Checked C. Michael Hicks The University of Maryland joint work with David Tarditi (MSR), Andrew Ruef (UMD), Sam Elliott (UW)

Transcription

1 Checked C Michael Hicks The University of Maryland joint work with David Tarditi (MSR), Andrew Ruef (UMD), Sam Elliott (UW) UM

2 Motivation - Lots of C/C++ code out there. - One open source code indexer (openhub.net) found 8.5 billion lines of C code. - Huge investment in existing (often unsafe) code - Many approaches saving C have been proposed: - Static/dynamic analysis (ASAN, Softbound), fuzzing, OS/HWlevel mitigations - Rewrite the code in a type-safe language (Java/Rust ) - New dialects of C (Cyclone, CCured, Deputy, ) 2

3 Checked C Checked C is another take at making system software written in C more reliable and secure. Approach: - Extend C so that type-safe programs can be written in it. - A new language risks introducing unnecessary differences. - Backward compatible, support incremental conversion of code to be type-safe. - Implement in widely used C compilers (Clang/LLVM) - Create automated conversion tools - Hypothesis: most source code behaves in a type-safe fashion. - Evaluate and get real-world use. Iterate based on experience

4 Making code type safe Design Static/dynamic bounds checking for pointers and arrays Initialization of data, type casts, explicit memory management No temporal safety enforcement at present (use GC) Backward compatibility All pointers binary-compatible (no fat pointers) Strict extension (parsing) of C Like Cyclone Unlike Cyclone Unchecked and checked code can co-exist (e.g., in a function) The former can use checked types in a looser manner Can prove a blame property that characterizes isolation Can work with improving hardware designs 4

5 Clang & LLVM Checked C's Clang Frontend Analyses LLVM IR Generator LLVM Analyses Optimizations Code Generators x86 / x64 / ARM / Other Assembly 5

6 Pointers T* val = malloc(sizeof(t)); Singleton Pointer ptr<t> val = malloc(sizeof(t)); T* vals = calloc(n, sizeof(t)); T vals[n] = {... ; Array Pointer array_ptr<t> vals = calloc(n, sizeof(t)); T vals checked[n] = {... ; 6

7 Bounds Declarations Declaration array_ptr<t> p : bounds(l, u) Invariant l p < u array_ptr<t> p : count(n) p p < p+n array_ptr<t> p : byte_count(n) p p < (char*)p + n Expressions in bounds(l, u) must be non-modifying - No Assignments or Increments/Decrements - No Calls 7

8 NUL Terminated Pointers char* str = calloc(n, sizeof(char)); char str[n] = {... ; NT Array Pointer nt_array_ptr<char> str : count(n-1) = calloc(n, sizeof(char)); char str checked[n+1] = {, \0 ; nt_array_ptr<t> p : bounds(l, u) l p u && c u. *c == \0 can read *u or write \0 to it 8

9 Bounds Expansion size_t my_strlcpy( nt_array_ptr<char> dst: count(dst_sz - 1), nt_array_ptr<char> src, size_t dst_sz) { size_t i = 0; nt_array_ptr<char> s : count(i) = src; while (s[i]!= \0 && i < dst_sz - 1) { //bounds on s may expand by 1 dst[i] = s[i]; ++i; dst[i] = \0 ; //ok to write to upper bound return i; 9

10 Where Dynamic Checks Occur int i = *p; *p = 0; Pointer Dereference Assignment p[n] p->field *p += 1; Compound Assignment (*p)++; Increment/Decrement Elided if the compiler can prove the access is safe 10

11 bool echo( int16_t user_length, size_t user_payload_len, char *user_payload, resp_t *resp) { char *resp_data = malloc(user_length); resp->payload_buf = resp_data; resp->payload_buf_len = user_length; Copy data from user_payload into new buffer in resp object Example inspired by Heartbleed error // memcpy(resp->payload_buf, user_payload_buf, user_length) for (int i = 0; i < user_length; i++) { resp->payload_buf[i] = user_payload_buf[i]; return true; user_length is provided by user user_payload_len is from the parser typedef struct { size_t payload_len; char *payload; //... resp_t; 11

12 bool echo( int16_t user_length, size_t user_payload_len, char *user_payload, resp_t *resp) { char *resp_data = malloc(user_length); resp->payload = resp_data; resp->payload_len = user_length; Copy data from user_payload into new buffer in resp object // memcpy(resp->payload_buf, user_payload_buf, user_length) for (int i = 0; i malloc < user_length; could fail i++) { resp->payload_buf[i] = user_payload_buf[i]; return true; user_length is provided by user user_payload_len is from the parser typedef struct { size_t payload_len; char *payload; //... resp_t; 12

