
digitalmars.D - SoftBound

bearophile <bearophileHUGS lycos.com> writes:
"SoftBound: Highly Compatible and Complete Spatial Memory Safety for C" by 
Santosh Nagarakatte, Jianzhou Zhao, Milo M K Martin and Steve Zdancewic:
http://llvm.org/pubs/2009-06-PLDI-SoftBound.html

It's a block of about 6000 lines of C++ code that augments the LLVM compiler,
adding extra tests. It avoids out-of-bound situations with pointers. It works
after the compilation stage, on the LL code produced by LLVM, so it can be used
equally for C or D. Conceptually it looks like a simple thing. Currently it can't
be used yet, but I'd like to have a compilation flag in LDC to activate this. In
nonrelease mode some of the tests are already present (the bound tests of
arrays), so it can avoid putting them in twice (in LDC you can disable only
bound tests, and keep assertions, etc).

From the abstract:
SoftBound similarly records base and bound information for every pointer as
disjoint metadata. This decoupling enables SoftBound to provide spatial safety
without requiring changes to C source code. Unlike HardBound, SoftBound is a
software-only approach and performs metadata manipulation only when loading or
storing pointer values. A formal proof shows that this is sufficient to provide
spatial safety even in the presence of arbitrary casts. SoftBound's full
checking mode provides complete spatial violation detection with 67% runtime
overhead on average. To further reduce overheads, SoftBound has a store-only
checking mode that successfully detects all the security vulnerabilities in a
test suite at the cost of only 21% runtime overhead on average.

Bye, bearophile
Oct 01 2009
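A small model of the scheme the abstract describes (base/bound carried next to each pointer, metadata written to a disjoint table only when a pointer is itself stored to memory, and the cheaper store-only mode), as an added C example for this thread. It is not SoftBound's runtime and not code from the paper; the `bptr` struct, the 64-slot shadow table and the two demo functions are illustration choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustration of the SoftBound idea, written for this thread (not
   SoftBound's own runtime).  Base/bound travel with the pointer in
   registers; here they are bundled in a struct for readability. */
typedef struct {
    void *ptr;
    void *base;   /* first byte the pointer may access */
    void *bound;  /* one past the last byte it may access */
} bptr;

/* Disjoint metadata for pointers that live in memory.  Keyed by the ADDRESS
   of the pointer-sized slot, never by the pointer value, so the program's
   data layout is untouched.  Real SoftBound uses a trie/hash table; open
   addressing without deletion is enough for a demo. */
#define SHADOW_SLOTS 64
typedef struct { void **loc; void *base; void *bound; int used; } shadow_entry;
static shadow_entry shadow[SHADOW_SLOTS];

static shadow_entry *shadow_find(void **loc, int create) {
    size_t i = ((uintptr_t)loc / sizeof(void *)) % SHADOW_SLOTS;
    for (size_t n = 0; n < SHADOW_SLOTS; n++, i = (i + 1) % SHADOW_SLOTS) {
        if (shadow[i].used && shadow[i].loc == loc) return &shadow[i];
        if (!shadow[i].used) {
            if (!create) return NULL;
            shadow[i].used = 1;
            shadow[i].loc = loc;
            return &shadow[i];
        }
    }
    return NULL;  /* table full */
}

/* Store-only mode: the paper's cheaper configuration, loads go unchecked. */
static int store_only = 0;

/* Spatial check inserted before an access of `size` bytes through p.
   Written so that a pointer past `bound` cannot pass via wraparound. */
static int sb_check(bptr p, size_t size) {
    uintptr_t a = (uintptr_t)p.ptr, b = (uintptr_t)p.base, e = (uintptr_t)p.bound;
    return a >= b && a <= e && size <= e - a;
}
static int sb_check_load(bptr p, size_t size) { return store_only || sb_check(p, size); }

/* Pointer store: check the destination, write the value, then record the
   value's base/bound under the destination address.  Returns 0 if refused. */
static int sb_store_ptr(bptr dst, bptr value) {
    if (!sb_check(dst, sizeof(void *))) return 0;
    *(void **)dst.ptr = value.ptr;
    shadow_entry *e = shadow_find((void **)dst.ptr, 1);
    if (!e) return 0;
    e->base = value.base;
    e->bound = value.bound;
    return 1;
}

/* Pointer load: read the value, look its metadata up by source address.  A
   slot with no metadata yields an empty range, so later use fails the check. */
static bptr sb_load_ptr(bptr src) {
    bptr r = { NULL, NULL, NULL };
    if (!sb_check_load(src, sizeof(void *))) return r;
    r.ptr = *(void **)src.ptr;
    shadow_entry *e = shadow_find((void **)src.ptr, 0);
    if (e) { r.base = e->base; r.bound = e->bound; }
    return r;
}

/* Arithmetic and casts move only the value; base/bound are copied as-is. */
static bptr sb_offset(bptr p, ptrdiff_t n) {
    bptr r = { (char *)p.ptr + n, p.base, p.bound };
    return r;
}

/* Demo 1: an 8-byte buffer whose pointer is parked in a void* slot in memory,
   reloaded, then used at index 7 (legal) and index 8 (one past the end).
   Returns 1 when the first passes and the second is caught. */
static int demo_full_checking(void) {
    char buf[8];
    void *slot;                                         /* ordinary memory */
    bptr p      = { buf, buf, buf + sizeof buf };       /* from allocation */
    bptr slot_p = { &slot, &slot, (char *)&slot + sizeof slot };
    store_only = 0;
    if (!sb_store_ptr(slot_p, p)) return 0;
    bptr q = sb_load_ptr(slot_p);                       /* metadata comes back */
    if (q.ptr != buf) return 0;
    return sb_check(sb_offset(q, 7), 1) == 1 && sb_check(sb_offset(q, 8), 1) == 0;
}

/* Demo 2: the store-only trade-off.  A pointer load one slot past a two-slot
   array is no longer checked, but the matching store still is.
   Returns 1 when the load slips through and the store is refused. */
static int demo_store_only(void) {
    void *arr[2] = { NULL, NULL };
    bptr a    = { arr, arr, arr + 2 };
    bptr past = sb_offset(a, (ptrdiff_t)(2 * sizeof(void *)));
    store_only = 1;
    int load_unchecked = sb_check_load(past, sizeof(void *));   /* 1: slipped */
    int store_caught   = sb_store_ptr(past, a) == 0;            /* 1: refused */
    store_only = 0;
    return load_unchecked && store_caught;
}

int main(void) {
    printf("full checking catches buf[8]: %s\n", demo_full_checking() ? "yes" : "no");
    printf("store-only skips the load, blocks the store: %s\n", demo_store_only() ? "yes" : "no");
    return 0;
}
```

The point worth noticing is that `demo_full_checking` never inspects the static type of the slot: the pointer passes through a plain `void *` and comes back with the same base/bound, which is why the scheme survives casts. `demo_store_only` deliberately does not perform the out-of-bounds load (that would be real undefined behaviour); it only shows that the check on it is skipped in that mode.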
Walter Bright <newshound1 digitalmars.com> writes:
bearophile wrote:
 "SoftBound: Highly Compatible and Complete Spatial Memory Safety for
 C" by  Santosh Nagarakatte, Jianzhou Zhao, Milo M K Martin and Steve
 Zdancewic: http://llvm.org/pubs/2009-06-PLDI-SoftBound.html
 
 It's a block of about 6000 lines of C++ code that augments the LLVM
 compiler, adding extra tests. It avoids out-of-bound situations with
 pointers. It works after the compilation stage, on the LL code
 produced by LLVM, so it can be used equally for C or D. Conceptually
 it looks like a simple thing. Currently it can't be used yet, but I'd
 like to have a compilation flag in LDC to activate this. In nonrelease
 mode some of the tests are already present (the bound tests of
 arrays), so it can avoid putting them in twice (in LDC you can disable
 only bound tests, and keep assertions, etc).

I don't think there's much point to this in D. You rarely need to deal with pointers directly. Arrays are already checked.
Oct 01 2009
bearophile <bearophileHUGS lycos.com> writes:
Walter Bright:

 I don't think there's much point to this in D. You rarely need to deal 
 with pointers directly. Arrays are already checked.

In D pointers are quite a bit less common than in C, but half of the point of
using D is to be able to use pointers too, when you want to implement your own
data structures; otherwise it may be better to just use Java in the first place.
So in my opinion adding optional safeties to D pointers can be useful.

The good things about the design of SoftBound are that it looks simple to
implement (and LDC may probably just use/adapt the already existing
implementation), it's logically sound, it doesn't change the behaviour of the
C/D program and works with most or all programs, it's safe, it doesn't need
changes to the source code of programs to be used, and the performance & memory
overhead it introduces is usually acceptable in nonrelease mode (there are two
different usage modes). I have seen more than ten similar systems for C; this
one looks simple and effective enough.

Bye, bearophile
Oct 01 2009