[Cryptography] bounded pointers in C
Ben Laurie
ben at links.org
Sat Apr 19 01:07:03 EDT 2014
On 18 April 2014 18:50, Jerry Leichter <leichter at lrw.com> wrote:
> On Apr 18, 2014, at 7:35 AM, Ben Laurie <ben at links.org> wrote:
>> Hmm. Any info on how this works (or worked)? All bounded pointers
>> implementations I've seen have required some kind of code annotation
>> to make them work properly (e.g. explicit fat pointers). Can it really
>> be done without source modification?
> In principle, it's easy. Nothing in C constrains the size of pointers; the compiler can make them any size it likes. There are statements about what happens if you cast a pointer type to an integer type "large enough to contain it", but nothing says such a type must exist. So you can simply make every pointer a "fat pointer". The only legal ways to get initial pointer values are by taking the address of an object (and the size of an object is always known); or by calling malloc() and friends, which necessarily know the size as well. Beyond that, it's just a matter of keeping the size updated as the pointer is modified by pointer arithmetic.
>
> That's the principle. The *practice* is that a huge fraction of practical, everyday C programs assume that a pointer will fit in a long. Nothing in the language guarantees it, but "everyone knows" that this is how C works.
>
> At the cost of performance, you can move the lengths off to a hidden data structure in which you can look up pointers. When you're handed a pointer, you look it up and get its length. This is messy because you can be handed a pointer into a block of legal memory. So you need a structure to check whether a pointer occurs in any of a set of ranges. How well this would work in practice, I don't know. Presumably a smart compiler can elide most lookups: In some cases it knows the size anyway (e.g., you take the address of a struct on the stack); in others, once it's looked it up, it can keep it around for a while (i.e., thin pointers in memory, fat pointers in registers).
The Mill does this:
http://millcomputing.com/docs/security/
I think it's a pretty interesting architecture, but not convinced it's
the _right_ architecture :-)
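A toy version of the "hidden data structure" scheme Jerry describes (thin pointers in memory, lengths kept in a side table keyed by address range), added here as an example; it is not code from the thread or from the Mill, and the bp_* names and the fixed-size table are assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
/* Hidden side table of live allocations (the lookup structure the mail
 * describes); a fixed array keeps this short, a real runtime would use a tree. */
#define MAX_RANGES 16
static struct { uintptr_t base; size_t size; } ranges[MAX_RANGES];
static size_t nranges;

/* malloc() knows the size, so record it alongside the returned address. */
void *bp_malloc(size_t size) {
    void *p = malloc(size);
    if (p && nranges < MAX_RANGES) {
        ranges[nranges].base = (uintptr_t)p;
        ranges[nranges].size = size;
        nranges++;
    }
    return p;
}

/* Index of the range containing p, or -1. Interior pointers are legal C,
 * so this is a range query, not an exact match on the base address. */
static int bp_find(const void *p) {
    uintptr_t a = (uintptr_t)p;
    for (size_t i = 0; i < nranges; i++)
        if (a >= ranges[i].base && a - ranges[i].base < ranges[i].size)
            return (int)i;
    return -1;
}
/* Unregister then free, so a dangling pointer fails the lookup. */
void bp_free(void *p) {
    int i = bp_find(p);
    if (i >= 0) ranges[i] = ranges[--nranges];
    free(p);
}
/* 1 if an access of nbytes at p stays inside one registered object, else 0. */
int bp_check(const void *p, size_t nbytes) {
    int i = bp_find(p);
    if (i < 0) return 0;
    return nbytes <= ranges[i].size - ((uintptr_t)p - ranges[i].base);
}

/* In-bounds interior access passes; one-past-the-end and use after free fail. */
int bp_demo(void) {
    char *buf = bp_malloc(16);
    if (!buf) return -1;
    char *q = buf + 12;
    int ok = bp_check(q, 4), bad = bp_check(q + 4, 1);
    bp_free(buf);
    return ok && !bad && !bp_check(buf, 1);
}
```

The linear scan is where the performance cost Jerry mentions shows up; the elision he describes would let a compiler skip bp_check() entirely when the bound is already known.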