Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Programming Microsoft

Microsoft Research Touts Its 'Checked C' Extension For 'Making C Safe' (microsoft.com) 181

Microsoft Research has pre-published a new paper to be presented at the IEEE Cybersecurity Development Conference 2018 describing their progress on Checked C, "an extension to C designed to support spatial safety, implemented in Clang and LLVM."

From "Checked C: Making C Safe By Extension": Checked C's design is distinguished by its focus on backward-compatibility, incremental conversion, developer control, and enabling highly performant code... Any part of a program may contain, and benefit from, checked pointers. Such pointers are binary-compatible with legacy, unchecked pointers but have explicitly annotated and enforced bounds. Code units annotated as checked regions provide guaranteed safety: The code within may not use unchecked pointers or unsafe casts that could result in spatial safety violations.

Checked C's bounds-safe interfaces provide checked types to unchecked code, which is useful for retrofitting third party and standard libraries. Together, these features permit incrementally adding safety to a legacy program, rather than making it an all-or-nothing proposition. Our implementation of Checked C as an LLVM extension enjoys good performance, with relatively low run-time and compilation overheads. It is freely available at https://github.com/Microsoft/checkedc and continues to be actively developed.

The extension is enabled as a flag passed to Clang -- the average run-time overhead introduced by adding dynamic checks was 8.6%, though in more than half of the benchmarks the overhead was less than 1%. They also note that from 2012 to 2018, buffer overruns were the leading single cause of CVEs.

Microsoft Research says they're now evaluating Checked C, formalizing a proof of its safety guarantee -- and developing a tool to semi-automatically rewrite legacy C programs.
This discussion has been archived. No new comments can be posted.

Microsoft Research Touts Its 'Checked C' Extension For 'Making C Safe'

Comments Filter:
  • Funny ... (Score:4, Informative)

    by Misagon ( 1135 ) on Saturday September 08, 2018 @06:46PM (#57277634)

    clang/LLVM had been developed in tandem with, practically for a project for making C code safer in the first place: SAFECode [illinois.edu].

    • by HiThere ( 15173 )

      Well, this isn't quite the same comment, but if the language is compatible with C, or some subset of C, couldn't you compile the "safe version", run your tests, and then, when you were satisfied, compile with standard C? Surely the answers ought to be guaranteed to be the same if there's no error.

      • by jd ( 1658 )

        You are correct.

        In the case of Verified C, it's slightly different - they've proven the optimizer will generate code that is functionally identical to the source, so you can't be sure if another compiler will generate equivalent binary.

        However, whether talking about Checked C, Verified C, SAFERCode or any other validation system, validated source is validated. Furthermore, once you've done any runtime testing and shown no errors occur when in operation, that should hold true for compiled code from any compi

      • by dryeo ( 100693 )

        I'd guess that there is a compiler switch to turn it off.

      • Well, this isn't quite the same comment, but if the language is compatible with C, or some subset of C, couldn't you compile the "safe version", run your tests, and then, when you were satisfied, compile with standard C? Surely the answers ought to be guaranteed to be the same if there's no error.

        Only for real world inputs that match your test inputs. If you compile with standard C you lose the run time checks, array bounds for example. If these check only have a 1% penalty then for many apps that might be quite acceptable.

      • by MrMr ( 219533 )
        Yes, that's what old programmers used to do: build and test with efence and valgrid, and recompile
        https://linux.die.net/man/3/li... [die.net]
        http://valgrind.org/ [valgrind.org]
        Interestingly neither of these lang standing approaches (Hi Bruce) appears to be mentioned in the IEEE paper.
        Peer review ain't what she used to be.
        • Some of us used to run lint on our code too. Is that still a thing?
        • by HiThere ( 15173 )

          IIUC efence and valgrind don't check for references beyond array bounds, but only for references beyond allocated memory. So this is different (and less expensive) than what they're proposing.

      • No, that won't work because the checks happen at runtime, not compile time ... thus the increases overhead of approximately 8%.
    • by haruchai ( 17472 )

      clang/LLVM had been developed in tandem with, practically for a project for making C code safer in the first place: SAFECode [illinois.edu].

      AT&T had a safe C variant called Cyclone but haven't heard anything about it in over a decade

      • by AmiMoJo ( 196126 )

        The problem with all these attempts to make C safe is that they tend to break all the stuff that makes C useful. Type punning is the classic example, or pointer manipulation.

        There are better languages if you need that kind of thing. For other purposes C is the only option precisely because it isn't safe.

  • by david.emery ( 127135 ) on Saturday September 08, 2018 @07:24PM (#57277770)

    How many errors are due to C syntax, e.g. "=" vs "=="?

    At what point do we finally decide that C just wasn't the best choice for large scale long lived systems?

    (And don't tell me about "experts don't make those mistakes". See, for instance https://www.researchgate.net/p... [researchgate.net] )

    • by phantomfive ( 622387 ) on Saturday September 08, 2018 @07:29PM (#57277776) Journal

      How many errors are due to C syntax, e.g. "=" vs "=="?

