Ensuring code safety without runtime checks for real-time control systems

This paper considers the problem of providing safe programming support and enabling secure online software upgrades for control software in real-time control systems. In such systems, offline techniques for ensuring code safety are greatly preferable to online techniques. We propose a language called Control-C that is essentially a subset of C, but with key restrictions designed to ensure that memory safety of code can be verified entirely by static checking, under certain system assumptions. The language permits pointer-based data structures, restricted dynamic memory allocation, and restricted array operations, without requiring any runtime checks on memory operations and without garbage collection. The language restrictions have been chosen based on an understanding of both compiler technology and the needs of real-time control systems. The paper describes the language design and a compiler implementation for Control-C. We use control codes from three different experimental control systems to evaluate the suitability of the language for these codes, the effort required to port them to Control-C, and the effectiveness of the compiler in detecting a wide range of potential security violations for one of the systems.
