Cyclone: A safe dialect of C


Page 1: Cyclone: A safe dialect of C

Trevor Jim, Greg Morrisett, Dan Grossman, Michael Hicks, James Cheney, Yanling Wang

Page 2

Overview

Introduction
From C to Cyclone
Implementation
Design History
Conclusion/Questions

Page 3

Introduction

“Common errors that cause vulnerabilities — buffer overflows, poor handling of unexpected types and amounts of data — are well understood. Unfortunately, features still seem to be valued more highly among manufacturers than reliability.”

Page 4

Introduction

Safety violations that occur in C
  Buffer overflows in C can be caused by bad pointer arithmetic
  C uses null-terminated strings
  Out-of-bounds pointers are commonplace in C

Page 5

Introduction

Cyclone allows for safety while retaining C's syntax and semantics
Has been in development for 2 years
Designed from the ground up for:
  Prevention of buffer overflows
  Format string attacks
  Memory management errors
110,000 lines
  35,000 for the compiler
  15,000 for supporting libraries
Looking at safety violations enabled by C and how Cyclone avoids them

Page 6

From C to Cyclone

Similarities
  It uses the C preprocessor
  Follows C's lexical conventions and grammar
  Same data representation as C
Differences
  Cyclone performs a static analysis on code
  Inserts run-time checks
  Rejects some programs that C might compile

Page 7

From C to Cyclone

Restrictions
  NULL checks are inserted to prevent segmentation faults
  Pointer arithmetic is restricted
  Dangling pointers are prevented through region analysis and limitations on free
  Only "safe" casts and unions are allowed
  setjmp and longjmp are not supported
  switch labels in different scopes are disallowed

Page 8

From C to Cyclone

Extensions
  Never-NULL pointers do not require NULL checks
  Tagged unions support type-varying arguments
  Injections help automate the use of tagged unions for programmers
  Polymorphism replaces some uses of void *
  Exceptions replace some uses of setjmp and longjmp
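The restrictions of page 7 and the NULL-check discussion of page 8 are easiest to see in code. The following C block is an added illustration, not Cyclone code and not from the talk: it emulates a checked Cyclone fat pointer (the `int ?` type that appears in the page 9 example) as a struct that carries its bounds, so pointer arithmetic stays possible while each dereference performs the NULL and bounds checks the compiler inserts. All names (fat_int, fat_from_array, fat_add, fat_get, sum_checked) are ours.

```c
#include <stddef.h>

/* Added illustration, not Cyclone code: a C struct emulating Cyclone's
 * fat pointer "int ?p". The pointer carries its bounds, so arithmetic
 * remains possible while every dereference gets the run-time bounds
 * and NULL checks the slides describe. All names here are ours. */
typedef struct {
    int *base;   /* first element of the underlying array, or NULL */
    size_t len;  /* number of valid elements */
    long cur;    /* current offset from base; may legally go out of range */
} fat_int;

static fat_int fat_from_array(int *arr, size_t n) {
    fat_int p = { arr, n, 0 };
    return p;
}

/* p + off: a plain int* would forget the bounds here; a fat pointer keeps
 * them, so the check happens at the dereference, not at the arithmetic. */
static fat_int fat_add(fat_int p, long off) {
    p.cur += off;
    return p;
}

/* Checked read of p[idx]: 0 on success, -1 where Cyclone would raise an
 * exception instead of reading memory outside the array. */
static int fat_get(fat_int p, long idx, int *out) {
    long at = p.cur + idx;
    if (p.base == NULL) return -1;                    /* NULL check */
    if (at < 0 || (size_t)at >= p.len) return -1;      /* bounds check */
    *out = p.base[at];
    return 0;
}

/* Sum n_claimed elements from p. A caller that overstates the length
 * (the classic over-read) gets -1 instead of whatever lies past the end. */
static int sum_checked(fat_int p, size_t n_claimed, int *sum) {
    int acc = 0, v;
    for (size_t i = 0; i < n_claimed; i++) {
        if (fat_get(p, (long)i, &v) != 0) return -1;
        acc += v;
    }
    *sum = acc;
    return 0;
}
```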

Page 9

From C to Cyclone

The free function in C can create dangling pointers. The following is a code example:

    region h {
      int *x = rmalloc(h, sizeof(int));   /* allocate one int in region h */
      int ?y = rnew(h) {1, 2, 3};         /* allocate and initialize an array in h */
      char ?z = rprintf(h, "hello");      /* formatted string allocated in h */
    }                                     /* end of the block: region h is deallocated */

Page 10

From C to Cyclone

rmalloc works like malloc but allocates into the region of the handle
rnew allocates and initializes in a single step
rprintf creates a buffer then prints formatted information to that buffer
Handles can be passed to library functions
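As an added illustration (not Cyclone's runtime and not code from the talk), the following C arena stands in for the region handle h of the page 9 example: region_malloc, region_new_ints and region_printf play the roles of rmalloc, rnew and rprintf, and region_close is the end of the region block, where every object is released together. All names are ours; Cyclone's actual guarantee that x, y and z cannot be used after the block is enforced statically by its compiler and is not reproduced here.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not Cyclone's runtime: a C arena standing in for
 * the region handle h of the slide's example. Objects belong to the
 * region and are released together when it ends, so no individual
 * free() can leave a dangling pointer. All names here are ours. */
typedef struct alloc { struct alloc *next; } alloc_t; /* header per object */
typedef struct { alloc_t *head; } region_t;           /* init: { NULL } */

/* rmalloc(h, n): like malloc, but the object belongs to region h. */
static void *region_malloc(region_t *h, size_t n) {
    alloc_t *a = malloc(sizeof *a + n);
    if (a == NULL) return NULL;
    a->next = h->head; h->head = a;   /* push onto the region's list */
    return a + 1;                     /* payload sits right after the header */
}

/* rnew(h) {1, 2, 3}: allocate and initialise in a single step. */
static int *region_new_ints(region_t *h, const int *init, size_t n) {
    int *p = region_malloc(h, n * sizeof *p);
    if (p != NULL) memcpy(p, init, n * sizeof *p);
    return p;
}

/* rprintf(h, fmt, ...): format into a buffer sized first, allocated in h. */
static char *region_printf(region_t *h, const char *fmt, ...) {
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap);   /* sizing pass */
    va_end(ap);
    char *s = (n < 0) ? NULL : region_malloc(h, (size_t)n + 1);
    if (s != NULL) vsnprintf(s, (size_t)n + 1, fmt, ap2);
    va_end(ap2);
    return s;
}

/* End of "region h { ... }": free everything at once; returns the count. */
static size_t region_close(region_t *h) {
    size_t freed = 0;
    while (h->head != NULL) {
        alloc_t *a = h->head; h->head = a->next;
        free(a); freed++;
    }
    return freed;
}
```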

Page 11

Implementation

Cyclone compiler implemented in 35,000 lines of Cyclone
Consists of a parser, a static analysis phase and a simple translator
Uses gcc as a backend
Has built-in utilities: a memory profiler

Page 12

Implementation

Benchmarks
  The table shows how much of a difference there is between C and Cyclone
Ease of porting
  Created Cyclone so existing C code can be easily ported
  Fewer than 10% of the lines needed to be changed to port the benchmarks

Page 13

Implementation

Performance
  Non-web benchmarks: mean and median the same; standard deviation was at most 2% of the mean
  Near-zero overhead for I/O-bound applications
  Factor of three slower than C for computationally intensive benchmarks
Safety
  Found array-bounds violations in three benchmarks when C was ported to Cyclone

Page 14

Design History

Began as an offshoot of TAL
Designed Popcorn to use with it
Cyclone is a rework of Popcorn
From what was learned, some notable mistakes and changes:
  Supported arrays with a type array<t>, not a fat pointer
  Didn't understand the importance of null-terminated strings

Page 15

Conclusion

Cyclone is a dialect of C that provides safety
Cyclone uses static analysis and run-time checks to prevent safety violations
Tries to accommodate C's style of low-level programming

Questions?