13 bool echo( int16_t user_length, size_t user_payload_len, char *user_payload, resp_t *resp) { char *resp_data = malloc(user_length); resp->payload = resp_data; resp->payload_len = user_length; Copy data from user_payload into new buffer in resp object // memcpy(resp->payload, user_payload, user_length) for (size_t i = 0; i < user_length; i++) { resp->payload[i] = user_payload[i]; return true; user_length is user_payload_len is user_length provided by could from the be parser larger than user_payload_len typedef struct { size_t payload_len; char *payload; //... resp_t; 13

14 bool echo( int16_t user_length, size_t user_payload_len, array_ptr<char> user_payload, ptr<resp_t> resp) { array_ptr<char> resp_data = malloc(user_length); resp->payload = resp_data; resp->payload_len = user_length; Step 1: Manually Convert to Checked Types // memcpy(resp->payload, user_payload, user_length) for (size_t i = 0; i < user_length; i++) { resp->payload[i] = user_payload[i]; return true; typedef struct { size_t payload_len; array_ptr<char> payload; //... resp_t; 14

15 bool echo( int16_t user_length, size_t user_payload_len, array_ptr<char> user_payload : count(user_payload_len), ptr<resp_t> resp) { array_ptr<char> resp_data : count(user_length) = malloc(user_length) resp->payload = resp_data; resp->payload_len = user_length; Step 2: Manually // memcpy(resp->payload, user_payload, user_length) for (size_t i = 0; i < user_length; Add i++) Bounds { resp->payload[i] = user_payload[i]; Declarations return true; typedef struct { size_t payload_len; array_ptr<char> payload : count(payload_len); //... resp_t; 15

16 bool echo( int16_t user_length, Step 3: size_t user_payload_len, Compiler Inserts array_ptr<char> user_payload : count(user_payload_len), ptr<resp_t> resp) { Checks Automatically array_ptr<char> resp_data : count(user_length) = malloc(user_length) dynamic_check(resp!= NULL); resp->payload = resp_data; resp->payload_len = user_length; malloc now checked // memcpy(resp->payload, user_payload, user_length) for (size_t i = 0; i < user_length; i++) { dynamic_check(user_payload!= NULL); dynamic_check(user_payload <= &user_payload[i]); dynamic_check(&user_payload[i] < user_payload + user_payload_len); dynamic_check(resp->payload!= NULL); dynamic_check(resp->payload <= &resp->payload[i]); dynamic_check(&resp->payload[i] < resp->payload + resp->payload_le resp->payload[i] = user_payload[i]; No Memory Disclosure return true; 16

17 bool echo( int16_t user_length, Step 3: size_t user_payload_len, Compiler Inserts array_ptr<char> user_payload : count(user_payload_len), ptr<resp_t> resp) { Checks Automatically array_ptr<char> resp_data : count(user_length) = malloc(user_length) Code Not Bug-Free: Will signal run-time error if either dynamic_check(resp!= NULL); resp->payload = resp_data; resp->payload_len = user_length; - malloc(user_length) fails malloc now checked // memcpy(resp->payload, user_payload, user_length) for (size_t - user_length i = 0; i < user_length; > user_payload_len i++) { dynamic_check(user_payload!= NULL); dynamic_check(user_payload <= &user_payload[i]); dynamic_check(&user_payload[i] But: Vulnerable Executions < user_payload Prevented + user_payload_len); dynamic_check(resp->payload!= NULL); dynamic_check(resp->payload <= &resp->payload[i]); dynamic_check(&resp->payload[i] < resp->payload + resp->payload_le resp->payload[i] = user_payload[i]; No Memory Disclosure return true; 17

18 Step 4: bool echo( int16_t user_length, Restrictions on bounds size_t user_payload_len, array_ptr<char> user_payload : count(user_payload_len), ptr<resp_t> resp) { expressions may allow removal array_ptr<char> resp_data : count(user_length) = malloc(user_length) dynamic_check(resp!= NULL); resp->payload = resp_data; resp->payload_len = user_length; malloc still checked dynamic_check(user_payload!= NULL); dynamic_check(resp->payload!= NULL); // memcpy(resp->payload, user_payload, user_length) for (size_t i = 0; i < user_length; i++) { dynamic_check(i <= user_payload_len); resp->payload[i] = user_payload[i]; return true; No Memory Disclosure 18

19 Partially Converted Code - We may not want (or be able) to port all at once - Can use checked types wherever we want - Allows some hard-to-prove-safe idioms - But adds risk void more(int *b, int idx, ptr<int *>out) { int oldidx = idx, c; do { c = readvalue(); b[idx++] = c; //could overflow b? while (c!= 0); *out = b+idx-oldidx; //bad if out corrupted 19

