CCured: type-safe retrofitting of legacy software

This article describes CCured, a program transformation system that adds type safety guarantees to existing C programs. CCured attempts to verify statically that memory errors cannot occur, and it inserts run-time checks where static verification is insufficient. CCured extends C's type system by separating pointer types according to their usage, and it uses a surprisingly simple type inference algorithm that is able to infer the appropriate pointer kinds for existing C programs. CCured uses physical subtyping to recognize and verify a large number of type casts at compile time. Additional type casts are verified using run-time type information. CCured uses two instrumentation schemes: one that is optimized for performance, and one in which metadata is stored in a separate data structure whose shape mirrors that of the original user data. This latter scheme allows instrumented programs to invoke external functions directly on the program's data without the use of a wrapper function. We have used CCured on real-world security-critical network daemons to produce instrumented versions without memory-safety vulnerabilities, and we have found several bugs in these programs. The instrumented code is efficient enough to be used in day-to-day operations.
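To make the abstract's central idea concrete, the following is an added, hand-written sketch (not CCured's code, and not its actual pointer representation or check names) of what a "pointer plus metadata" with an inserted run-time check looks like. A pointer whose arithmetic cannot be verified statically carries the bounds of the object it points into; every dereference is preceded by a check against those bounds, so an out-of-bounds write is stopped instead of corrupting memory. The buffer sizes and the over-long input string are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of a "fat" sequence pointer: the pointer value
 * the program manipulates together with the bounds of the underlying object.
 * CCured's real representation differs; this only shows the principle. */
typedef struct {
    char *p;     /* current pointer value */
    char *base;  /* first byte of the object */
    char *end;   /* one past the last byte of the object */
} seq_ptr;

/* Wrap a buffer of n bytes in a fat pointer. */
static seq_ptr seq_make(char *buf, size_t n) {
    seq_ptr s = { buf, buf, buf + n };
    return s;
}

/* Pointer arithmetic moves only p; the bounds travel with the pointer. */
static seq_ptr seq_add(seq_ptr s, ptrdiff_t k) {
    s.p += k;
    return s;
}

/* The check inserted before a `width`-byte access: 1 if [p, p+width) lies
 * inside [base, end), 0 otherwise. Compared as integers so that a pointer
 * already past the end is handled without relying on pointer ordering. */
static int seq_check(seq_ptr s, size_t width) {
    uintptr_t p = (uintptr_t)s.p, b = (uintptr_t)s.base, e = (uintptr_t)s.end;
    if (p < b || p >= e) return 0;
    return (e - p) >= width;
}

/* Checked one-byte read: stores *p into *out only when the access is in bounds. */
static int seq_read(seq_ptr s, char *out) {
    if (!seq_check(s, 1)) return 0;
    *out = *s.p;
    return 1;
}

/* A classic legacy copy loop (copy until NUL) with the check inserted at the
 * write. Returns how many bytes were written before the check stopped it. */
static size_t checked_copy(seq_ptr dst, const char *src) {
    size_t written = 0;
    while (*src) {
        if (!seq_check(dst, 1)) break;  /* overflow caught here, not in memory */
        *dst.p = *src++;
        dst = seq_add(dst, 1);
        written++;
    }
    return written;
}

/* Over-long input into an 8-byte buffer: exactly 8 bytes land, the rest is refused. */
static size_t demo_overflow_stopped(void) {
    char buf[8];
    seq_ptr d = seq_make(buf, sizeof buf);
    return checked_copy(d, "this constructed string is longer than eight bytes");
}

/* Reading one past the end is rejected. */
static int demo_oob_read_rejected(void) {
    char buf[8] = "abcdefg", c;
    seq_ptr d = seq_make(buf, sizeof buf);
    return seq_read(seq_add(d, 8), &c);
}

/* An in-bounds read still works and returns the expected byte. */
static int demo_in_bounds_read(void) {
    char buf[8] = "abcdefg", c = 0;
    seq_ptr d = seq_make(buf, sizeof buf);
    return seq_read(seq_add(d, 6), &c) && c == 'g';
}

int main(void) {
    printf("bytes written before check fired: %zu\n", demo_overflow_stopped());
    printf("read at index 8 permitted: %d\n", demo_oob_read_rejected());
    printf("read at index 6 correct: %d\n", demo_in_bounds_read());
    return 0;
}
```

The cost the abstract refers to is visible here: the fat pointer is three words instead of one, and its layout differs from a plain `char *`, which is exactly why passing such a pointer to an uninstrumented external function needs either a wrapper or the alternative scheme in which the metadata lives in a separate, mirrored structure and the program's own data keeps its original layout.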
