PLDI), pages 290---301, 1994. Google ScholarDigital Library
- Hans Boehm. A garbage collector for C and C++. http: //www.hpl.hp.com/personal/Hans Boehm/gc/.Google Scholar
- Hans Boehm and Mark Weiser. Garbage collection in an uncooperative environment. Software: Practice & Experience, pages 807--820, September 1988. Google ScholarDigital Library
- Jeremy Condit, Matthew Harren, Scott McPeak, George C. Necula, and Westley Weimer. CCured in the real workd. In ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 232--244, June 2003. Google ScholarDigital Library
- Crispan Cowan, Calton Pu, Dave Maier, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, Qian Zhang, and Heather Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proc. 7th USENIX Security Conference, pages 63--78, San Antonio, Texas, January 1998. Google ScholarDigital Library
- Hiroaki Etoh and Kunikazu Yoda. Propolice: Improved stacksmashing attack detection. IPSJ SIG Notes, 2001(75):181--188, 2001.Google Scholar
- Jun Furuse. VITC: Safe C code compilation against attacks. In 4th Workshop on Dependable Software, 2006. In Japanese.Google Scholar
- Dan Grossman, Greg Morrisett, Trevor Jim, Michael Hicks, Yanling Wang, and James Cheney. Region-based memory management in Cyclone. In Proc. ACM Conference on Programming Language Design and Implementation (PLDI), pages 282--293, June 2002. Google ScholarDigital Library
- International Organization for Standards and International Electrotechnical Commission. Programming languages -- C. ISO/IEC Standard ISO/IEC 9899:1990.Google Scholar
- Trevor Jim, Greg Morrisett, Dan Grossman, Michael Hicks, James Cheney, and YanlingWang. Cyclone: A safe dialect of C. In USENIX Annual Technical Conference, June 2002. Google ScholarDigital Library
- Richard W. M. Jones and Paul H. J. Kelly. Backwards-compatible bounds checking for arrays and pointers in C programs. In Automated and Algorithmic Debugging, pages 13--26, 1997.Google Scholar
- Yuhki Kamijima and Eijiro Sumii. Safe implementation of C pointer arithmetics by translation to Java. JSSST, 26(1):139--154, 2009. In japanese.Google Scholar
- Brian W. Kernighan and Dennis M. Ritchie. The Programming Language C. Prentice Hall, second edition, 1988. Google ScholarDigital Library
- Alexey Loginov, Suan Hsi Yong, Susan Horwitz, and Thomas Reps. Debugging via run--time type checking. Lecture Notes in Computer Science, 2029:217--, 2001. Google ScholarDigital Library
- Type-safe retrofitting of legacy code. In Proc. The 29th Annual ACM SIGPLAN--SIGACT Symposium on Principles of Programming Languages (POPL2002), pages 128--139, January 2002. Google ScholarDigital Library
- Yutaka Oiwa. Fail-Safe C webpage. https://staff.aist.go.jp/y.oiwa/FailSafeC/index--en.html.Google Scholar
- Yutaka Oiwa. An extension to Fail-Safe C to support object-oriented languages. In Symposium on Programming and Programming Languages, March 2005.Google Scholar
- Yutaka Oiwa. Implementation of a Fail-Safe ANSI C Compiler. PhD thesis, University of Tokyo, 2005.Google Scholar
- Yutaka Oiwa. Type-safe linking of C programs. In Symposium on Programming and Programming Languages, March 2007.Google Scholar
- Gray Watson. Dmalloc -- debug malloc library. http://www.dmalloc.com/.Google Scholar
- George Necula, Scott McPeak, and Westley Weimer. CCured:Google Scholar
Index Terms
- Implementation of the memory-safe full ANSI-C compiler
Recommendations
Implementation of the memory-safe full ANSI-C compiler
PLDI '09This paper describes a completely memory-safe compiler for C language programs that is fully compatible with the ANSI C specification.
Programs written in C often suffer from nasty errors due to dangling pointers and buffer overflow. Such errors in ...
Memory-safe Execution of C on a Java VM
PLAS'15: Proceedings of the 10th ACM Workshop on Programming Languages and Analysis for SecurityIn low-level languages such as C, spatial and temporal safety errors (e.g. buffer overflows or dangling pointer dereferences) are hard to find and can cause security vulnerabilities. Modern high-level languages such as Java avoid these problems by ...
Fail-safe ANSI-C compiler: an approach to making C programs secure
ISSS'02: Proceedings of the 2002 Mext-NSF-JSPS international conference on Software security: theories and systemsIt is well known that programs written in C are apt to suffer from nasty errors due to dangling pointers and/or buffer overflow. In particular, such errors in Internet servers are often exploited by malicious attackers to "crack" an entire system, which ...
Comments