
Interprocedural and Flow-Sensitive Type Analysis for Memory and Type Safety of C Code

Journal of Automated Reasoning

Abstract

Explicit memory management and type conversion give the C language the flexibility and performance that make it the de facto language for system programming. However, these appealing features come at the cost of program safety. Because C is so permissive, even highly skilled but inattentive programmers often introduce insidious programming errors that yield exploitable code. In this paper, we present a novel type and effect analysis for detecting memory and type errors in C source code. We extend the standard C type system with effect, region, and host annotations that carry safety information, and we define static safety checks that detect safety errors using these annotations. Our analysis runs in an intraprocedural phase and an interprocedural phase. The flow-sensitive and alias-sensitive intraprocedural phase propagates type annotations and applies the safety checks at each program point. The interprocedural phase generates and propagates unification constraints on type annotations across function boundaries. We present an inference algorithm that infers the type annotations and applies the safety checks automatically, without programmer interaction.
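To make the two phases concrete, the following Python sketch is an added illustration written for this page; it is not the authors' analysis and not their inference algorithm. It models only the memory-safety side of the abstract: variables are bound to region identifiers (aliases share a region), each region carries a flow-sensitive live/freed state that is updated at every statement, and each callee is summarised by which parameter regions it frees and which region it returns, so that call sites in the caller pick up those effects. The mini-IR, the `Summary` class, `run_function`, `analyse` and the sample program are all constructed for the example; host annotations, type conversions, loops and recursion are left out (assumption: the call graph is acyclic and bodies are straight-line).

```python
"""Toy flow- and alias-sensitive memory-state analysis (added illustration,
not the paper's algorithm).  Mini-IR statement forms (all hypothetical):
  ("alloc", x)            x = malloc(...)
  ("free", x)             free(x)
  ("assign", x, y)        x = y            (x and y now alias one region)
  ("deref", x)            *x               (read or write through x)
  ("call", f, [a..], r)   r = f(a..)       (r may be None)
  ("ret", x)              return x
"""
from dataclasses import dataclass, field


@dataclass
class Summary:
    """Interprocedural summary: parameter indices the callee frees, and what
    it returns (a parameter index, "fresh" heap memory, or None)."""
    frees: set = field(default_factory=set)
    returns: object = None


def run_function(program, name, visit):
    """Flow-sensitive walk over one function body; returns (errors, Summary).
    visit(callee) yields the callee's (errors, Summary) on demand."""
    params, body = program[name]
    env = {}      # variable -> region id; aliases map to the same region
    state = {}    # region id -> "live" | "freed"
    counter = 0
    for i, p in enumerate(params):          # parameters get their own regions
        env[p] = ("param", i)               # so effects on them reach callers
        state[("param", i)] = "live"
    errors, summary = [], Summary()

    def kill(region, why, idx):             # free a region, reporting double frees
        if state[region] == "freed":
            errors.append((name, idx, f"double free {why}"))
        state[region] = "freed"
        if region[0] == "param":
            summary.frees.add(region[1])

    for idx, stmt in enumerate(body):
        op = stmt[0]
        if op == "alloc":
            counter += 1
            region = ("heap", name, counter)
            env[stmt[1]], state[region] = region, "live"
        elif op == "assign":
            env[stmt[1]] = env[stmt[2]]     # alias: share the region, no copy
        elif op == "deref":
            if state[env[stmt[1]]] == "freed":
                errors.append((name, idx, f"use after free through {stmt[1]}"))
        elif op == "free":
            kill(env[stmt[1]], f"through {stmt[1]}", idx)
        elif op == "call":
            _, callee, args, ret = stmt
            _, callee_summary = visit(callee)
            arg_regions = [env[a] for a in args]
            for i in sorted(callee_summary.frees):   # apply callee effects here
                kill(arg_regions[i], f"via call to {callee}", idx)
            if ret is not None:
                if isinstance(callee_summary.returns, int):
                    region = arg_regions[callee_summary.returns]
                else:                                # "fresh" or unknown result
                    counter += 1
                    region = ("heap", callee, counter)
                    state[region] = "live"
                env[ret] = region
        elif op == "ret":
            region = env[stmt[1]]
            if state[region] == "freed":
                errors.append((name, idx, f"returning freed pointer {stmt[1]}"))
            elif region[0] == "param":
                summary.returns = region[1]
            else:
                summary.returns = "fresh"
        else:
            raise ValueError(f"unknown statement {stmt!r}")
    return errors, summary


def analyse(program):
    """Analyse each function once (memoised); return (function, index, message)."""
    memo = {}

    def visit(fn):
        if fn not in memo:
            memo[fn] = ([], Summary())     # placeholder: a recursive call sees no effects
            memo[fn] = run_function(program, fn, visit)
        return memo[fn]

    for fn in program:
        visit(fn)
    return [err for fn in program for err in memo[fn][0]]


# Constructed sample program in the mini-IR (not from the paper).
PROGRAM = {
    # void release(char *p) { free(p); }
    "release": (["p"], [("free", "p")]),
    # char *make(void) { char *b = malloc(N); return b; }
    "make": ([], [("alloc", "b"), ("ret", "b")]),
    # void user(void) { char *a = make(); char *alias = a;
    #                   release(a); *alias = 0; free(alias); }
    "user": ([], [
        ("call", "make", [], "a"),
        ("assign", "alias", "a"),
        ("call", "release", ["a"], None),   # frees a's region through the summary
        ("deref", "alias"),                 # use after free, visible only via aliasing
        ("free", "alias"),                  # double free
    ]),
    # void safe(void) { char *q = make(); *q = 0; release(q); }
    "safe": ([], [("call", "make", [], "q"), ("deref", "q"),
                  ("call", "release", ["q"], None)]),
}

if __name__ == "__main__":
    for fn, idx, msg in analyse(PROGRAM):
        print(f"{fn}: statement {idx}: {msg}")
```

Running it reports the use after free at statement 3 and the double free at statement 4 of `user`, both of which need the alias relation and the summary of `release` to be visible, while `safe` produces no report. The paper's annotations are richer (effects, regions and host annotations are unified across calls rather than read off a hand-built summary), but the division of labour between a per-point intraprocedural state and a per-function interprocedural summary is the same shape.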



Corresponding author

Correspondence to Syrine Tlili.

Additional information

This research is the result of a fruitful collaboration between CSL (Computer Security Laboratory) of Concordia University, DRDC (Defense Research and Development Canada) Valcartier and Bell Canada under the NSERC DND Research Partnership Program.


Cite this article

Tlili, S., Debbabi, M. Interprocedural and Flow-Sensitive Type Analysis for Memory and Type Safety of C Code. J Autom Reasoning 42, 265–300 (2009). https://doi.org/10.1007/s10817-009-9121-1
