Into the depths of C: elaborating the de facto standards

Memarian, Kayvan; Matthiesen, Justus; Lingard, James; Nienhuis, Kyndylan; Chisnall, David; Watson, Robert N. M.; Sewell, Peter

doi:10.1145/2908080.2908081

Cited by 62 publications

(57 citation statements)

References 40 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, there is no tracking of pointer provenance [12]. Furthermore, the prototype implements some common "sloppy" [20] and "de facto" [26] extensions, such as (T *) to/from (void *) coercions. The final limitation relates to sub-object matching.…”

Section: Methodsmentioning

confidence: 99%

See 1 more Smart Citation

EffectiveSan: type and memory error detection using dynamically typed C/C++

Duck

Yap

2018

Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

Low-level programming languages with weak/static type systems, such as C and C++, are vulnerable to errors relating to the misuse of memory at runtime, such as (sub-)object bounds overflows, (re)use-after-free, and type confusion. Such errors account for many security and other undefined behavior bugs for programs written in these languages. In this paper, we introduce the notion of dynamically typed C/C++, which aims to detect such errors by dynamically checking the "effective type" of each object before use at runtime. We also present an implementation of dynamically typed C/C++ in the form of the Effective Type Sanitizer (EffectiveSan). EffectiveSan enforces type and memory safety using a combination of low-fat pointers, type meta data and type/bounds check instrumentation. We evaluate Effective-San against the SPEC2006 benchmark suite and the Firefox web browser, and detect several new type and memory errors. We also show that EffectiveSan achieves high compatibility and reasonable overheads for the given error coverage. Finally, we highlight that EffectiveSan is one of only a few tools that can detect sub-object bounds errors, and uses a novel approach (dynamic type checking) to do so.

show abstract

Section: Methodsmentioning

confidence: 99%

“…Structure types with flexible array members; and 2. Automatic coercions between types allowable under the C, "sloppy" [20] or "de facto" [26] standards. .…”

Section: Dynamic Type Check Runtimementioning

confidence: 99%

EffectiveSan: type and memory error detection using dynamically typed C/C++

Duck

Yap

2018

Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

show abstract

“…The most frequently recurring problem is that sanitizers often implement a bug finding policy or mechanism which is stricter than either the language standard or the de facto standard. The de facto standard includes widely-followed programming practices that do not necessarily comply with the language standard, even though they result in bug-free code [94]. One could therefore argue that reporting behavior that does not comply with the de facto standard as a bug constitutes a false positive detection.…”

Section: A False Positivesmentioning

confidence: 99%

SoK: Sanitizing for Security

Song

Lettner

Rajasekaran

et al. 2019

2019 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

The C and C ++ programming languages are notoriously insecure yet remain indispensable. Developers therefore resort to a multi-pronged approach to find security issues before adversaries. These include manual, static, and dynamic program analysis. Dynamic bug finding tools-henceforth "sanitizers"can find bugs that elude other types of analysis because they observe the actual execution of a program, and can therefore directly observe incorrect program behavior as it happens.A vast number of sanitizers have been prototyped by academics and refined by practitioners. We provide a systematic overview of sanitizers with an emphasis on their role in finding security issues. Specifically, we taxonomize the available tools and the security vulnerabilities they cover, describe their performance and compatibility properties, and highlight various trade-offs. class Base { virtual void func(); }; class Derived : public Base { public: int extra; }; Base b[2]; Derived * d = static_cast(&b[0]); // Bad-casting d->extra = ...; // Type-unsafe, out-of-bounds access, which // overwrites the vtable pointer of b[1]Listing 4. Bad-casting vulnerability leading to a type-and memory-unsafe memory access

show abstract

“…Our results are expected to help tool developers in prioritizing implementation effort, maintenance, and optimization of builtins. Thus, this study facilitates the development of compilers such as GCC, Clang [24], ICC, and the formally verified CompCert compiler [25,26]; of static-analysis tools such as the Clang Static Analyzer [66], splint [14,15], Frama-C [65], and uno [17]; of semantic models for C [23,31]; and of alternative execution environments and bug-finding tools such as KLEE [3], Sulong [52,56], the LLVM sanitizers [58,59], and SoftBound [36,37]. For reproducibility and verifiability, we provide the database with GCC builtin usage, test suite, tools used for the analysis, and a record of the manual decisions on https:// github.com/ jku-ssw/ gcc-builtin-study.…”

Section: Introductionmentioning

confidence: 99%

Understanding GCC builtins to develop better tools

Rigger¹,

Marr

Adams

et al. 2019

Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of

View full text Add to dashboard Cite

C programs can use compiler builtins to provide functionality that the C language lacks. On Linux, GCC provides several thousands of builtins that are also supported by other mature compilers, such as Clang and ICC. Maintainers of other tools lack guidance on whether and which builtins should be implemented to support popular projects. To assist tool developers who want to support GCC builtins, we analyzed builtin use in 4,913 C projects from GitHub. We found that 37% of these projects relied on at least one builtin. Supporting an increasing proportion of projects requires support of an exponentially increasing number of builtins; however, implementing only 10 builtins already covers over 30% of the projects. Since we found that many builtins in our corpus remained unused, the effort needed to support 90% of the projects is moderate, requiring about 110 builtins to be implemented. For each project, we analyzed the evolution of builtin use over time and found that the majority of projects mostly added builtins. This suggests that builtins are not a legacy feature and must be supported in future tools. Systematic testing of builtin support in existing tools revealed that many lacked support for builtins either partially or completely; we also discovered incorrect implementations in various tools, including the formally verified CompCert compiler. CCS CONCEPTS• Software and its engineering → Language features; Compilers.

show abstract

Into the depths of C: elaborating the de facto standards

Cited by 62 publications

References 40 publications

EffectiveSan: type and memory error detection using dynamically typed C/C++

EffectiveSan: type and memory error detection using dynamically typed C/C++

SoK: Sanitizing for Security

Understanding GCC builtins to develop better tools

Contact Info

Product

Resources

About