Securing C Programs by Dynamic Type Checking

  • Haibin Shen
  • Jimin Wang
  • Lingdi Ping
  • Kang Sun
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3903)


Flexible features of C can be misused and result in potential vulnerabilities which are hard to detect by performing only static checking. Existing tools either give up run-time type checking or employ a type system whose granularity is too coarse (it does not differentiate between pointer types) so that many errors may go undetected. This paper presents a dynamic checking approach to conquer them. A type system that is based on the physical layout of data types and has the proper granularity has been employed. Rules for propagating dynamic types and checking for compatibility of types during execution of the target program are also set up. Then a model of dynamic type checking on this type system to capture run-time type errors is built. Experimental results show that it can catch most errors, including those may become system vulnerabilities and the overhead is moderate.


Type System Program Element Active Member Ground Type Dynamic Type 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Loginov, A., Yong, S., Horwitz, S., Reps, T.: Debugging via runtime type checking. In: Hussmann, H. (ed.) FASE 2001. LNCS, vol. 2029, pp. 217–232. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  2. 2.
    Hanson, D.R., Fraser, C.W.: A Retargetable C Compiler. Addison-Wesley, Reading (1995)MATHGoogle Scholar
  3. 3.
    Wang, J., Ping, L., Pan, X., Shen, H., Yan, X.: Tools to make C programs safe: a deeper study. Journal of Zhejiang University SCIENCE 6A(1), 63–70 (2005)MATHCrossRefGoogle Scholar
  4. 4.
    Seward, J.: Valgrind, an open-source memory debugger for x86-GNU/Linux. Technical report (2003),
  5. 5.
    Burrows, M., Freund, S., Wiener, J.: Run-time type checking for binary programs. In: International Conference on Compiler Construction (2003)Google Scholar
  6. 6.
    Siff, M., Chandra, S., Ball, T., Kunchithapadam, K., Reps, T.: Coping with Type Casts in C. In: Nierstrasz, O., Lemoine, M. (eds.) ESEC 1999 and ESEC-FSE 1999. LNCS, vol. 1687, pp. 180–198. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  7. 7.
    Hasting, R., Joyce, B.: Purify: fast detection of memory leaks and access errors. In: Proceedings of the Winter USENIX Conference (1992)Google Scholar
  8. 8.
    Chandra, S., Reps, T.: Physical type checking for C. In: Proceedings of the ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering. Software Engineering Notes (SEN), vol. 24(5), pp. 66–75 (1999)Google Scholar
  9. 9.
    Shankar, U., Talwar, K., Foster, J.S., Wagner, D.: Automated Detection of Format-String Vulnerabilities Using Type Qualifiers. In: Proceedings of the 10th USENIX Security Symposium, Washington, DC (2001)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Haibin Shen
    • 1
  • Jimin Wang
    • 1
  • Lingdi Ping
    • 1
  • Kang Sun
    • 1
  1. 1.College of Computer Science and TechnologyZhejiang UniversityChina

Personalised recommendations