the interface definition language for fail-safe c kohei suenaga, yutaka oiwa, eijiro sumii, akinori...
TRANSCRIPT
![Page 1: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/1.jpg)
The Interface Definition Language for Fail-Safe C
Kohei Suenaga, Yutaka Oiwa,Eijiro Sumii, Akinori Yonezawa
University of Tokyko
![Page 2: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/2.jpg)
International Symposium on Software Security
2
In this presentation…
We introduce the IDL for Fail-Safe C With our IDL, we can…
Easily generate wrappers for external functions
Safely interface Fail-Safe C with external functions
Our approach can be used to other safe languages
![Page 3: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/3.jpg)
International Symposium on Software Security
3
Background
![Page 4: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/4.jpg)
International Symposium on Software Security
4
Fail-Safe C
Safe implementation of C Translates C sources to fail-safe ones
Inserts safety checks such as boundary checks
Ensures safety focusing on types of objects
Prevents programs from performing unsafe operations
![Page 5: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/5.jpg)
International Symposium on Software Security
5
Problems of Fail-Safe C
Cooperation with external functions Data representation problem
Fail-Safe C uses its original data representation Cannot call external functions directly
Safety problemMany external functions require
preconditions for safety
![Page 6: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/6.jpg)
International Symposium on Software Security
6
Solution
To prepare a wrapper for each function Checks preconditions, converts
representation, …
We want to automatically generate such wrappers
![Page 7: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/7.jpg)
International Symposium on Software Security
7
Approach
Interface Definition Language (IDL) Describe preconditions and behavior of
external functions with the IDL
IDL processorInterfaceDefinition Wrappers
![Page 8: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/8.jpg)
wrapper(…){………memcpy(…)………
wrapper(…){………memcpy(…)………
int main(…){………memcpy(…)………
int main(…){………memcpy(…)………
memcpy(…){……………return;}
memcpy(…){……………return;}
ChecksPreconditionsConverts
Arguments
ConvertsReturn value
![Page 9: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/9.jpg)
International Symposium on Software Security
9
Outline of the Presentation
Safety Fail-Safe C and our IDL guarantees Internal data representation of Fail-Safe C Wrappers’ behavior Experiment Related work Future work
![Page 10: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/10.jpg)
International Symposium on Software Security
10
The Safety Fail-Safe C Guarantees
If a program attempts to perform undefined behavior, Fail-Safe C aborts the program
before the operation is performed
Not fully formal, but sufficient for our aim
![Page 11: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/11.jpg)
International Symposium on Software Security
11
The Safety Fail-Safe C Guarantees
void strcpy(char *s1, char *s2) {while (*s1++ = *s2++)
;}
Out-of-bound access may occur here
The result of out-of-bound access is
Undefined
Usual C compiler
![Page 12: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/12.jpg)
International Symposium on Software Security
12
The Safety Fail-Safe C Guarantees
void strcpy(char *s1, char *s2) {while (*s1++ = *s2++)
;}
Attempts to perform out-of-bound access
Aborts the program
Fail-Safe C compiler
![Page 13: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/13.jpg)
International Symposium on Software Security
13
The Safety Fail-Safe C Guarantees (again)
If a program attempts to perform undefined behavior, Fail-Safe C aborts the program
before the operation is performed
Not fully formal, but sufficient for our aim
![Page 14: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/14.jpg)
International Symposium on Software Security
14
The Safety our IDL Guarantees
Two assumptions Fail-Safe C does not contain bugs
The safety of Fail-Safe C does hold just before wrappers are called
Interface definitions correctly reflect the implementation of external functions
If these two assumptions hold, our IDL guarantees thatFail-Safe C’s safety holds after external functions return
![Page 15: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/15.jpg)
International Symposium on Software Security
15
Internal Data Representationof Fail-Safe C
Fail-Safe C differs from usual C in representation of… Memory blocks Pointers Integers
![Page 16: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/16.jpg)
International Symposium on Software Security