      I haven't seen that error in many many years. The compiler gives you a warning in most cases, when you look at code with that mistake it really jumps out at you, and if it somehow does get through the compile phase, rudimentary testing will catch it. You are testing both branches of your if statements, aren't you?

    • by gweihir ( 88907 )

      When compiling with "-Wall" and using reasonable style, basically none.

      • by theweatherelectric ( 2007596 ) on Saturday September 08, 2018 @08:28PM (#57277918)
        Why not simply use a language that avoids the problem in the first place? In Pascal, for example, you can't do an assignment inside an if test. It's a wiser design choice.
        • Because its convenient sometimes and not a problem. "Giving up convenience for things that are not a problem" may be the source of everything wrong in Pascal.
          • Because its convenient sometimes

            When?

            everything wrong in Pascal

            Like what?

            • it's convenient for functions whose result you want to check before going further.

              e.g. with file operations:

              if (NULL == (in = fopen(filename, "r"))) {
              fprintf(stderr, "cannot open input %s\n", filename); exit(2);
              } /* process input from in */

        • by gweihir ( 88907 )

          I do not use toy-languages.

    • by Jeremi ( 14640 )

      At what point do we finally decide that C just wasn't the best choice for large scale long lived systems?

      We can decide that whenever you like; unless you've got a time machine handy, it doesn't really change anything now, because all of those systems are still out there and aren't going anywhere. Even if you aren't working on the C code directly, you're likely going to want to link to a C library, or run on a C-based operating system.

      C, like the faint scent of urine on the subway, is there, and there's nothing anybody can do about it.

    • by swilver ( 617741 )

      Experts donot make that mistake. In fact, the question makes your look rather dumb.

    • Considering C is the language that the Linux kernel which runs the internet and most cell phones is written in, and it works quite well when used by professionals qualified to use it properly, never. If you make the error you cited you have no business developing such systems in any language.
    • "At what point do we finally decide that C just wasn't the best choice for large scale long lived systems?"

      So what choice should have been made... in 1972? (early days of Unix).

      Seems like it was an excellent choice for 1972 and survive nearly 50 years (i.e. your "long lived" criterion).
      Was there another choice in 1972 that was a better choice in 1972 that has shown itself to be a popular (i.e. grown in usage by leaps and bounds since 1972 or earlier) and solid choice in 2018?

  • by 0100010001010011 ( 652467 ) on Saturday September 08, 2018 @08:12PM (#57277870)

    Can anyone compare this to what Embedded has been doing for a while in functional safety?

    https://en.wikipedia.org/wiki/... [wikipedia.org]

    It's why Mathworks makes stupid money off of Polyspace Static Analyzer.

    https://www.mathworks.com/prod... [mathworks.com]

    https://www.mathworks.com/prod... [mathworks.com]

    On top of that there's also the Barr Group's Embedded C Coding Standard.

    https://barrgroup.com/Embedded... [barrgroup.com]

    • The fact that the Joint Strike Fighter's coding standards [stroustrup.com] are based on MISRA C is not a good advertisement for it. The JSF's software still doesn't work right [washingtontimes.com] and they've been working on it for 20 years. Following MISRA C didn't avoid those problems.
      • by phantomfive ( 622387 ) on Saturday September 08, 2018 @08:34PM (#57277930) Journal
        tbh honest, I don't think MISRA is that great. It's a grab-bag of miscellaneous error prevention ideas, but without a clear conception of how to avoid bugs, it prohibits some things that aren't a problem, and allows things that are.
        • by jd ( 1658 )

          Agreed. And quite a few studies of MISRA say likewise.

          There's probably a subset that is genuinely useful, simply because it does seem to work when selectively applied.

      • Bugs are not always coding errors, bugs may also be in the design and correct code of any language can manifest such design bugs
        • Of course not, but why have coding problems in addition to design problems? If you want to get your project done you always want fewer problems, not more problems.
          • The point of my post is that JSF software problems are not necessarily evidence of language based coding difficulties.

            Regarding your question of adding coding problems into the mix, the answer is a common one. Tradeoffs. For performance reasons you may need to use C. There is no universal answer to what language to use, its a matter of best fit, and sometimes that best fit is C. I realize some might argue otherwise, but I've also noticed that many people merely argue for the language they are most famili
  • by roca ( 43122 ) on Saturday September 08, 2018 @09:40PM (#57278102) Homepage

    Pretty major error right in the introduction:

    > Legacy programs would need to be ported wholesale to take advantage of these languages,

    Not true for Rust. C libraries and applications can be ported to Rust incrementally and, in fact, some examples have already been done and shipped! See Federico's work on librsvg for example: https://people.gnome.org/~fede... [gnome.org]

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Rust is a horrible clusterfuck of a language.

      Apart from a cumbersome syntax, traits hide implementation details, so you have to look up the implementation or (worse!) take a look at the implementation of a type in order to know what it will actually do memory-wise, information you need to know in order to use the type in any realistic way. Rust also doesn't have proper classes, which together with the overly complex borrow-checker makes it essentially impossible to write glue libraries to object-oriented fo

  • Comment removed based on user account deletion

Life is a whim of several billion cells to be you for a while.

Working...