Fail-Safe ANSI-C Compiler: An Approach to Making C Programs Secure Progress Report

  • Yutaka Oiwa
  • Tatsurou Sekiguchi
  • Eijiro Sumii
  • Akinori Yonezawa
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2609)


It is well known that programs written in C are apt to suffer from nasty errors due to dangling pointers and/or buffer overflow. In particular, such errors in Internet servers are often exploited by malicious attackers to “crack” an entire system, which has even become a social problem nowadays. Nevertheless, it is still unrealistic to abandon the C language at once because of legacy programs and legacy programmers. To alleviate this dilemma, many approaches to safe implementations of the C language, such as Safe C and CCured, have been proposed and implemented. To our knowledge, however, none of them supports all the features of the ANSI C standard and prevents all unsafe operations. (By unsafe operations, we mean any operation that leads to “undefined behavior”, such as array boundary overrun and dereference of a pointer of a wrong type.) This paper describes a memory-safe implementation of the full ANSI C language. Our implementation detects and disallows all unsafe operations while conforming to the full ANSI C standard (including casts and unions) and even supporting many “dirty tricks” common in programs beyond ANSI C. This is achieved using sophisticated representations of pointers (and integers) that contain dynamic type and size information. We also devise several techniques, both compile-time and runtime, to reduce the overhead of runtime checks.
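As an added illustration of the pointer representation the abstract describes, the following constructed C code (not the paper's compiler or runtime; the type tags, field names and return codes are assumptions) shows a pointer that carries its block's base, size and dynamic type, so that a boundary overrun or an access through a pointer of the wrong type is rejected at dereference time rather than becoming undefined behaviour:

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (not the paper's runtime): a "fat" pointer that
 * carries the base and size of its memory block plus a dynamic type tag, so
 * each dereference can be checked for boundary overrun and type mismatch. */
typedef enum { T_INT, T_CHAR } type_tag;

typedef struct {
    unsigned char *base;  /* start of the underlying block */
    size_t size;          /* block size in bytes */
    type_tag tag;         /* dynamic type of the block's elements */
    size_t offset;        /* byte offset of this pointer within the block */
} fatptr;
static size_t elem_size(type_tag t) { return t == T_INT ? sizeof(int) : 1; }

/* Allocate a zeroed block of nelems elements and point at its start. */
fatptr fat_alloc(size_t nelems, type_tag tag) {
    fatptr p = { NULL, nelems * elem_size(tag), tag, 0 };
    p.base = calloc(1, p.size ? p.size : 1);
    return p;
}
void fat_free(fatptr p) { free(p.base); }

/* Pointer arithmetic only moves the offset; ANSI C allows forming a pointer
 * one past the end, so the check is deferred to the dereference. */
fatptr fat_add(fatptr p, long n) {
    p.offset += (size_t)((long)elem_size(p.tag) * n);
    return p;
}
/* 0 = ok, 1 = boundary overrun, 2 = access through a pointer of wrong type.
 * The bounds test is written so that a wrapped-around offset cannot pass. */
static int check_int_access(fatptr p) {
    if (p.tag != T_INT) return 2;
    if (p.size < sizeof(int) || p.offset > p.size - sizeof(int)) return 1;
    return 0;
}

int fat_read_int(fatptr p, int *out) {
    int rc = check_int_access(p);
    if (rc == 0) memcpy(out, p.base + p.offset, sizeof(int));
    return rc;
}

int fat_write_int(fatptr p, int v) {
    int rc = check_int_access(p);
    if (rc == 0) memcpy(p.base + p.offset, &v, sizeof(int));
    return rc;
}
```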






  1. Todd M. Austin, Scott E. Breach, and Gurindar S. Sohi. Efficient detection of all pointer and array access errors. In Proc. ’94 Conference on Programming Language Design and Implementation (PLDI), pages 290–301, 1994.
  2. Rastislav Bodik, Rajiv Gupta, and Vivek Sarkar. ABCD: Eliminating Array Bounds Checks on Demand. In Proceedings of the SIGPLAN ’00 Conference on Program Language Design and Implementation, June 2000.
  3. Crispan Cowan, Calton Pu, Dave Maier, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, Qian Zhang, and Heather Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proc. 7th USENIX Security Conference, pages 63–78, San Antonio, Texas, January 1998.
  4. Dan Grossman, Greg Morrisett, Trevor Jim, Michael Hicks, Yanling Wang, and James Cheney. Region-based memory management in Cyclone. In Proc. ACM Conference on Programming Language Design and Implementation (PLDI), pages 282–293, June 2002.
  5. Reed Hastings and Bob Joyce. Purify: Fast detection of memory leaks and access errors. In Proc. 1992 Winter USENIX Conference, pages 125–136, 1992.
  6. Trevor Jim, Greg Morrisett, Dan Grossman, Michael Hicks, James Cheney, and Yanling Wang. Cyclone: A safe dialect of C. In USENIX Annual Technical Conference, June 2002.
  7. Richard W. M. Jones and Paul H. J. Kelly. Backwards-compatible bounds checking for arrays and pointers in C programs. In Automated and Algorithmic Debugging, pages 13–26, 1997.
  8. Stephen Kaufer, Russell Lopez, and Sasha Pratap. Saber-C: an interpreter-based programming environment for the C language. In Proc. 1998 Summer USENIX Conference, pages 161–171, 1988.
  9. Jens Knoop, Oliver Rüthing, and Bernhard Steffen. Lazy Code Motion. In Proceedings of the 5th ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 224–234, June 1992.
  10. Alexey Loginov, Suan Hsi Yong, Susan Horwitz, and Thomas Reps. Debugging via run-time type checking. Lecture Notes in Computer Science, 2029:217, 2001.
  11. George Necula, Scott McPeak, and Westley Weimer. CCured: Type-safe retrofitting of legacy code. In Proc. The 29th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 2002), pages 128–139, January 2002.
  12. Yutaka Oiwa, Eijiro Sumii, and Akinori Yonezawa. Implementing a fail-safe ANSI C compiler. In JSSST 2001, Hakodate, Japan, 18 September 2001. Japan Society for Software Science and Technology. In Japanese.
  13. Yutaka Oiwa, Eijiro Sumii, and Akinori Yonezawa. Implementing a fail-safe ANSI C compiler. Computer Software, 19(3):39–44, May 2002. In Japanese.
  14. Harish Patil and Charles Fischer. Low-cost, concurrent checking of pointer and array accesses in C programs. Software-Practice and Experience, 27(1):87–110, January 1997.
  15. Radu Rugina and Martin Rinard. Symbolic bounds analysis of pointers, array indices, and accessed memory regions. In Proc. ’00 Conference on Programming Language Design and Implementation (PLDI), pages 182–195, 2000.
  16. David Wagner, Jeffrey S. Foster, Eric A. Brewer, and Alexander Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Network and Distributed System Security Symposium, February 2000.

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Yutaka Oiwa (1)
  • Tatsurou Sekiguchi (1, 2)
  • Eijiro Sumii (1)
  • Akinori Yonezawa (1)
  1. University of Tokyo, Tokyo, Japan
  2. Japan Science and Technology Corporation, PRESTO, Japan
