the fail-safe c to java translator

The Fail-Safe C to Java translator

Yuhki Kamijima (Tohoku Univ.)

2

Background

The programming language C does not

guarantee memory safety This is the cause of memory attacks

ex. buffer overflow attacks

Attackers can obtain root privilege and operate freely

We want to execute C programs safely!

3

Background

How can we achieve memory safety? Point : Java is memory safe

We use Java to guarantee memory safety

4

Goal

Source to source, C to Java translation

with memory safety and ANSI conformance Save a lot of work spent on rewriting programs Java rejects dangerous programs

Prevent memory bugs and attacks

5

Summary

We propose one way of translating C to Java Well-defined operations

→ simulate by using objects Unsafe (= undefined) operations

→ raise an exceptionPointer operations

Represent pointers and memory blocks as Java objectsSimulate pointer operations by using these objects

CastsUse access methods to access memory blocks

Enables access by different types

6

Outline

C to Java translation by using Java objects Representation of pointer operations Examples of translation

Class details Fat pointer, block Access methods Fat integer

Implementation of the translator Experiments and considerations Related work Conclusion and future work

7

Representation of pointer operations

C : A pointer points to a memory block

Java : The object representing a pointer refers to

an object representing a memory block

C Java

memory objectspointer

8

Pointer : FatPointer Fields : base, offset

1 word memory block : FatBlock Field : contents Method : access methods

Java classes

FatPointer

base offset

accessmethods

FatBlock

contents

9

Regard variables as one element arrays

Examples of translation : declaration

int *p = NULL ;int a[3] ;

FatBlock p = new FatBlock(1) ;FatBlock a = new FatBlock(3) ;

accessmethods

aaccess

methodsp

10

Address operation

p = &a[1] ;

p.writeFat(0*4, new FatPointer(a, 1*4)) ;

0 4 8

p

4

a accessmethods

baseoffset

accessmethods

virtual offset 0

generate a new pointer which points to offset 4 of a

readFatwriteFat…

11

Address operation

p = &a[1] ;

p.writeFat(0*4, new FatPointer(a, 1*4)) ;access method for 1 word write

write the pointer on offset 0 of p

0 4 8

p a accessmethods

baseoffset

virtual offset 0

4access

methodsreadFat

…writeFat

12

i = p.readFat(0*4) ; new FatPointer(i.base, i.offset+1*4) ;1 word read

Addition of pointer and integer

p + 1; read the pointer contained at offset 0 of p

0 4 8

p a accessmethods

offset

virtual offset 0

4i base

4access

methods writeFat…

readFat

13

i = p.readFat(0*4) ; new FatPointer(i.base, i.offset+1*4) ;

Addition of pointer and integer

p + 1;

0 4 8

p a accessmethods

offset

virtual offset 0

8 base

make a new pointer which points to offset 8 of a

4access

methodsreadFatwriteFat…

14

*(char *)(&a[1]) ;

Cast

i = new FatPointer(a, 1*4) ; i.base.readByte(i.offset) ;

4

a

virtual offset 0 4 8

0x12345678

i

create a new pointer which points to offset 4 of a

readByteaccessmethods

readFatwriteFat…writeByte

15

*(char *)(&a[1]) ;

Cast

i = new FatPointer(a, 1*4) ; i.base.readByte(i.offset) ;1 byte read

4

a

virtual offset 0 4 8

0x12345678

i

offset 4

0x12

read 1 byte of data from the location i points to

accessmethods

readFatwriteFat…writeByte

readByte

16

Outline

C to Java translation by using Java objects Representation of pointer operations Examples of translation

Class details Fat pointer, block Access methods Fat integer

Implementation of the translator Experiments and considerations Related work Conclusion and future work

17

Pointer operation

How to simulate a pointer which points to the

middle of a memory block? References in Java cannot point to the middle of

an object

JavaC

→ Use fat pointers×

18

Fat Pointer [Austin et al. 94] [Oiwa et al. 01] et al.

