A Formal Model of Checked C
We present a formal model of Checked C, a dialect of C that aims to enforce spatial memory safety. Our model pays particular attention to the semantics of dynamically sized, potentially null-terminated arrays. We formalize this model in Coq, and prove that any spatial memory safety errors can be bla...
Published in | 2022 IEEE 35th Computer Security Foundations Symposium (CSF), pp. 49-63 |
---|---|
Main Authors | Li, Liyi; Liu, Yiyun; Postol, Deena; Lampropoulos, Leonidas; Van Horn, David; Hicks, Michael |
Format | Conference Proceeding |
Language | English |
Published | IEEE, 01.08.2022 |
DOI | 10.1109/CSF54842.2022.9919657 |
Abstract | We present a formal model of Checked C, a dialect of C that aims to enforce spatial memory safety. Our model pays particular attention to the semantics of dynamically sized, potentially null-terminated arrays. We formalize this model in Coq, and prove that any spatial memory safety errors can be blamed on portions of the program labeled unchecked; this is a Checked C feature that supports incremental porting and backward compatibility. While our model's operational semantics uses annotated ("fat") pointers to enforce spatial safety, we show that such annotations can be safely erased. Using PLT Redex we formalize an executable version of our model and a compilation procedure to an untyped C-like language, as well as use randomized testing to validate that generated code faithfully simulates the original. Finally, we develop a custom random generator for well-typed and almost-well-typed terms in our Redex model, and use it to search for inconsistencies between our model and the Clang Checked C implementation. We find these steps to be a useful way to co-develop a language (Checked C is still in development) and a core model of it. |
---|---|
Author | Lampropoulos, Leonidas; Liu, Yiyun; Postol, Deena; Li, Liyi; Hicks, Michael; Van Horn, David |
Author_xml | 1. Li, Liyi (University of Maryland); 2. Liu, Yiyun (University of Pennsylvania); 3. Postol, Deena (University of Maryland); 4. Lampropoulos, Leonidas (University of Maryland); 5. Van Horn, David (University of Maryland); 6. Hicks, Michael (University of Maryland) |
CODEN | IEEPAD |
ContentType | Conference Proceeding |
DBID | 6IE 6IL CBEJK RIE RIL |
DOI | 10.1109/CSF54842.2022.9919657 |
DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings; IEEE Proceedings Order Plan All Online (POP All Online) 1998-present by volume; IEEE Xplore All Conference Proceedings; IEEE Electronic Library (IEL); IEEE Proceedings Order Plans (POP All) 1998-Present |
DatabaseTitleList | |
Database_xml | – sequence: 1 dbid: RIE name: IEEE Electronic Library (IEL) url: https://proxy.k.utb.cz/login?url=https://ieeexplore.ieee.org/ sourceTypes: Publisher |
DeliveryMethod | fulltext_linktorsrc |
EISBN | 9781665484176; 1665484179 |
EndPage | 63 |
ExternalDocumentID | 9919657 |
Genre | orig-research |
GrantInformation_xml | – fundername: Microsoft funderid: 10.13039/100004318 |
GroupedDBID | 6IE 6IL CBEJK RIE RIL |
IEDL.DBID | RIE |
IngestDate | Thu Jan 18 11:14:01 EST 2024 |
IsPeerReviewed | false |
IsScholarly | true |
Language | English |
LinkModel | DirectLink |
PageCount | 15 |
ParticipantIDs | ieee_primary_9919657 |
PublicationCentury | 2000 |
PublicationDate | 2022-Aug. |
PublicationDateYYYYMMDD | 2022-08-01 |
PublicationDate_xml | – month: 08 year: 2022 text: 2022-Aug. |
PublicationDecade | 2020 |
PublicationTitle | 2022 IEEE 35th Computer Security Foundations Symposium (CSF) |
PublicationTitleAbbrev | CSF |
PublicationYear | 2022 |
Publisher | IEEE |
Publisher_xml | – name: IEEE |
Score | 2.205245 |
SourceID | ieee |
SourceType | Publisher |
StartPage | 49 |
SubjectTerms | Analytical models; Annotations; C Semantics; Checked C; Codes; compiler verification; Computational modeling; Generators; Memory Safety; Safety; Semantics; Spatial Safety; static analysis; type soundness |
Title | A Formal Model of Checked C |
URI | https://ieeexplore.ieee.org/document/9919657 |
hasFullText | 1 |
inHoldings | 1 |
isFullTextHit | |
isPrint | |
linkProvider | IEEE |