Results 1 - 10 of 20
Beyond the PDP-11: Architectural support for a memory-safe C abstract machine
- In Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems, 2015
Cited by 3 (0 self)
We propose a new memory-safe interpretation of the C abstract machine that provides stronger protection to benefit security and debugging. Despite ambiguities in the specification intended to provide implementation flexibility, contemporary implementations of C have converged on a memory model similar to the PDP-11, the original target for C. This model lacks support for memory safety despite well-documented impacts on security and reliability. Attempts to change this model are often hampered by assumptions embedded in a large body of existing C code, dating back to the memory model exposed by the original C compiler for the PDP-11. Our experience with attempting to implement a memory-safe variant of C on the CHERI experimental microprocessor led us to identify a number of problematic idioms. We describe these as well as their interaction with existing memory safety schemes and the assumptions that they make beyond the requirements of the C model for C, by combining elements of the CHERI capability model and fat pointers, and present a softcore CPU that implements a C abstract machine that can run legacy C code with strong memory protection guarantees.
Faults in Linux 2.6
Cited by 3 (1 self)
In August 2011, Linux entered its third decade. Ten years before, Chou et al. published a study of faults found by applying a static analyzer to Linux versions 1.0 through 2.4.1. A major result of their work was that the drivers directory contained up to 7 times more of certain kinds of faults than other directories. This result inspired numerous efforts on improving the reliability of driver code. Today, Linux is used in a wider range of environments, provides a wider range of services, and has adopted a new development and release model. What has been the impact of these changes on code quality? To answer this question, we have transported Chou et al.’s experiments to all versions of Linux 2.6, released between 2003 and 2011. We find that Linux has more than doubled in size during this period, but the number of faults per line of code has been decreasing. And the fault rate of drivers is now below that of other directories, such as arch. These results can guide further development and research efforts for the decade to come. To allow updating these results as Linux evolves, we define our experimental protocol and make our checkers available.
A Formal C Memory Model Supporting Integer-Pointer Casts
Verification of a Cryptographic Primitive: SHA-256
Cited by 2 (1 self)
is an interactive proof of functional correctness in the Coq proof assistant, using the Verifiable C program logic. Verifiable C is a separation logic for the C language, proved sound w.r.t. the operational semantics for C, connected to the CompCert verified optimizing C compiler.
A Precise and Abstract Memory Model for C using Symbolic Values
Cited by 2 (0 self)
Abstract. Real life C programs are often written using C dialects which, for the ISO C standard, have undefined behaviours. In particular, according to the ISO C standard, reading an uninitialised variable has an undefined behaviour and low-level pointer operations are implementation defined. We propose a formal semantics which gives a well-defined meaning to those behaviours for the C dialect of the CompCert compiler. Our semantics builds upon a novel memory model leveraging a notion of symbolic values. Symbolic values are used by the semantics to delay the evaluation of operations and are normalised lazily to genuine values when needed. We show that the most precise normalisation is computable and that a slightly relaxed normalisation can be efficiently implemented using an SMT solver. The semantics is executable and our experiments show that the enhancements of our semantics are mandatory to give a meaning to low-level idioms such as those found in the allocation functions of a C standard library.
Mind your languages: A discussion about languages and security
- In IEEE Security and Privacy LangSec workshop, 2014
Cited by 1 (1 self)
Abstract—Following several studies conducted by the French
Conflict-Directed Graph Coverage
Abstract. Many formal method tools for increasing software reliability apply Satisfiability Modulo Theories (SMT) solvers to enumerate feasible paths in a program subject to certain coverage criteria. Examples include inconsistent code detection tools and concolic test case generators. These tools have in common that they typically treat the SMT solver as a black box, relying on its ability to efficiently search through large search spaces. However, in practice the performance of SMT solvers often degrades significantly if the search involves reasoning about complex control-flow. In this paper, we open the black box and devise a new algorithm for this problem domain that we call conflict-directed graph coverage. Our algorithm relies on two core components of an SMT solver, namely conflict-directed learning and deduction by propagation, and applies domain-specific modifications for reasoning about control-flow graphs. We implemented conflict-directed coverage and used it for detecting code inconsistencies in several large Java open-source projects with over one million lines of code in total. The new algorithm yields significant performance gains on average compared to previous algorithms and reduces the running times on hard search instances from hours to seconds.
Acknowledgements, 2004
I have benefited greatly from the help of many people. First and foremost, I would like to thank Professor Frank Calegari for his guidance and encouragement through every stage of the process. Without his extensive knowledge and incredible patience this paper would not have been possible. I would also like to thank Professor Noam Elkies for his prominent role in my mathematics education these past four years, as well as the rest of the Harvard Mathematics Department. Finally, I thank my parents for their support during the thesis process and always. This paper gives a proof of Mazur’s Theorem, which classifies the possible torsion subgroups of rational elliptic curves. We begin with a reasonably comprehensive introduction to the theory of elliptic curves, including proofs of most of the relevant results. We proceed to review many additional topics in modern number theory and algebraic geometry, including group schemes, Néron models, and modular curves. Finally,
Java Program Analysis by Symbolic Execution
Program analysis has a long history in computer science. Even when only considering the important aspect of termination analysis, in the past decades an overwhelming number of different techniques has been developed. While the programming languages considered by these approaches initially were more of theoretical importance than of practical use, recently also automated analyses for imperative programming languages like C or Java have been developed. Here, a major challenge is to deal with language constructs and concepts which do not exist in simpler languages. For example, in Java one often uses dynamic dispatch, complex object hierarchies, or side-effects with far-reaching consequences involving the global heap. In this thesis, we present a preprocessing step for Java Bytecode programs in which all such complicated language constructs are handled. This way, subsequent analyses do not need to be concerned with these, and making use of existing techniques is easy. In particular, we show how Symbolic Execution Graphs can be constructed which contain an over-approximation of all possible program runs. This way, and by taking care of having