16
Internal Data Representationof Fail-Safe C
Every memory block has a header
size
Data
TypeInfo
Header
![Page 17: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/17.jpg)
International Symposium on Software Security
17
Internal Data Representationof Fail-Safe C
Every pointer is represented in 2 words
size
Data
base
offset
TypeInfo
![Page 18: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/18.jpg)
International Symposium on Software Security
18
Internal Data Representationof Fail-Safe C
Every integer is also represented in 2 words (pointers may be cast to integers)
base
offset
pointer integer
cast
![Page 19: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/19.jpg)
International Symposium on Software Security
19
Summary of Data Representation
Pointers Represented in 2 words
Integers Represented in 2 words
Memory blocks Have metadata Contents has Fail-Safe
C’s representation
Wrappers have to convert the representation of arguments
![Page 20: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/20.jpg)
International Symposium on Software Security
20
Behavior of the Wrapper of memcpy
char *memcpy(char *s1, char *s2, int n);
![Page 21: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/21.jpg)
International Symposium on Software Security
21
Behavior of the Wrapper of memcpy
char *memcpy(char *s1, char *s2, int n);
Preconditions
n > 0
1. s1 != NULL, s2 != NULL2. First n bytes of memory blocks has
to be accessible
n bytes from s1 and s2 cannot overlap each other
![Page 22: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/22.jpg)
International Symposium on Software Security
22
Behavior of the Wrapper of memcpy
char *memcpy(char *s1, char *s2, int n);
Converting representation (before call) 2-word repr. →
1-word repr.
1. Allocates new memory block in C’s image
2. Copies contents to it converting repr.
![Page 23: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/23.jpg)
International Symposium on Software Security
23
Behavior of the Wrapper of memcpy
char *memcpy(char *s1, char *s2, int n);
Converting representation (after returns)
1. Writes back update of the memory block2. Deallocates the newly allocated memory
block
Encodes return value maintaining the distance from s1
![Page 24: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/24.jpg)
International Symposium on Software Security
24
Behavior of Wrappers
1. Precondition Checking2. Decoding and Allocation
Integers are converted to 1-word repr. Allocates a memory block and copies to
it for each pointer-type argument
3. Call Safe if assumptions appeared before
hold
![Page 25: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/25.jpg)
International Symposium on Software Security
25
Behavior of Wrappers
4. Encoding and Deallocation Converts the return value to Fail-Safe
C’s repr. Reflect update of passed memory
blocks Reflect update of global variables (Fail-
Safe C allocates two regions for each global variable)
Deallocates memory blocks allocated in the wrapper
![Page 26: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/26.jpg)
International Symposium on Software Security
26
An Example of Interface Definition
Add supplemental information to C’s declaration in the form of attributes
[points_in(s1)]char *memcpy([never_null, can_access(0, n-1), write(true, 0, n-1)] char *s1,
[never_null, can_access(0, n-1)] const char *s2 int n) [precond(n > 0), no_overlap(s1, 0, n-1, s2, 0, n-1)];
![Page 27: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/27.jpg)
International Symposium on Software Security
27
Experiments
Measured overhead with four micro-benchmarks In each benchmark, we used…
Programs compiled with Fail-Safe C and used wrappers to call external functions
Programs compiled with gcc and called wrappers directly
Environment: UltraSPARC-II 400 MHz CPU, 13.0 GB RAM
![Page 28: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/28.jpg)
International Symposium on Software Security
28
Benchmark 1: succ
Takes one integer, adds 1 to it and return it
Measured time spent in calling this function 107 times as an external function
Give information about the overhead of converting integers
![Page 29: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/29.jpg)
International Symposium on Software Security
29
Benchmark 2: arraysucc
Takes an array of 107 characters Measured time spent in calling this
function once as an external function
Give information about the overhead of converting pointer-type arguments
![Page 30: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/30.jpg)
International Symposium on Software Security
30
Benchmark 3: cp
File-copying program that uses open, read and write system calls
