Memory Safety Without Runtime Checks or Garbage Collection

Reference1

Challenge: dangling pointers

Proving statically that a general C program (for example) never dereferences a freed pointer (the “dangling pointer” problem) is undecidable.

Region-based memory management, however, has been used to guaranttee the safety of pointer-based accesses to region data without garbage collection, but with limitations: 1) manual effort to convert program to use regions; 2) many solutions disallow explicit deallocation.

Automatic regions inference algorithms have been developed to solve limitation completely or partially, such as in ML, or Cyclone. But these languages disallow explicit deallocation.

In this work, we use our fully automatic region inference algorithm called Automatic Pool Allocation that works for C with explict malloc and free. The transformation solves both the limitations above.

Unfortunately, allowing individual object deallocation means that the transformation does not ensure memory safety.

Restriction Rules for C

  • T1. Strong type: all variables, assignments and expressions (as in 2002);

  • T2. Cast to a pointer from other types are disallowed; certaion pointer to pointer casts of two compatible targets are allowed (2002+);

  • T3. Union can only contain types that can be cast to each other (as in 2002).

Rules for pointer safety:

  • P1. Every local pointer variable must be initialized before being referenced (as in 2002);
  • P2. Any individual type should be no larger than the size of the reserved address range (as in 2002);
  • P3. The address of stack location cannot be stored in a heap-allocated object or a global variable, and cannot be returned from a function (new from 2002);

Heap safety by pool allocation

  1. Memory Safety Without Runtime Checks or Garbage Collection. LCTES, 2003. ↩
Created Jul 29, 2019 // Last Updated Aug 31, 2020

If you could revise
the fundmental principles of
computer system design
to improve security...

... what would you change?