[Cryptography] bounded pointers in C

Ben Laurie ben at links.org
Sat Apr 19 01:07:03 EDT 2014


On 18 April 2014 18:50, Jerry Leichter <leichter at lrw.com> wrote:
> On Apr 18, 2014, at 7:35 AM, Ben Laurie <ben at links.org> wrote:
>> Hmm. Any info on how this works (or worked)? All bounded pointers
>> implementations I've seen have required some kind of code annotation
>> to make them work properly (e.g. explicit fat pointers). Can it really
>> be done without source modification?
> In principle, it's easy.  Nothing in C constrains the size of pointers; the compiler can make them any size it likes.  There are statements about what happens if you cast a pointer type to an integer type "large enough to contain it", but nothing says such a type must exist.  So you can simple make every pointer a "fat pointer".  The only legal ways to get initial pointer values is by taking the address of an object (and the size of an object is always known); or by calling malloc() and friends, which necessarily know the size as well.  Beyond that, it's just a matter of keeping the size updated as the pointer is modified by pointer arithmetic.
>
> That's the principle.  The *practice* is that a huge fraction of practical, every day, C programs assume that a pointer will fit in a long.  Nothing in the language guarantees it, but "everyone knows" that this is how C works.
>
> At the cost of performance, you can move the lengths off to a hidden data structure in which you can look up pointers.  When you're handed a pointer, you look it up and get its length.  This is messy because you can be handed a pointer into a block of legal memory.  So you need a structure to check whether a pointer occurs in any of a set of ranges.  How well this would work in practice, I don't know.  Presumably a smart compiler can elide most lookups:  In some cases it knows the size anyway (e.g., you take the address of a struct on the stack); in others, once it's looked it up, it can keep it around for a while (i.e., thin pointers in memory, fat pointers in registers).

The Mill does this:

http://millcomputing.com/docs/security/

I think its a pretty interesting architecture, but not convinced its
the _right_ architecture :-)


More information about the cryptography mailing list