Measured time spent in copying a 100K-byte file
Give information about the overhead of pretty practical programs
![Page 31: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/31.jpg)
International Symposium on Software Security
31
Benchmark 4: echo
A simple echo server that uses socket, bind, listen, accept, recv and send system calls (with 1K-byte buffer)
Measured time spent in sending/receiving 100K-byte data between two machines connected with 100BASE-T
Give information about the overhead under existence of network delay
![Page 32: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/32.jpg)
International Symposium on Software Security
32
Overall Result
The overhead of memory allocation is large
Execution time (msec)suc
carraysucc
cp echo
With wrappers 234 597 144 2498Without wrappers
220 200 91 2494
Overhead (%) 6 199 58 0.16
![Page 33: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/33.jpg)
International Symposium on Software Security
33
Breakdown of arraysucc
Pre Decode
Call Encode
Total
Time (msec)
0 326 110 160 596
proportion(%)
0 54.7 18.5 26.8
Time spent in each phase of arraysucc
More than half of wrapper’s execution time is spent in Decoding
and Allocation
![Page 34: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/34.jpg)
International Symposium on Software Security
34
Breakdown of cp
Execution time of each phase of read/write’s wrapper
Pre Decode
Call Encode
Total
read 1 16 46 14 77write 1 16 73 4 94Call phase takes most of time due to file access.
However, Decoding and Allocation phase takes much timein wrapper’s execution time
![Page 35: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/35.jpg)
International Symposium on Software Security
35
Overall Result (again)
Execution time (msec)
succ
arraysucc
cp echo
With wrappers 234 597 144 2498Without wrappers
220 200 91 2494
Overhead (%) 6 199 58 0.16The overhead of echo is very small
![Page 36: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/36.jpg)
International Symposium on Software Security
36
Breakdown of echo
Time spent in each phase of recv/send system calls
Pre/Decode Call Encode
Total
recv 1 2485 1 2487send 1 4 0 5
Under existence of network delay, wrappers’ overhead is relatively small
![Page 37: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/37.jpg)
International Symposium on Software Security
37
Discussion
The overhead of Decoding and Allocation is dominant
To reduce this overhead… Omit copying contents of memory
block if the block is not read Omit allocating new memory block if
the block has the same image as usual C’s one
![Page 38: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/38.jpg)
International Symposium on Software Security
38
Related Work
CamlIDL [Leroy 01], H/Direct [Finne et.al. 98] IDL for OCaml and Haskell The syntax of our IDL is based on
CamlIDL Pay less attention to safety
External function call is not always safe if preconditions do not hold
![Page 39: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/39.jpg)
International Symposium on Software Security
39
Related Work
CCured [Necula et.al. 02, Condit et.al. 03] Analyses pointer usage statically and cuts off
unnecessary safety checks Two ways to call external functions
Tell the compiler which functions are external ones Cannot check preconditions, cannot deal with memory
blocks allocated in external functions Provide wrappers for each external function
Have to write wrappers manually
![Page 40: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/40.jpg)
International Symposium on Software Security
40
Future Work
Implementing optimizations Applying our approach to existing
programs As soon as the implementation of Fail-
Safe C is complemeted Target: sendmail
![Page 41: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/41.jpg)
International Symposium on Software Security
41
Conclusion
We designed an IDL for Fail-Safe C to call external functions safely
![Page 42: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/42.jpg)
International Symposium on Software Security
42
Fin
![Page 43: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/43.jpg)
International Symposium on Software Security
43
Internal Data Representationof Fail-Safe C
TypeInfo contains typename and handler methods
size
Data
Type name
read_word()write_word()
Handler methods:Functions that access memory according to the memory block’s type
![Page 44: The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko](https://reader035.vdocuments.site/reader035/viewer/2022062407/56649c7d5503460f94931e76/html5/thumbnails/44.jpg)
International Symposium on Software Security
44
Why we don’t need to check
postconditions?