Cyclone a safe dialect of C

Transcript

1. Cyclone a safe dialect of C Prepared by: Ahmed Magdy

   Ezzeldin

2. What is CYCLONE  Cyclone is a safer dialect of

   C that is not vulnerable to buffer overflows, format string attacks, double free bugs, dangling pointer accesses, etc...  It qualifies ordinary C code with some annotations to make it safer.  Cyclone has a special C compiler named ”cyclone” (built on GCC) which supports the special annotations of Cyclone.

3. How it works Cyclone works on the following aspects to

   make C safer.  Pointers  Regions  Arrays  Structs  Unions  Exceptions  Subtyping  Other Restrictions

4. Pointers  @nullable : forces NULL-Check when dereferenced  @thin

   : 1 machine word. It does not allow pointer arithmetics.  @fat : 3 machine words. It allows pointer arithmetics forces NULL-Check and Bounds check when dereferenced.  @notnull : It can never be NULL, so it does not need a NULL- Check.  @zeroterm : It is used with strings to do safe pointer arithmetics on pointers by knowing the place of the zero byte delimiter.  @effect(`e) : used to set the memory regions that this pointer can work.  @aqual : used to define aliasability.

5. Regions  Every pointer is assigned to a region 

   Before dereferencing a pointer cyclone checks if its region is deallocated.  Helps to secure against dangling pointers.  Also important for securing against memory leaks as a data structure like a list or a queue can be assigned to one region, so when we free the region the whole data structure is freed without looping on pointers to free them.

6. Arrays  Stack Arrays like in C  Heap arrays

   using the word ”new”  Arrays of pointers all pointers must be initialized which make it safer.  Arrays can have the same annotations (qualifiers) as pointers.

7. Structs  Cyclone structs are like C structs.  Tuples

   is a form of structs that is not parameterized which means that its fields are accessed by their position (offset) $(int,char,bool) x = $(42,'z',true); if (x[2]) x[0]++;  Tuples are equivalent if they are structurally equivalent.

8. Unions  Tagged Unions: are unions that save the last

   written field identifier in a tag so that if we try to get the value of another field an exception is thrown. union T a; int x; a.String = "hello, world"; /* Next line fails */ x = a.Integer + 3;  Untagged Pointers: It has no tag to know the last written field but It does not allow to have a pointer as one of its fields to be safer.

9. Exceptions  Pointers NULL-Check and Bounds check and many other

   checks throw exceptions when they fail.  Makes it easy for the developer to write robust code and take corrective measures on error. FILE *f = fopen("/etc/passwd","r"); int c; try { c = getc((FILE *@notnull)f); } catch { case &Null_Exception: printf("Error: can't open /etc/passwd\n"); exit(1); case &Invalid_argument(s): printf("Error: Invalid_argument(%s)\n",s); exit(1); }

10. Subtyping  Cyclone allows structural subtyping which allows polymorphism which

    is not allowed in C. typedef struct Point {float x,y;} *point; typedef struct CPoint {float x,y; int color;} *cpoint; float xcoord(point p) { return p->x; }  Note that both Point and CPoint are equal in structure with the exception of the last field in CPoint.

11. Other Restrictions  Can't cast an integer to a pointer

     Can't do pointer arithmetic on a pointer unless the pointer performs bounds check  Cyclone does not permit gotos from one scope into another.  Can't explicitly free a heap-allocated object, but you can either use regions or the garbage collector to free memory.

12. References  http://cyclone.thelanguage.org:8181/  "Cyclone: A Type-Safe Dialect of C"

    by Dan Grossman, Michael Hicks, Trevor Jim, and Greg Morrisett  "Region-Based Memory Management in Cyclone" by Dan Grossman, Greg Morrisett, Trevor Jim, Michael Hicks, Yanling Wang, and James Cheney (Computer Science Department, Cornell University)

13. Thank you