* Checked C?
From: Sandy Harris @ 2018-09-09 12:22 UTC
To: kernel-hardening

Slashdot reports that Microsoft have come up with something they call
"checked C". It claims to prevent a wide variety of memory & pointer
bugs, using a mix of compile-time and run-time checks, at moderate
overheads.

Implementation is as extensions to Clang so it might be hard to apply
to the kernel which I think has some GNU-isms. Perhaps still worth a
look?

Paper describing it is at:
https://www.microsoft.com/en-us/research/publication/checkedc-making-c-safe-by-extension/

Code is at:
https://github.com/Microsoft/checkedc

* Re: Checked C?
From: Greg KH @ 2018-09-09 12:59 UTC
To: Sandy Harris; +Cc: kernel-hardening

On Sun, Sep 09, 2018 at 08:22:44AM -0400, Sandy Harris wrote:
> Slashdot reports that Microsoft have come up with something they call
> "checked C". It claims to prevent a wide variety of memory & pointer
> bugs, using a mix of compile-time and run-time checks, at moderate
> overheads.
>
> Implementation is as extensions to Clang so it might be hard to apply
> to the kernel which I think has some GNU-isms. Perhaps still worth a
> look?

The kernel builds just fine using Clang for some architectures. The
pixel phones have been using it for a few years now.

And if you wish to work on converting the kernel to use these
extensions, please go ahead, that would be a great research project!

greg k-h

* Re: Checked C?
From: Theodore Y. Ts'o @ 2018-09-09 16:56 UTC
To: Greg KH; +Cc: Sandy Harris, kernel-hardening

On Sun, Sep 09, 2018 at 02:59:12PM +0200, Greg KH wrote:
> On Sun, Sep 09, 2018 at 08:22:44AM -0400, Sandy Harris wrote:
> > Slashdot reports that Microsoft have come up with something they call
> > "checked C". It claims to prevent a wide variety of memory & pointer
> > bugs, using a mix of compile-time and run-time checks, at moderate
> > overheads.
> >
> > Implementation is as extensions to Clang so it might be hard to apply
> > to the kernel which I think has some GNU-isms. Perhaps still worth a
> > look?

What would be really interesting would be implementing the Microsoft
extensions as Clang plugins, so the kernel changes don't require
distributions to ship a modified Clang.

Whoever does this will need to remember that kernel modifications need
to work with:

* Clang with the extensions

* Clang without the extensions (in case the extensions are Clang
  version dependent, and the system has a Clang which is too old).

* Gcc without the extensions

We've been doing that sort of thing already, using CPP magic, so there
are plenty of examples about ways of doing that.

					- Ted

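The three-compiler requirement in the message above, sketched as an added example; it is not part of the thread and is not kernel or Checked C project code. `CONFIG_CC_HAS_CHECKED_C`, the `CHK_*` macros, `read_at` and `sum_all` are hypothetical names chosen for illustration; `_Array_ptr<T>` and `: count(n)` are the Checked C syntax from the paper.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * CONFIG_CC_HAS_CHECKED_C is a hypothetical symbol (an assumption, not a
 * real Kconfig option) that the build would set after probing the compiler.
 */
#ifdef CONFIG_CC_HAS_CHECKED_C
/* Clang with the extensions: emit the checked type and its bounds. */
# define CHK_ARRAY_PTR(T)	_Array_ptr<T>
# define CHK_COUNT(n)		: count(n)
#else
/* Clang without the extensions, or GCC: the annotations vanish. */
# define CHK_ARRAY_PTR(T)	T *
# define CHK_COUNT(n)
#endif

/* Constructed sample data for the demonstration. */
static const int sample[4] = { 1, 2, 3, 4 };

/*
 * Read buf[idx] into *out. The explicit range check keeps the
 * out-of-bounds case well defined on compilers where CHK_COUNT()
 * expands to nothing and no bounds check is inserted for us.
 */
int read_at(CHK_ARRAY_PTR(const int) buf CHK_COUNT(len), size_t len,
	    size_t idx, int *out)
{
	if (idx >= len)
		return -1;
	*out = buf[idx];
	return 0;
}

/* Sum len elements through the checked accessor; 0 for an empty range. */
int sum_all(CHK_ARRAY_PTR(const int) buf CHK_COUNT(len), size_t len)
{
	int total = 0, v = 0;

	for (size_t i = 0; i < len; i++)
		if (read_at(buf, len, i, &v) == 0)
			total += v;
	return total;
}

int main(void)
{
	int v = 0;

	printf("sum=%d in-range=%d out-of-range=%d\n", sum_all(sample, 4),
	       read_at(sample, 4, 2, &v), read_at(sample, 4, 4, &v));
	return 0;
}
```
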
* Re: Checked C?
From: Boris Lukashev @ 2018-09-09 18:24 UTC
To: Theodore Y. Ts'o; +Cc: Greg KH, Sandy Harris, kernel-hardening

Quick glance over the paper describes type and bounds checks
attempting to make access safer at compile and runtime via new
syntax... The caveat of "The safety provided by checked pointers can
be thwarted by unsafe operations, such as writes to traditional
pointers" leads to some immediate coverage concerns.

Doesn't grsecurity/PaX already do things like this with GCC plugins?
My understanding is that analogous functionality is available with
GCC, and wouldn't require adopting MSFT's take on "how C should be" in
Linux.

If the kernel is to move to Clang (which seems to be a direction which
Google and others are going), then implementing LLVM passes to do such
things may not require explicit syntax to declare these pointers, but
more likely exceptions to default use of safe types.

-Boris

On Sun, Sep 9, 2018 at 12:56 PM, Theodore Y. Ts'o <tytso@mit.edu> wrote:
> On Sun, Sep 09, 2018 at 02:59:12PM +0200, Greg KH wrote:
>> On Sun, Sep 09, 2018 at 08:22:44AM -0400, Sandy Harris wrote:
>> > Slashdot reports that Microsoft have come up with something they call
>> > "checked C". It claims to prevent a wide variety of memory & pointer
>> > bugs, using a mix of compile-time and run-time checks, at moderate
>> > overheads.
>> >
>> > Implementation is as extensions to Clang so it might be hard to apply
>> > to the kernel which I think has some GNU-isms. Perhaps still worth a
>> > look?
>
> What would be really interesting would be implementing the Microsoft
> extensions as Clang plugins, so the kernel changes don't require
> distributions to ship a modified Clang.
>
> Whoever does this will need to remember that kernel modifications need
> to work with:
>
> * Clang with the extensions
>
> * Clang without the extensions (in case the extensions are Clang
>   version dependent, and the system has a Clang which is too old).
>
> * Gcc without the extensions
>
> We've been doing that sort of thing already, using CPP magic, so there
> are plenty of examples about ways of doing that.
>
>                                         - Ted

--
Boris Lukashev
Systems Architect
Semper Victus