Ironclad C++ A Library-Augmented Type-Safe Subset of C++

Size: px

Start display at page:

Download "Ironclad C++ A Library-Augmented Type-Safe Subset of C++"

Grant Ambrose Ellis
6 years ago
Views:

1 Ironclad C++ A Library-Augmented Type-Safe Subset of C++ Christian DeLozier, Richard Eisenberg, Peter-Michael Osera, Santosh Nagarakatte*, Milo M. K. Martin, and Steve Zdancewic October 30, 2013 University of Pennsylvania *Rutgers University

2 This work licensed under the Creative Commons Attribution-Share Alike 3.0 United States License You are free: to Share to copy, distribute, display, and perform the work to Remix to make derivative works Under the following conditions: Attribution. You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work). Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under the same, similar or a compatible license. For any reuse or distribution, you must make clear to others the license terms of this work. The best way to do this is with a link to: Any of the above conditions can be waived if you get permission from the copyright holder. Apart from the remix rights granted under this license, nothing in this license impairs or restricts the author's moral rights. 2 2

Lack of Type Safety is Still a Security Problem CVE-2013-2919

66, allows remote attackers to cause a denial of service (memory

vulnerability in the mozilla::layout::scrollbaractivity function

3 Lack of Type Safety is Still a Security Problem CVE Summary: Google V8, as used in Google Chrome before , allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. Published: 10/02/2013 CVE Summary: Use-after-free vulnerability in the mozilla::layout::scrollbaractivity function in Mozilla Firefox allows remote attackers to execute arbitrary code via vectors related to image-document scrolling. Published: 09/18/2013 3

4 Transforming C++ into Ironclad C++ Performance Efficient object layout Stack allocation Developer tools Unchecked Casts void * Widely used USS C++ Dangling Pointers Buffer Overflows 4

5 Transforming C++ into Ironclad C++ Performance Efficient object layout Stack allocation Developer tools Unchecked Strong Casts static typing void * Widely used Heap-precise garbage collection Dangling Pointers Local pointers USS C++ BoundsBuffer checked Overflows Smart pointers 5

6 Enforcing Type Safety in C-Like Languages Prior works: CCured [Necula 05] and Cyclone [Jim 02] Required abstractions not provided by C RTTI, generics, and new type decorators C++ already provides safe abstractions Templates and dynamically checked casts Modern C++ code is often already strongly typed Avoids void* and unchecked casts Our approach: C++ without unsafe constructs Define a type-safe subset of C++ 6

7 Source Original C++ Code Source Code Code Changes Ironclad C++ Overview Refactor Code No Refactoring Tool Source Ironclad C++ Code Source Code Validator Is Valid? Yes (Safe?) (Safe!) Ironclad Ironclad Library Library C++ Compiler (unmodified) Executable 7

8 Checklist for Type-Safety in Ironclad C++ Strong static typing Bounds safety Heap deallocation safety Stack deallocation safety 8

9 Can we trust types in C/C++? What type does p point to? Circle* p = (Circle*)rectangle;! Circle* p... float int width radius Point height * point Point* point

10 Can we trust types in C/C++? What type does p point to? Circle* p = (Circle*)rectangle;! How many objects does p point to? Circle* p = new Circle;! Circle[2];! Circle* p... float radius Point* point float radius Point*... point... 10

ptr<square> s =! cast<square>(p);! cout << p->r;!

11 Smart Pointers for Strong Static Typing C++ Circle* p =!!new Circle(r,x,y);! Ironclad C++ ptr<circle> p =!!new_obj<circle>(r,x,y);! Square* s =! static_cast<square>(p);! ptr<square> s =! cast<square>(p);! cout << p->r;! cout << p[5].r;! cout << p->r;! cout << p[5].r;! Smart pointers disallow unchecked casts & void* Smart pointer dereference performs a null check 11

12 Checklist for Type-Safety in Ironclad C++ Strong static typing (Smart pointers, checked casts) Bounds safety Heap deallocation safety Stack deallocation safety 12

13 Smart Pointers for Bounds Safety C++ Circle* a =!!new Circle[2];! a++;! cout << a[10].r;! Ironclad C++ aptr<circle> a =!!new_array<circle>(2);! a++;! cout << a[10].r;! Bounds-checked smart pointers Includes size and index fields Dereference operators perform checking ptr and aptr allow distinction between pointers to singletons and pointers to arrays No bounds checking of pointers to singletons Previously found to be efficient [Necula 05, Jim 02] 13