Represent a pointer as two words base : always points to the front of a memory block offset : contains an integer meaning the distance from

base to the address pointed to by the pointer

base offset means 8 byte distance

offset 0 4 8 12 16 20 24 28 32

8

the location we want to point to

19

FatPointer class

Simulate fat pointers in Java base : refers to a Block object offset : contains an integer

FatPointer

Block

accessmethods contents

virtual offset 0 4 8 12 16 20 24 28 32

base offset

8

20

Block abstract class

Simulate memory blocks contents : contains an array of data objects access methods : deal with memory accesses

Has concrete subclasses

・・・

Block (abstract)

accessmethods contents

ByteBlock

accessmethods

FatBlock

accessmethods

: FatPointer object : Byte object (1 byte of data)

21

Access methods

Memory accesses are implemented using

access methods Block class has several methods for

reading and writingreadFat : 1 word read

writeFat : 1 word write

readByte : 1 byte read

writeShort : 2 byte write

… Enables memory accesses by different types

contentsreadShortreadByteaccess

methodsreadFatwriteFat… writeByte writeShort

22

Fat Integer [Oiwa et al. 01]

Represent integers by two words Pointers are also integers in C,

generally expressed with 1 word We represent integers by objects

FatInt class base : always null offset : contains integer

FatInt

base offset

5null

23

Fat class

Common parent class of FatPointer and FatInt FatBlock contents contains Fat objects

FatPointer or FatInt

Fat (abstract)

base offset

FatPointer

base offset

FatInt

base offset

accessmethods

FatBlock

24

Outline

C to Java translation by using Java objects Representation of pointer operations Examples of translation

Class details Fat pointer, block Access methods Fat integer

Implementation of the translator Experiments and considerations Related work Conclusion and future work

25

Implementation of the translator

Translator implemented in Objective Caml

lexer

codegenerator

parser

pretty-printer

Csource code

Javasource code

CIL [Necula et al. 02]

Joust [Cooper]

implemented

this part

translator

Cabstract

syntax tree

Java abstract

syntax tree

26

Experiments

Benchmark programs taken from

The Computer Language Shootout Values in the graph means overheads

Fail-Safe C to Java user time / C user time Handwritten Java user time / C user time

Environments 2.80GHz Intel Pentium 4 CPU, 2GB memory Linux 2.6 gcc ： version 4.0.0 with –O2 option javac, java ： Sun JDK version 1.5.0 with –O option

27

Experiments

13.1

7 4.2

7

52.0

3

51.0

7

45.0

8 35.4

1

4.3

9

79.6

46.8

9 37.4

2

50.5

1

11.8

2 3.6

1

3.1

6

1.0

8

3.5

5

0.9

5

1.6

7

16.3

5

2.1

9

1.1

9

1.4

7

0

10

20

30

40

50

60

70

80

90

sta

rtup

su

m-file

nsie

ve

sp

ectra

l-n

orm

man

delb

rot

recu

rsiv

e

partia

l-su

ms

nsie

ve-b

its

fan

nku

ch

bin

ary

-trees

n-b

od

y

FSC2J/C

Java/C

28

Consideration

All pointers, integers and memory blocks are

translated to objects Lots of object creations and method calls

Reduce these by optimizations Translate variables to FatBlock only if they are pointed

to by a pointer Translate integers to FatInt only if they cannot be

distinguished from pointers Eliminate redundant calls to the same access method

29

Outline

C to Java translation by using Java objects Representation of pointer operations Examples of translation

Class details Fat pointer, block Access methods Fat integer

Implementation of the translator Experiments and considerations Related work Conclusion and future work

30

Related work : C to Java translators

Jazillian [Jazillian, Inc.] Aims at readability and maintainability Assumes user intervention of generated code

Ephedra [Martin et al. 01] Does not support cast of pointers between different types Does not support memory access via pointers of different types

Our translatorAims at 100% ANSI conformance (and more) and memory safety

Supports memory access via cast pointers by using

access methods

31

Related work : Safe C runtime systems

CCured [Necula et al. 02] Dynamically checks unsafe operations Reduces overheads by static analysis (to 3 - 87 %) Does not aim at 100% ANSI conformance

Fail-Safe C [Oiwa et al. 01] Based on the same ideas of fat pointers and fat intergers

Both compile C to native codeIf these compilers have a bug, unsafe codes are executed

Our translator translates C to Java source codeProvided that Java is safe, unsafe codes are rejected

(even if our translator has a bug)

We clarify the essence of Fail-Safe C

32

Conclusion and future work

We propose translation from C to Java Simulate pointers, integers and memory blocks

with Java objects

Future work Support all ANSI C and more Optimizations