Cyclone: A safe dialect of C
Trevor Jim, Greg Morrisett, Dan Grossman, Michael Hicks, James Cheney, Yanling Wang
Overview
  Introduction
  From C to Cyclone
  Implementation
  Design History
  Conclusion/Questions

Introduction
“Common errors that cause vulnerabilities — buffer overflows, poor handling of unexpected types and amounts of data — are well understood. Unfortunately, features still seem to be valued more highly among manufacturers than reliability.”
Introduction
Safety violations that occur in C
Buffer overflows in C can be caused by:
  bad pointer arithmetic
  C's use of null-terminated strings
  out-of-bounds pointers, which are commonplace in C
Introduction
Cyclone allows for safety while retaining C's syntax and semantics
Has been in development for 2 years
Designed from the ground up for the prevention of:
  buffer overflows
  format string attacks
  memory management errors
110,000 lines of Cyclone code: 35,000 for the compiler, 15,000 for supporting libraries
Looking at safety violations enabled by C and how Cyclone avoids them
From C to Cyclone
Similarities
  Uses the C preprocessor
  Follows C's lexical conventions and grammar
  Same data representation as C
Differences
  Cyclone performs a static analysis on the code
  Inserts run-time checks
  Rejects some programs that C would compile
From C to Cyclone
Restrictions
  Null checks are inserted to prevent segmentation faults
  Pointer arithmetic is restricted
  Dangling pointers are prevented through region analysis and limitations on free
  Only "safe" casts and unions are allowed
  setjmp and longjmp are not supported
  switch labels in different scopes are disallowed
From C to Cyclone
Extensions
  Never-null pointers do not require null checks
  Tagged unions support type-varying arguments
  Injections help automate the use of tagged unions for programmers
  Polymorphism replaces some uses of void *
  Exceptions replace some uses of setjmp and longjmp
From C to Cyclone
The free function in C can create dangling pointers
The following is a code example (Cyclone region syntax; everything allocated in region h is freed together when the block exits, so no pointer into h can dangle):

  region h {
    int *x = rmalloc(h, sizeof(int));      // region-allocated int, uninitialized
    int ?y = rnew(h) {1, 2, 3};            // region-allocated, initialized fat-pointer array
    char ?z = rprintf(h, "hello");         // region-allocated formatted string
  }
From C to Cyclone
rmalloc: works like malloc but allocates into the region named by the handle
rnew: allocates and initializes in a single step
rprintf: creates a buffer in the region, then prints formatted output into that buffer
Handles can be passed to library functions
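The `?` on `y` and `z` above marks a Cyclone fat pointer: the compiler carries the array bounds with the pointer and inserts a bounds check before each dereference, which is the run-time check behind "pointer arithmetic is restricted" on the previous slide. The following C program is an added illustration, not code from the slides or from the Cyclone compiler. It models a fat pointer as (base, offset, length) rather than Cyclone's pointer triple so the out-of-bounds case stays defined C, and reports a failed check as an error return where Cyclone would throw an exception. The `checked_fill` function is a constructed example of the classic trusted-length bug.

```c
#include <stddef.h>
#include <stdio.h>

/* Model of a Cyclone "int ?" fat pointer.  Cyclone stores the array bounds
 * alongside the pointer; here they are kept as an offset and a length so
 * that moving past the end is ordinary integer arithmetic, not undefined
 * pointer arithmetic.  Added example, not Cyclone's own representation. */
typedef struct {
    int *base;      /* start of the underlying array (NULL allowed) */
    ptrdiff_t off;  /* current position relative to base */
    size_t len;     /* number of valid elements */
} fat_int_ptr;

/* Wrap an existing array of n elements. */
fat_int_ptr fat_from_array(int *arr, size_t n) {
    fat_int_ptr p = { arr, 0, n };
    return p;
}

/* Pointer arithmetic is permitted on "?" pointers; the bounds travel with
 * the pointer so the check can still be made at the point of use. */
fat_int_ptr fat_add(fat_int_ptr p, ptrdiff_t k) {
    p.off += k;
    return p;
}

/* The check Cyclone inserts before a dereference.  Covers both the null
 * check (nullable pointer) and the bounds check (fat pointer). */
static int fat_in_bounds(fat_int_ptr p) {
    return p.base != NULL && p.off >= 0 && (size_t)p.off < p.len;
}

/* Read through the pointer: 0 on success, -1 where Cyclone would raise an
 * exception instead of reading memory outside the array. */
int fat_read(fat_int_ptr p, int *out) {
    if (!fat_in_bounds(p))
        return -1;
    *out = p.base[p.off];
    return 0;
}

/* Write through the pointer with the same check. */
int fat_write(fat_int_ptr p, int value) {
    if (!fat_in_bounds(p))
        return -1;
    p.base[p.off] = value;
    return 0;
}

/* Constructed example of the C bug the slides describe: the caller's length
 * claim is trusted, so a wrong count would walk off the end of the array.
 * With a fat pointer the same loop is stopped at the boundary; the return
 * value is the number of writes refused, i.e. the number that would have
 * corrupted adjacent memory in plain C. */
size_t checked_fill(fat_int_ptr p, size_t claimed_len) {
    size_t refused = 0;
    for (size_t i = 0; i < claimed_len; i++) {
        if (fat_write(fat_add(p, (ptrdiff_t)i), (int)i) != 0)
            refused++;
    }
    return refused;
}

int main(void) {
    int buf[4] = { 0, 0, 0, 0 };          /* constructed sample buffer */
    fat_int_ptr p = fat_from_array(buf, 4);

    /* Caller claims 6 elements but only 4 exist: two writes are refused. */
    printf("refused writes: %zu\n", checked_fill(p, 6));

    int v;
    if (fat_read(fat_add(p, 4), &v) != 0)
        printf("read one past the end rejected\n");
    return 0;
}
```

The point of the model is that the overflow is caught at the access, not at the arithmetic: `fat_add` is allowed to compute an out-of-range position (as Cyclone allows `p + k` on a `?` pointer), and only `fat_read`/`fat_write` refuse it. A plain `int *` in Cyclone gets only the null check, which is why arithmetic on it is rejected at compile time rather than checked at run time.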
Implementation
Cyclone compiler implemented in 35,000 lines of Cyclone
Consists of a parser, a static analysis phase, and a simple translator
Uses gcc as a backend
Built-in utilities:
  Memory profiler
Implementation
Benchmarks
  Table shows how much of a difference there is between the C and Cyclone versions
Ease of Porting
  Created Cyclone so existing C code can be easily ported
  Fewer than 10% of the lines needed to be changed to port the benchmarks
Implementation
Performance
  Non-web benchmarks
    Mean and median were the same
    Standard deviation was at most 2% of the mean
  Near-zero overhead for I/O-bound applications
  Factor of three slower than C for computationally intensive benchmarks
Safety
  Found array bounds violations in three benchmarks when the C code was ported to Cyclone
Design History
Began as an offshoot of TAL
Designed Popcorn to use with it
Cyclone is a rework of Popcorn
Along the way, made some notable mistakes and changes:
  Supported arrays with a type array<t>, not a fat pointer
  Didn't understand the importance of null-terminated strings
Conclusion
Cyclone is a dialect of C that provides safety
Cyclone uses static analysis and run-time checks to prevent safety violations
Tries to accommodate C's style of low-level programming
Questions?