14 Ironclad C++ Pointer Types ptr<t> aptr<t> Allows dereference Allows indexing X Allows pointer arithmetic X Null checked Avoids bounds check? X Size One word Three words 14

15 Checklist for Type-Safety in Ironclad C++ Strong static typing (Smart pointers, checked casts) Bounds safety (Bounds-checked smart pointers) Heap deallocation safety Stack deallocation safety 15

16 Garbage Collection for Ironclad C++ Garbage collection prevents dangling pointers Conservative garbage collection? [Boehm 88] In C++, no trustworthy type information Conservatively assume that if it looks like a pointer, it is Problem with conservative GC: memory leaks Not everything that looks like a pointer is a pointer Problem in practice [Hirzel 00, Rafkind 09] But, in Ironclad C++, we can trust the types Users provide mark() methods [Bartlett 89, Rafkind 09] Statically validate mark() methods Reduces memory overhead from 85% to 19% for leveldb Not always appropriate, but okay for many applications 16

17 Checklist for Type-Safety in Ironclad C++ Strong static typing (Smart pointers, checked casts) Bounds safety (Bounds-checked smart pointers) Heap deallocation safety (Garbage collection) Stack deallocation safety 17

18 Preventing Dangling Pointers to the Stack General approach: disallow stack allocations Java: conceptually, all objects allocated on heap For CCured: Heapification [CCured 05] Allocates any escaping stack object on heap Example case: sjeng Frequent function calls using stack arrays Heapification: 2x runtime performance GC + Heapification: 27x runtime performance! How can we provide safe stack allocation? 18

19 Local Pointers (lptr<t>) Prevent dangling pointers to the stack Avoids heapification in almost all cases Invariant. The lifetime of a pointer may not exceed the lifetime of the value that it points to. Garbage collection enforces this invariant for pointers to the heap Local pointers enforce this invariant for pointers to the stack Using a hybrid static/dynamic checking approach 19

20 Local Pointers (lptr<t>) What stack frames can a pointer point to? It s own stack frame and any earlier stack frames How can we prevent pointers from pointing to later stack frames? Only lptr<t> s can point to the stack Record the stack frame in which it was allocated Check assignment operations Statically ensure that all suspect assignments are checked Negligible performance penalty 20

21 Formalism Invariant. The lifetime of a pointer may not exceed the lifetime of the value that it points to. Formalized a core subset of Ironclad C++ Focused on local pointers Proved invariant holds for all program steps See Core Ironclad technical report #MS

22 Ironclad C++ Pointer Types ptr<t> lptr<t> aptr<t> laptr<t> Holds stack addresses? X X Allows dereference Allows indexing X Allows pointer arithmetic X Null checked Avoids bounds check? X Size (in words) One word Two words Three words Four words 22

23 Checklist for Type-Safety in Ironclad C++ Strong static typing (Smart pointers, checked casts) Bounds safety (Bounds-checked smart pointers) Heap deallocation safety (Garbage collection) Stack deallocation safety (Local pointers) 23

24 Static Validation Checks that code conforms to Ironclad C++ rules Just syntax validation, no deep analysis Rule: No raw pointers int* p; 24

25 Refactoring to Ironclad C++ 10 C/C++ benchmarks Open source key-store database (leveldb) 50k total lines of code 6% 2% 92% Untouched Automatic Manual Refactoring is a one time process 25

% Performance Overhead 50 45 40 35 30 25 20 15 10 5 0 Performance Overhead Ironclad C++

26 % Performance Overhead Performance Overhead Ironclad C++ 14% runtime performance overhead on average Overhead dominated by bounds checking (not GC) 26

27 See Paper For Handling aspects of C++ References Pointer initialization Standard libraries Multithreading Formalism Experiences refactoring to Ironclad C++ Memory overheads 27

28 Ironclad C++ Type-safe subset of C++ Static validation to ensure correctness Smart pointers: strong static typing and bounds safety Heap-precise garbage collection Local pointers Prevent dangling pointers to the stack Negligible runtime overhead Type safety in C++ can be fast 28

29 Thank you for listening! 29

30 Links

Ironclad C++: A Library-Augmented Type-Safe Subset of C++

University of Pennsylvania ScholarlyCommons Technical Reports (CIS) Department of Computer & Information Science 3-28-2013 Ironclad C++: A Library-Augmented Type-Safe Subset of C++ Christian DeLozier University