20 Checked Regions - Checked regions are scopes (or functions or files) that are internally safe. Made so by disallowing - Explicit casts to checked pointers - Reads/writes via unchecked pointers - Use of varargs, or K&R prototypes - Calls to unchecked functions - Keep in mind checked pointers can appear anywhere - Different than prior systems which strongly partition safe and unsafe code 20

21 Checked Regions void foo(int *out) { _Ptr<int> ptrout; if (out!= (int *)0) { ptrout = (_Ptr<int>)out; // cast OK else { return; checked { int b checked[5][5]; for (int i = 0; i < 5; i++) { for (int j = 0; j < 5; j++) { b[i][j] = -1; // access safe *ptrout = b[0][0]; unchecked code checked code 21

22 Blame What assurance do checked regions give us? 1. Assuming accessible pointers well-formed, checked region pointer accesses are safe 2. Checked regions preserve well-formedness 3. Hence: Checked code cannot be blamed Proved this property in a simple formalization of the Checked C type system 22

23 Checked Interfaces Annotate Unchecked Pointers with Bounds, in code and in library function prototypes T* val : itype(ptr<t>) = malloc(sizeof(t)); T* vals : count(n) = calloc(n, sizeof(t)); size_t fwrite(void *p : byte_count(s*n), size_t s, size_t n, FILE *st : itype(_ptr<file>)); 23

24 Implementation 24

25 Implementation - Extended C grammar recognized by Clang (not easy!) - Guts of the implementation includes type checking, bounds inference, subsumption checking, dynamic check insertion - Dynamic checks placed so that subsequent LLVM optimization passes can eliminate redundant ones - Put serious effort into this, to get good performance 25

26 Preliminary Evaluation - How much code must be changed to port? - How hard is it to do? - What is the overhead on the converted code? - Running time, compilation time, executable size 26

27 Experimental Setup - Olden and Ptrdist Suites: 15 Programs - Used by CCured, Deputy, others - Converted by hand - 2 Conversions Incomplete - 12 Core Intel Xeon X5650, 2.66GHz, 32GB RAM 27

28 Benchmarks Benchmark LoC Description Barnes & Hut N-body force computation Olden: bh 1,162 Olden: bisort 263 Forward & Backward Bitonic Sort Olden: em3d 478 3D Electromagnetic Wave Propagation Olden: health 389 Columbian Health Care Simulation Olden: mst 328 Minimum Spanning Tree Olden: perimeter 399 Perimeters of Regions on Images Olden: power 458 Power Pricing Optimisation Solver Olden: treeadd 180 Recursive Sum over Tree Olden: tsp 420 Travelling Salesman Problem Computes voronoi diagram of a set of points Olden: voronoi 814 Ptrdist: anagram 362 Finding Anagrams from a Dictionary Arbitrary precision calculator Minimum Spanning Tree using Fibonacci heaps Ptrdist: bc 5,194 Ptrdist: ft 893 Ptrdist: ks 552 Schweikert-Kernighan Graph Partitioning Ptrdist: yacr2 2,529 VSLI Channel Router 28

29 Code Modifications Benchmark bh bisort em3d health mst perimeter power treadd tsp anagram ft ks yacr2 14.6% 0% 10% 20% 30% Lines Modified (%) Benchmark bh bisort em3d health mst perimeter power treadd tsp anagram ft ks yacr2 10.6% bh bisort em3d health mst perimeter power treadd tsp anagram ft ks yacr2 83.9% 0% 20% 40% 60% 80% 100% Easy Modifications (%) Suite Olden Ptrdist 0% 10% 20% 30% Lines Unchecked (%) 29

30 Performance Overhead Benchmark bh bisort em3d health mst perimeter power treadd tsp anagram ft ks yacr % 20% 0% + 20% + 40% + 60% Runtime Slowdown (±%) Benchmark bh bisort em3d health mst perimeter power treadd tsp anagram ft ks yacr % bh bisort em3d health mst perimeter power treadd tsp anagram ft ks yacr2 20% 0% + 20% + 40% + 60% Executable Size Change (±%) % 25% 0% + 25% + 50% + 75% Compile Time Slowdown (±%) Suite Olden Ptrdist 30

31 In Progress - Full implementation of NUL-terminated arrays, general pointer arithmetic - Need data flow analysis to handle changing bounds via pointer arithmetic (flow-sensitive types) - Automated conversion of C code - Partially complete inference of ptr<t> types (based on CCured) - Working on inference of bounds expressions via abstract interpretation framework - Smaller stuff - Definite initialization, better subsumption checks, - More experience (and then some) - Temporal safety (longer term) 31

32 Summary - Checked C is a new effort to make C safe. Key design choices - Binary compatible with C pointers annotated with bounds declarations, not made fat - An extension, not a replacement, with a design to help reason about mixed code - Part of LLVM, to encourage production use - Focus on spatial safety for now; temporal safety via GC in meantime