The Fail-Safe C to Java translator Yuhki Kamijima (Tohoku Univ.)
-
Upload
maurice-archibald-owens -
Category
Documents
-
view
227 -
download
5
Transcript of The Fail-Safe C to Java translator Yuhki Kamijima (Tohoku Univ.)
The Fail-Safe C to Java translator
Yuhki Kamijima (Tohoku Univ.)
2
Background
The programming language C does not
guarantee memory safety This is the cause of memory attacks
ex. buffer overflow attacks
Attackers can obtain root privilege and operate freely
We want to execute C programs safely!
3
Background
How can we achieve memory safety? Point : Java is memory safe
We use Java to guarantee memory safety
4
Goal
Source to source, C to Java translation
with memory safety and ANSI conformance Save a lot of work spent on rewriting programs Java rejects dangerous programs
Prevent memory bugs and attacks
5
Summary
We propose one way of translating C to Java Well-defined operations
→ simulate by using objects Unsafe (= undefined) operations
→ raise an exceptionPointer operations
Represent pointers and memory blocks as Java objectsSimulate pointer operations by using these objects
CastsUse access methods to access memory blocks
Enables access by different types
6
Outline
C to Java translation by using Java objects Representation of pointer operations Examples of translation
Class details Fat pointer, block Access methods Fat integer
Implementation of the translator Experiments and considerations Related work Conclusion and future work
7
Representation of pointer operations
C : A pointer points to a memory block
Java : The object representing a pointer refers to
an object representing a memory block
C Java
memory objectspointer
8
Pointer : FatPointer Fields : base, offset
1 word memory block : FatBlock Field : contents Method : access methods
Java classes
FatPointer
base offset
accessmethods
FatBlock
contents
9
Regard variables as one element arrays
Examples of translation : declaration
int *p = NULL ;int a[3] ;
FatBlock p = new FatBlock(1) ;FatBlock a = new FatBlock(3) ;
accessmethods
aaccess
methodsp
10
Address operation
p = &a[1] ;
p.writeFat(0*4, new FatPointer(a, 1*4)) ;
0 4 8
p
4
a accessmethods
baseoffset
accessmethods
virtual offset 0
generate a new pointer which points to offset 4 of a
readFatwriteFat…
11
Address operation
p = &a[1] ;
p.writeFat(0*4, new FatPointer(a, 1*4)) ;access method for 1 word write
write the pointer on offset 0 of p
0 4 8
p a accessmethods
baseoffset
virtual offset 0
4access
methodsreadFat
…writeFat
12
i = p.readFat(0*4) ; new FatPointer(i.base, i.offset+1*4) ;1 word read
Addition of pointer and integer
p + 1; read the pointer contained at offset 0 of p
0 4 8
p a accessmethods
offset
virtual offset 0
4i base
4access
methods writeFat…
readFat
13
i = p.readFat(0*4) ; new FatPointer(i.base, i.offset+1*4) ;
Addition of pointer and integer
p + 1;
0 4 8
p a accessmethods
offset
virtual offset 0
8 base
make a new pointer which points to offset 8 of a
4access
methodsreadFatwriteFat…
14
*(char *)(&a[1]) ;
Cast
i = new FatPointer(a, 1*4) ; i.base.readByte(i.offset) ;
4
a
virtual offset 0 4 8
0x12345678
i
create a new pointer which points to offset 4 of a
readByteaccessmethods
readFatwriteFat…writeByte
15
*(char *)(&a[1]) ;
Cast
i = new FatPointer(a, 1*4) ; i.base.readByte(i.offset) ;1 byte read
4
a
virtual offset 0 4 8
0x12345678
i
offset 4
0x12
read 1 byte of data from the location i points to
accessmethods
readFatwriteFat…writeByte
readByte
16
Outline
C to Java translation by using Java objects Representation of pointer operations Examples of translation
Class details Fat pointer, block Access methods Fat integer
Implementation of the translator Experiments and considerations Related work Conclusion and future work
17
Pointer operation
How to simulate a pointer which points to the
middle of a memory block? References in Java cannot point to the middle of
an object
JavaC
→ Use fat pointers×
18
Fat Pointer [Austin et al. 94] [Oiwa et al. 01] et al.
