Achieving Safety Incrementally with Checked C. Andrew Ruef, Leonidas Lampropoulos, Ian Sweet, David Tarditi, and Michael Hicks. In Proceedings of the Symposium on Principles of Security and Trust (POST), April 2019.

Checked C is a new effort working toward a memory-safe C. Its design is distinguished from that of prior efforts by truly being an extension of C: Every C program is also a Checked C program. Thus, one may make incremental safety improvements to existing codebases while retaining backward compatibility. This paper makes two contributions. First, to help developers convert existing C code to use so-called checked (i.e., safe) pointers, we have developed a preliminary, automated porting tool. Notably, this tool takes advantage of the flexibility of Checked C's design: The tool need not perfectly classify every pointer, as required of prior all-or-nothing efforts. Rather, it can make a best effort to convert more pointers accurately, without letting inaccuracies inhibit compilation. However, such partial conversion raises the question: If safety violations can still occur, what sort of advantage does using Checked C provide? We draw inspiration from research on migratory typing to make our second contribution: We prove a blame property that renders so-called checked regions blameless of any run-time failure. We formalize this property for a core calculus and mechanize the proof in Coq.

[ .pdf ]

@INPROCEEDINGS{ruef18checkedc-incr, AUTHOR = {Andrew Ruef and Leonidas Lampropoulos and Ian Sweet and David Tarditi and Michael Hicks}, TITLE = {Achieving Safety Incrementally with Checked C}, BOOKTITLE = {Proceedings of the Symposium on Principles of Security and Trust (POST)}, MONTH = APR, YEAR = 2019 }