Download - Cyclcone a safe dialect of C
Cyclone a safe dialect of C
Prepared by: Ahmed Magdy Ezzeldin
What is CYCLONE
Cyclone is a safer dialect of C that is not vulnerable to buffer overflows, format string attacks, double free bugs, dangling pointer accesses, etc...
It qualifies ordinary C code with some annotations to make it safer.
Cyclone has a special C compiler named ”cyclone” (built on GCC) which supports the special annotations of Cyclone.
How it works
Cyclone works on the following aspects to make C safer.
Pointers
Regions
Arrays
Structs
Unions
Exceptions
Subtyping
Other Restrictions
Pointers
@nullable : forces NULL-Check when dereferenced
@thin : 1 machine word. It does not allow pointer arithmetics.
@fat : 3 machine words. It allows pointer arithmetics forces NULL-Check and Bounds check when dereferenced.
@notnull : It can never be NULL, so it does not need a NULL-Check.
@zeroterm : It is used with strings to do safe pointer arithmetics on pointers by knowing the place of the zero byte delimiter.
@effect(`e) : used to set the memory regions that this pointer can work.
@aqual : used to define aliasability.
Regions
Every pointer is assigned to a region Before dereferencing a pointer cyclone checks
if its region is deallocated. Helps to secure against dangling pointers. Also important for securing against memory
leaks as a data structure like a list or a queue can be assigned to one region, so when we free the region the whole data structure is freed without looping on pointers to free them.
Arrays
Stack Arrays like in C Heap arrays using the word ”new” Arrays of pointers all pointers must be
initialized which make it safer. Arrays can have the same annotations
(qualifiers) as pointers.
Structs
Cyclone structs are like C structs. Tuples is a form of structs that is not
parameterized which means that its fields are accessed by their position (offset)
$(int,char,bool) x = $(42,'z',true); if (x[2]) x[0]++;
Tuples are equivalent if they are structurally equivalent.
Unions
Tagged Unions: are unions that save the last written field identifier in a tag so that if we try to get the value of another field an exception is thrown.union T a;
int x;
a.String = "hello, world";
/* Next line fails */
x = a.Integer + 3;
Untagged Pointers: It has no tag to know the last written field but It does not allow to have a pointer as one of its fields to be safer.
Exceptions
Pointers NULL-Check and Bounds check and many other checks throw exceptions when they fail.
Makes it easy for the developer to write robust code and take corrective measures on error.FILE *f = fopen("/etc/passwd","r"); int c;
try {
c = getc((FILE *@notnull)f);
} catch {
case &Null_Exception:
printf("Error: can't open /etc/passwd\n"); exit(1);
case &Invalid_argument(s):
printf("Error: Invalid_argument(%s)\n",s); exit(1);
}
Subtyping
Cyclone allows structural subtyping which allows polymorphism which is not allowed in C.
typedef struct Point {float x,y;} *point;
typedef struct CPoint {float x,y; int color;} *cpoint;
float xcoord(point p) {
return p->x;
}
Note that both Point and CPoint are equal in structure with the exception of the last field in CPoint.
Other Restrictions
Can't cast an integer to a pointer Can't do pointer arithmetic on a pointer unless
the pointer performs bounds check Cyclone does not permit gotos from one scope
into another. Can't explicitly free a heap-allocated object,
but you can either use regions or the garbage collector to free memory.
References
http://cyclone.thelanguage.org:8181/ "Cyclone: A Type-Safe Dialect of C" by Dan
Grossman, Michael Hicks, Trevor Jim, and Greg Morrisett
"Region-Based Memory Management in Cyclone" by Dan Grossman, Greg Morrisett, Trevor Jim, Michael Hicks, Yanling Wang, and James Cheney (Computer Science Department, Cornell University)
Thank you