Represent a pointer as two words base : always points to the front of a memory block offset : contains an integer meaning the distance from
base to the address pointed to by the pointer
base offset means 8 byte distance
offset 0 4 8 12 16 20 24 28 32
8
the location we want to point to
19
FatPointer class
Simulate fat pointers in Java base : refers to a Block object offset : contains an integer
FatPointer
Block
accessmethods contents
virtual offset 0 4 8 12 16 20 24 28 32
base offset
8
20
Block abstract class
Simulate memory blocks contents : contains an array of data objects access methods : deal with memory accesses
Has concrete subclasses
・・・
Block (abstract)
accessmethods contents
ByteBlock
accessmethods
FatBlock
accessmethods
: FatPointer object : Byte object (1 byte of data)
21
Access methods
Memory accesses are implemented using
access methods Block class has several methods for
reading and writingreadFat : 1 word read
writeFat : 1 word write
readByte : 1 byte read
writeShort : 2 byte write
… Enables memory accesses by different types
contentsreadShortreadByteaccess
methodsreadFatwriteFat… writeByte writeShort
22
Fat Integer [Oiwa et al. 01]
Represent integers by two words Pointers are also integers in C,
generally expressed with 1 word We represent integers by objects
FatInt class base : always null offset : contains integer
FatInt
base offset
5null
23
Fat class
Common parent class of FatPointer and FatInt FatBlock contents contains Fat objects
FatPointer or FatInt
Fat (abstract)
base offset
FatPointer
base offset
FatInt
base offset
accessmethods
FatBlock
24
Outline
C to Java translation by using Java objects Representation of pointer operations Examples of translation
Class details Fat pointer, block Access methods Fat integer
Implementation of the translator Experiments and considerations Related work Conclusion and future work
25
Implementation of the translator
Translator implemented in Objective Caml
lexer
codegenerator
parser
pretty-printer
Csource code
Javasource code
CIL [Necula et al. 02]
Joust [Cooper]
implemented
this part
translator
Cabstract
syntax tree
Java abstract
syntax tree
26
Experiments
Benchmark programs taken from
The Computer Language Shootout Values in the graph means overheads
Fail-Safe C to Java user time / C user time Handwritten Java user time / C user time
Environments 2.80GHz Intel Pentium 4 CPU, 2GB memory Linux 2.6 gcc : version 4.0.0 with –O2 option javac, java : Sun JDK version 1.5.0 with –O option
27
Experiments
13.1
7 4.2
7
52.0
3
51.0
7
45.0
8 35.4
1
4.3
9
79.6
46.8
9 37.4
2
50.5
1
11.8
2 3.6
1
3.1
6
1.0
8
3.5
5
0.9
5
1.6
7
16.3
5
2.1
9
1.1
9
1.4
7
0
10
20
30
40
50
60
70
80
90
sta
rtup
su
m-file
nsie
ve
sp
ectra
l-n
orm
man
delb
rot
recu
rsiv
e
partia
l-su
ms
nsie
ve-b
its
fan
nku
ch
bin
ary
-trees
n-b
od
y
FSC2J/C
Java/C
28
Consideration
All pointers, integers and memory blocks are
translated to objects Lots of object creations and method calls
Reduce these by optimizations Translate variables to FatBlock only if they are pointed
to by a pointer Translate integers to FatInt only if they cannot be
distinguished from pointers Eliminate redundant calls to the same access method
29
Outline
C to Java translation by using Java objects Representation of pointer operations Examples of translation
Class details Fat pointer, block Access methods Fat integer
Implementation of the translator Experiments and considerations Related work Conclusion and future work
30
Related work : C to Java translators
Jazillian [Jazillian, Inc.] Aims at readability and maintainability Assumes user intervention of generated code
Ephedra [Martin et al. 01] Does not support cast of pointers between different types Does not support memory access via pointers of different types
Our translatorAims at 100% ANSI conformance (and more) and memory safety
Supports memory access via cast pointers by using
access methods
31
Related work : Safe C runtime systems
CCured [Necula et al. 02] Dynamically checks unsafe operations Reduces overheads by static analysis (to 3 - 87 %) Does not aim at 100% ANSI conformance
Fail-Safe C [Oiwa et al. 01] Based on the same ideas of fat pointers and fat intergers
Both compile C to native codeIf these compilers have a bug, unsafe codes are executed
Our translator translates C to Java source codeProvided that Java is safe, unsafe codes are rejected
(even if our translator has a bug)
We clarify the essence of Fail-Safe C
32
Conclusion and future work
We propose translation from C to Java Simulate pointers, integers and memory blocks
with Java objects
Future work Support all ANSI C and more Optimizations