C to Checked C by 3C

TL;DR

This paper introduces 3C, a static analysis tool that facilitates the incremental porting of legacy C code to Checked C, enhancing spatial safety through automatic and semi-automatic annotations.

Contribution

It presents 3C, a novel static analysis-based annotation tool with algorithms typ3c and boun3c, enabling semi-automated porting of C to Checked C for improved safety.

Findings

3C effectively infers checked pointer types in large C codebases.

Combining 3C with human refactoring improves porting accuracy.

Experiments show 3C's utility across diverse programs.

Abstract

Owing to the continued use of C (and C++), spatial safety violations (e.g., buffer overflows) still constitute one of today's most dangerous and prevalent security vulnerabilities. To combat these violations, Checked C extends C with bounds-enforced checked pointer types. Checked C is essentially a gradually typed spatially safe C - checked pointers are backwards-binary compatible with legacy pointers, and the language allows them to be added piecemeal, rather than necessarily all at once, so that safety retrofitting can be incremental. This paper presents a semi-automated process for porting a legacy C program to Checked C. The process centers on 3C, a static analysis-based annotation tool. 3C employs two novel static analysis algorithms - typ3c and boun3c - to annotate legacy pointers as checked pointers, and to infer array bounds annotations for pointers that need them. 3C performs a root cause analysis to direct a human developer to code that should be refactored; once done, 3C can be re-run to infer further annotations (and updated root causes). Experiments on 11 programs totaling 319KLoC show 3C to be effective at inferring checked pointer types, and experience with previously and newly ported code finds 3C works well when combined with human-driven refactoring.