Runtime Verification of C Memory Safety

  • Grigore Roşu
  • Wolfram Schulte
  • Traian Florin Şerbănuţă
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5779)


C is the most widely used imperative system’s implementation language. While C provides types and high-level abstractions, its design goal has been to provide highest performance which often requires low-level access to memory. As a consequence C supports arbitrary pointer arithmetic, casting, and explicit allocation and deallocation. These operations are difficult to use, resulting in programs that often have software bugs like buffer overflows and dangling pointers that cause security vulnerabilities. We say a C program is memory safe, if at runtime it never goes wrong with such a memory access error. Based on standards for writing “good” C code, this paper proposes strong memory safety as the least restrictive formal definition of memory safety amenable for runtime verification. We show that although verification of memory safety is in general undecidable, even when restricted to closed, terminating programs, runtime verification of strong memory safety is a decision procedure for this class of programs. We verify strong memory safety of a program by executing the program using a symbolic, deterministic definition of the dynamic semantics. A prototype implementation of these ideas shows the feasibility of this approach.


Operational Semantic Abstract Syntax Memory Allocation Language Construct Dynamic Semantic 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Necula, G.C., McPeak, S., Weimer, W.: CCured: type-safe retrofitting of legacy code. In: POPL 2002: Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, pp. 128–139. ACM, New York (2002)Google Scholar
  2. 2.
    Hastings, R., Joyce, B.: Purify: Fast detection of memory leaks and access errors. In: Proceedings of the Winter USENIX Conference, January 1992, pp. 125–136 (1992)Google Scholar
  3. 3.
    Nethercote, N., Seward, J.: Valgrind: a framework for heavyweight dynamic binary instrumentation. In: Ferrante, J., McKinley, K.S. (eds.) PLDI, pp. 89–100. ACM, New York (2007)Google Scholar
  4. 4.
    Berger, E.D., Zorn, B.G.: Diehard: probabilistic memory safety for unsafe languages. In: PLDI 2006: Proceedings of the 2006 ACM SIGPLAN conference on Programming language design and implementation, pp. 158–168. ACM, New York (2006)CrossRefGoogle Scholar
  5. 5.
    Novark, G., Berger, E.D., Zorn, B.G.: Exterminator: Automatically correcting memory errors with high probability. Commun. ACM 51(12), 87–95 (2008)CrossRefGoogle Scholar
  6. 6.
    Harbison, S.P., Steele, G.L.: C: A Reference Manual, 5th edn. Prentice Hall, Englewood Cliffs (2002)Google Scholar
  7. 7.
    Roşu, G.: K: A Rewriting-Based Framework for Computations – Preliminary version. Technical Report UIUCDCS-R-2007-2926, University of Illinois (2007)Google Scholar
  8. 8.
    Meseguer, J., Roşu, G.: The rewriting logic semantics project. Theor. Computer Science 373(3), 213–237 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
  9. 9.
    Şerbănuţă, T.F., Roşu, G., Meseguer, J.: A rewriting logic approach to operational semantics. Inf. and Comp. (to appear, 2009),
  10. 10.
    Meseguer, J.: Conditioned rewriting logic as a united model of concurrency. Theor. Comput. Sci. 96(1), 73–155 (1992)CrossRefzbMATHGoogle Scholar
  11. 11.
    Wright, A.K., Felleisen, M.: A syntactic approach to type soundness. Inf. Comput. 115(1), 38–94 (1994)MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Clavel, M., Durán, F., Eker, S., Lincoln, P., Martí-Oliet, N., Meseguer, J., Talcott, C.L. (eds.): All About Maude - A High-Performance Logical Framework, How to Specify, Program and Verify Systems in Rewriting Logic. LNCS, vol. 4350. Springer, Heidelberg (2007)zbMATHGoogle Scholar
  13. 13.
    Walicki, M., Meldal, S.: Algebraic approaches to nondeterminism: An overview. ACM Comput. Surv. 29(1), 30–81 (1996)CrossRefGoogle Scholar
  14. 14.
    Rosu, G., Schulte, W.: Matching logic. Technical Report UIUCDCS-R-2009-3026, University of Illinois at Urbana-Champaign (2009)Google Scholar
  15. 15.
    Rogers Jr., H.: Theory of Recursive Functions and Effective Computability. MIT Press, Cambridge (1987)zbMATHGoogle Scholar
  16. 16.

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Grigore Roşu
    • 1
  • Wolfram Schulte
    • 2
  • Traian Florin Şerbănuţă
    • 1
  1. 1.University of Illinois at Urbana-ChampaignUSA
  2. 2.Microsoft ResearchUSA

Personalised recommendations