Fail-safe ANSI-C compiler: An approach to making C programs secure progress report

Abstract

It is well known that programs written in C are apt to suffer from nasty errors due to dangling pointers and/or buffer overflow. In particular, such errors in Internet servers are often exploited by malicious attackers to "crack" an entire system, which becomes even social problems nowadays. Nevertheless, it is yet unrealistic to throw away the C language at once because of legacy programs and legacy programmers. To alleviate this dilemma, many approaches to safe implementations of the C language - such as Safe C and CCured - have been proposed and implemented. To our knowledge, however, none of them support all the features of the ANSI C standard and prevent all unsafe operations. (By unsafe operations, we mean any operation that leads to "undefined behavior" , such as array boundary overrun and dereference of a pointer in a wrong type.) This paper describes a memory-safe implementation of the full ANSI C language. Our implementation detects and disallows all unsafe operations, yet conforming to the full ANSI C standard (including casts and unions) and even supporting many "dirty tricks" common in programs beyond ANSI C. This is achieved using sophisticated representations of pointers (and integers) that contain dynamic type and size information. We also devise several techniques - both compile-time and runtime - to reduce the overhead of runtime checks. © Springer-Verlag Berlin Heidelberg 2003.