[Cryptography] bounded pointers in C

John Gilmore gnu at toad.com
Thu Apr 17 20:46:39 EDT 2014


> Well first of all, strings and arrays. I don't want a bounds-unchecked 
> string or array, not ever - even if bounds checking is 
> resource-consuming and there is no possibility of out-of-range inputs, 
> someone else might come along later and change the code.
> 
> I don't want to have to even think about whether a string or array is 
> bounds checked; just whether the default behaviour when an out-of-range 
> input is detected is suitable.
> 
> So, where would you change it? K+R? ANSI? I don't know, but in 35 years 
> they never got around to fixing it.

This is fixed in ANSI C.  The language definition does not require
implementations to check pointer or array bounds -- but everything in
the language that prevented implementations from doing it was removed.
Accessing outside the legitimate boundaries of the object is
"undefined" in the language, and the compiler can do what it wants
when that happens, including make the program die instantly.

We have had many such implementations over the years -- but none of
them have become popular, or even standard.

A "bounded pointers" implementation of gcc was built in the late
1990s-2000 by Greg McGary (see
http://gcc.gnu.org/ml/gcc/2000-04/msg00137.html).  It worked well
enough to compile and run GNU libc and the GNU textutils and
fileutils.  This was some sort of official GCC project, even.  But
apparently it was never adopted into mainline gcc -- I don't know why
not.  See https://sourceware.org/ml/libc-alpha/2012-01/msg00131.html,
http://gcc.gnu.org/ml/gcc/2001-02/msg00583.html, and
http://gcc.gnu.org/ml/gcc/2001-02/msg00278.html.
He seems to be greg at mcgary.org and was contributing to GCC mailing
lists as late as 2009.  Apparently the code lived on a branch
of the GCC source tree ("bounded-pointers-branch") so that branch
may still be accessible somewhere.  Indeed, doing this command:

  svn co svn://gcc.gnu.org/svn/gcc/branches/bounded-pointers-branch

seems to have brought me some code, which might be Greg's latest code,
or might not be.  The last changes in it seem to be from about 2000,
according to the ChangeLog.  But I can't get it to build -- the
configuration files seem messed up.

Others built similar but less straightforward bounds checkers, like
"Mudflap" (http://gcc.fyxm.net/summit/2003/mudflap.pdf), but
apparently that isn't popular, standard, or available in any public
GCC release either.

And many other C environments, such as "Saber C" and "Purify", have
done similar checks.  It isn't rocket science.  It works.

Actually building and maintaining C implementations that check pointer
boundaries seems to require a level of intense desire that so far
*nobody* has created or sustained for more than a year or two.

	John
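
An added illustration, not part of John's message and not code from
McGary's bounded-pointers branch: the idea behind such an implementation,
written out as a small hand-rolled "fat pointer" library in plain C.  Each
pointer carries the base and limit of the object it was derived from, and
every load and store is checked against them, so the classic strcpy
overflow is refused at the first byte past the buffer instead of silently
corrupting the neighbouring data.  The three-word layout, the function
names, the abort-or-report policy switch and the constructed inputs are all
my own assumptions; a real bounded-pointer compiler emits the wide pointers
and the checks itself rather than making the programmer call them.

```c
/* Hand-written "bounded pointer" sketch (added example, not McGary's code).
 * Layout and names are assumptions made for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *value;   /* the ordinary pointer */
    char *base;    /* first valid byte of the object */
    char *bound;   /* one past the last valid byte */
} bptr;

/* Out-of-bounds policy: "the compiler can do what it wants", so by default
 * we die instantly; a caller may switch to report-and-continue instead. */
static int bp_abort_on_fault = 1;
static int bp_faults = 0;           /* number of violations detected */

static void bp_fault(const char *what, const bptr *p)
{
    bp_faults++;
    fprintf(stderr, "bounds violation (%s): %p not in [%p, %p)\n",
            what, (void *)p->value, (void *)p->base, (void *)p->bound);
    if (bp_abort_on_fault)
        abort();
}

/* Bounded pointer to an object of `len` bytes starting at `obj`. */
static bptr bp_make(void *obj, size_t len)
{
    bptr p = { (char *)obj, (char *)obj, (char *)obj + len };
    return p;
}

/* Arithmetic is unchecked: forming an out-of-range pointer is allowed,
 * only using it is an error. */
static bptr bp_add(bptr p, ptrdiff_t n)
{
    p.value += n;
    return p;
}

/* True if `n` bytes at p->value lie inside [base, bound). */
static int bp_in_bounds(const bptr *p, size_t n)
{
    return p->value >= p->base && n <= (size_t)(p->bound - p->value);
}

static int bp_load(bptr p, char *out)
{
    if (!bp_in_bounds(&p, 1)) { bp_fault("load", &p); return -1; }
    *out = *p.value;
    return 0;
}

static int bp_store(bptr p, char c)
{
    if (!bp_in_bounds(&p, 1)) { bp_fault("store", &p); return -1; }
    *p.value = c;
    return 0;
}

/* strcpy over bounded pointers: 0 on success, -1 if cut off by a fault. */
static int bp_strcpy(bptr dst, bptr src)
{
    for (;;) {
        char c;
        if (bp_load(src, &c) < 0 || bp_store(dst, c) < 0)
            return -1;
        if (c == '\0')
            return 0;
        src = bp_add(src, 1);
        dst = bp_add(dst, 1);
    }
}

/* An in-bounds copy behaves like strcpy.  Returns 0 on success. */
int demo_in_bounds_copy(void)
{
    char src[] = "hello";           /* constructed input */
    char dst[8];
    bp_abort_on_fault = 0;
    if (bp_strcpy(bp_make(dst, sizeof dst), bp_make(src, sizeof src)) != 0)
        return -1;
    return strcmp(dst, "hello") == 0 ? 0 : -2;
}

/* Copy a constructed 12-char string into an 8-byte buffer.  With plain
 * pointers the bytes after the buffer are overwritten; here the first
 * store past its bound is refused.  Returns the number of violations
 * detected (1), or -1 if the neighbouring data was corrupted anyway. */
int demo_overflow_is_caught(void)
{
    char region[16];
    char *buf = region;             /* 8-byte destination */
    char *neighbour = region + 8;   /* data an overflow would smash */
    char src[] = "too-long-str";    /* 12 chars + NUL, constructed */
    int before = bp_faults;

    memset(region, 0, sizeof region);
    memcpy(neighbour, "CANARY!", 8);
    bp_abort_on_fault = 0;          /* report instead of die, so we can look */
    bp_strcpy(bp_make(buf, 8), bp_make(src, sizeof src));

    if (memcmp(neighbour, "CANARY!", 8) != 0)
        return -1;
    return bp_faults - before;
}

int main(void)
{
    printf("in-bounds copy: %d\n", demo_in_bounds_copy());
    printf("overflow: %d violation(s), neighbour intact\n",
           demo_overflow_is_caught());
    return 0;
}
```

The point of the exclusive `bound` and the unchecked `bp_add` is the one
the quoted poster cares about: the programmer never decides whether a given
access is checked, only what happens when a check fails (`bp_abort_on_fault`).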



