Cyclone a safe dialect of C

Prepared by: Ahmed Magdy Ezzeldin

What is CYCLONE

Cyclone is a safer dialect of C that is not vulnerable to buffer overflows, format string attacks, double free bugs, dangling pointer accesses, etc...

It qualifies ordinary C code with some annotations to make it safer.

Cyclone has a special C compiler named ”cyclone” (built on GCC) which supports the special annotations of Cyclone.

How it works

Cyclone works on the following aspects to make C safer.

Pointers

Regions

Arrays

Structs

Unions

Exceptions

Subtyping

Other Restrictions

Pointers

@nullable : forces NULL-Check when dereferenced

@thin : 1 machine word. It does not allow pointer arithmetics.

@fat : 3 machine words. It allows pointer arithmetics forces NULL-Check and Bounds check when dereferenced.

@notnull : It can never be NULL, so it does not need a NULL-Check.

@zeroterm : It is used with strings to do safe pointer arithmetics on pointers by knowing the place of the zero byte delimiter.

@effect(`e) : used to set the memory regions that this pointer can work.

@aqual : used to define aliasability.

Regions

Every pointer is assigned to a region Before dereferencing a pointer cyclone checks

if its region is deallocated. Helps to secure against dangling pointers. Also important for securing against memory

leaks as a data structure like a list or a queue can be assigned to one region, so when we free the region the whole data structure is freed without looping on pointers to free them.

Arrays

Stack Arrays like in C Heap arrays using the word ”new” Arrays of pointers all pointers must be

initialized which make it safer. Arrays can have the same annotations

(qualifiers) as pointers.

Structs

Cyclone structs are like C structs. Tuples is a form of structs that is not

parameterized which means that its fields are accessed by their position (offset)

$(int,char,bool) x = $(42,'z',true); if (x[2]) x[0]++;

Tuples are equivalent if they are structurally equivalent.

Unions

Tagged Unions: are unions that save the last written field identifier in a tag so that if we try to get the value of another field an exception is thrown.union T a;

int x;

a.String = "hello, world";

/* Next line fails */

x = a.Integer + 3;

Untagged Pointers: It has no tag to know the last written field but It does not allow to have a pointer as one of its fields to be safer.

Exceptions

Pointers NULL-Check and Bounds check and many other checks throw exceptions when they fail.

Makes it easy for the developer to write robust code and take corrective measures on error.FILE *f = fopen("/etc/passwd","r"); int c;

try {

c = getc((FILE *@notnull)f);

} catch {

case &Null_Exception:

printf("Error: can't open /etc/passwd\n"); exit(1);

case &Invalid_argument(s):

printf("Error: Invalid_argument(%s)\n",s); exit(1);

}

Subtyping

Cyclone allows structural subtyping which allows polymorphism which is not allowed in C.

typedef struct Point {float x,y;} *point;

typedef struct CPoint {float x,y; int color;} *cpoint;

float xcoord(point p) {

return p->x;

}

Note that both Point and CPoint are equal in structure with the exception of the last field in CPoint.

Other Restrictions

Can't cast an integer to a pointer Can't do pointer arithmetic on a pointer unless

the pointer performs bounds check Cyclone does not permit gotos from one scope

into another. Can't explicitly free a heap-allocated object,

but you can either use regions or the garbage collector to free memory.

References

http://cyclone.thelanguage.org:8181/ "Cyclone: A Type-Safe Dialect of C" by Dan

Grossman, Michael Hicks, Trevor Jim, and Greg Morrisett

"Region-Based Memory Management in Cyclone" by Dan Grossman, Greg Morrisett, Trevor Jim, Michael Hicks, Yanling Wang, and James Cheney (Computer Science Department, Cornell University)

Thank you