[Cryptography] bounded pointers in C

Ben Laurie ben at links.org
Sat Apr 19 01:03:40 EDT 2014


On 18 April 2014 13:53, Peter Fairbrother <zenadsl6186 at zen.co.uk> wrote:
> On 18/04/14 12:35, Ben Laurie wrote:
>>
>> On 18 April 2014 01:46, John Gilmore <gnu at toad.com> wrote:
>>>
>>> [...]
>>>
>>> A "bounded pointers" implementation of gcc was built in the late
>>> 1990s-2000 by Greg McGary (see
>>> http://gcc.gnu.org/ml/gcc/2000-04/msg00137.html).  It worked well
>>> enough to compile and run GNU libc and the GNU textutils and
>>> fileutils.  This was some sort of official GCC project, even.  But
>>> apparently it was never adopted into mainline gcc -- I don't know why
>>> not.  See https://sourceware.org/ml/libc-alpha/2012-01/msg00131.html ,
>>> http://gcc.gnu.org/ml/gcc/2001-02/msg00583.html ,
>>> http://gcc.gnu.org/ml/gcc/2001-02/msg00278.html
>>> He seems to be greg at mcgary.org and was contributing to GCC mailing
>>> lists as late as 2009.  Apparently the code lived on a branch
>>> of the GCC source tree ("bounded-pointers-branch") so that branch
>>> may still be accessible somewhere.  Indeed, doing this command:
>>>
>>>    svn co svn://gcc.gnu.org/svn/gcc/branches/bounded-pointers-branch
>>>
>>> seems to have brought me some code, which might be Gary's latest code,
>>> or might not be.  The last changes in it seem to be from about 2000,
>>> according to the ChangeLog.  But I can't get it to build -- the
>>> configuration files seem messed up.
>>
>>
>> Hmm. Any info on how this works (or worked)? All bounded pointers
>> implementations I've seen have required some kind of code annotation
>> to make them work properly (e.g. explicit fat pointers). Can it really
>> be done without source modification?
>
>
> I can't see the point in trying to get away from the necessity of source
> modification - the idea after all is to have all strings and arrays and so
> on bounds checked, but if a programmer uses malloc and memcpy (the smoking
> gnu in the Heartbleed bug) instead of a declaration of a string and a
> bounded strcpy, then all bets are off anyway.

Not so, actually. In CHERI+LLVM, malloc+memcpy is safe (yes, kids,
CHERI would've prevented Heartbleed - there would be code
modification, but of a trivial kind [I think, we should find out]).

> Now if C had proper bounded pointers for strings and arrays, then using
> malloc and memcpy would throw out a big flag - why on Earth are you using
> this dangerous stuff instead of the nice safe string/array commands? - but
> as C doesn't have nice safe string/array commands ...
>
>
> -- Peter Fairbrother
>
>
>
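As an added example (not code from this thread, from gcc's bounded-pointers branch, or from CHERI), the explicit fat-pointer annotation Ben refers to, with a bounded memcpy that refuses an over-long copy in a constructed Heartbleed-style record; the names `bptr`, `bp_malloc`, `bp_memcpy` and `echo_payload` are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fat pointer: the raw pointer travels with the bounds of its allocation. */
typedef struct {
    unsigned char *base;  /* start of the object */
    size_t len;           /* bytes the pointer is allowed to address */
} bptr;

/* malloc that hands back a bounded pointer instead of a bare one. */
static bptr bp_malloc(size_t n) {
    bptr p;
    p.base = malloc(n);
    p.len = p.base ? n : 0;
    return p;
}

/* Bounded memcpy: copy n bytes from src+src_off to dst+dst_off only if both
 * ranges stay inside their bounds. Returns 1 on success, 0 when refused. */
static int bp_memcpy(bptr dst, size_t dst_off, bptr src, size_t src_off, size_t n) {
    if (dst_off > dst.len || n > dst.len - dst_off) return 0; /* would overflow dst */
    if (src_off > src.len || n > src.len - src_off) return 0; /* would over-read src */
    memcpy(dst.base + dst_off, src.base + src_off, n);
    return 1;
}

/* Constructed stand-in for the Heartbleed case: a record whose header claims
 * `claimed` payload bytes while the buffer actually holds `actual`. Returns the
 * number of bytes echoed back, or 0 when the bounded copy refused it. */
static size_t echo_payload(size_t actual, size_t claimed) {
    bptr rec = bp_malloc(actual);
    bptr reply = bp_malloc(claimed);
    size_t copied = 0;
    if (rec.base && reply.base) {
        memset(rec.base, 'A', actual);                /* constructed payload */
        if (bp_memcpy(reply, 0, rec, 0, claimed))    /* the bounds decide, not the header */
            copied = claimed;
    }
    free(rec.base);
    free(reply.base);
    return copied;
}

int main(void) {
    printf("honest header: %zu bytes echoed\n", echo_payload(16, 16));    /* 16 */
    printf("lying header:  %zu bytes echoed\n", echo_payload(16, 65535)); /* 0 */
    return 0;
}
```

With bare pointers the second call would copy 65535 bytes out of a 16-byte object; with the bounds attached to the pointer the copy is refused before any byte moves.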