DOI: 10.1145/1449764.1449791
Research article

Safer unsafe code for .NET

Published: 19 October 2008

Abstract

The .NET intermediate language (MSIL) allows expressing both statically verifiable memory- and type-safe code (typically called managed code) and unsafe code that uses direct pointer manipulation. Unsafe code can be expressed in C# by marking regions of code as unsafe. Writing unsafe code can be useful where the rules of managed code are too strict. The obvious drawback of unsafe code is that it opens the door to programming errors typical of C and C++, namely memory access errors such as buffer overruns. Worse, a single piece of unsafe code may corrupt memory and destabilize the entire runtime, or allow attackers to compromise the security of the platform.
We present a new static analysis based on abstract interpretation to check memory safety for unsafe code in the .NET framework. The core of the analysis is a new numerical abstract domain, Strp, which is used to efficiently compute memory invariants. Strp is combined with lightweight abstract domains to raise the precision while retaining scalability.
We implemented this analysis in Clousot, a generic static analyzer for .NET. In combination with contracts expressed in FoxTrot, an MSIL-based annotation language for .NET, our analysis provides static safety guarantees on memory accesses in unsafe code. We tested it on all the assemblies of the .NET framework. We compare our results with those obtained using existing domains, showing how they are either too imprecise (e.g., Intervals or Octagons) or too expensive (Polyhedra) to be used in practice.



Published In

OOPSLA '08: Proceedings of the 23rd ACM SIGPLAN conference on Object-oriented programming systems languages and applications
October 2008
654 pages
ISBN: 9781605582153
DOI: 10.1145/1449764

ACM SIGPLAN Notices, Volume 43, Issue 10
September 2008
613 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/1449955

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. .NET
  2. abstract domains
  3. abstract interpretation
  4. bounds checking
  5. design by contract
  6. pointer indexing
  7. static analysis

Conference

OOPSLA08

Acceptance Rates

Overall Acceptance Rate 268 of 1,244 submissions, 22%


Cited By

  • (2024) Performance Measurement in Optimizing Customer Relationship Management Systems through Robotic Process Automation with FlaUI. 2024 7th International Conference on Information and Computer Technologies (ICICT), pages 549-556. DOI: 10.1109/ICICT62343.2024.00096. Online publication date: 15-Mar-2024.
  • (2022) Relational String Abstract Domains. Verification, Model Checking, and Abstract Interpretation, pages 20-42. DOI: 10.1007/978-3-030-94583-1_2. Online publication date: 14-Jan-2022.
  • (2016) An approach to error correction in program code using dynamic optimization in a virtual execution environment. The Journal of Supercomputing, 72(3):845-873. DOI: 10.1007/s11227-015-1616-4. Online publication date: 1-Mar-2016.
  • (2013) Practical specification and verification with code contracts. ACM SIGAda Ada Letters, 33(3):7-8. DOI: 10.1145/2658982.2534188. Online publication date: 10-Nov-2013.
  • (2013) Practical specification and verification with code contracts. Proceedings of the 2013 ACM SIGAda annual conference on High integrity language technology, pages 7-8. DOI: 10.1145/2527269.2534188. Online publication date: 10-Nov-2013.
  • (2013) Theories, solvers and static analysis by abstract interpretation. Journal of the ACM, 59(6):1-56. DOI: 10.1145/2395116.2395120. Online publication date: 9-Jan-2013.
  • (2011) Generalizing the template polyhedral domain. Proceedings of the 20th European conference on Programming languages and systems: part of the joint European conferences on theory and practice of software, pages 176-195. DOI: 10.5555/1987211.1987221. Online publication date: 26-Mar-2011.
  • (2011) Practical verification for the working programmer with codecontracts and abstract interpretation. Proceedings of the 12th international conference on Verification, model checking, and abstract interpretation, pages 19-22. DOI: 10.5555/1946284.1946287. Online publication date: 23-Jan-2011.
  • (2011) SubPolyhedra: a family of numerical abstract domains for the (more) scalable inference of linear inequalities. International Journal on Software Tools for Technology Transfer, 13(6):585-601. DOI: 10.1007/s10009-011-0199-5. Online publication date: 24-May-2011.
  • (2011) The Reduced Product of Abstract Domains and the Combination of Decision Procedures. Foundations of Software Science and Computational Structures, pages 456-472. DOI: 10.1007/978-3-642-19805-2_31. Online publication date: 2011.
