I am looking for other people's attempts to create safe subset of C and
enforce it with scripts. Does anybody know about anything like this?
By "safe", I mean the following:
* Strongly typed memory. No way to reinterpret it as bunch of bytes
* Recovery from invalid and NULL pointers other than crash
* Possibility to isolate piece of code by not giving it key pointers
Library used to support such safe subset must not introduce its own flaws.
For example, it is not a good idea to use int proxies for pointers like
Unix API does, because this allows pointer guessing and consequently
prevents isolation. 36 3892
Robert Vazan wrote: I am looking for other people's attempts to create safe subset of C and enforce it with scripts. Does anybody know about anything like this?
By "safe", I mean the following: * Strongly typed memory. No way to reinterpret it as bunch of bytes * Recovery from invalid and NULL pointers other than crash * Possibility to isolate piece of code by not giving it key pointers
Library used to support such safe subset must not introduce its own flaws. For example, it is not a good idea to use int proxies for pointers like Unix API does, because this allows pointer guessing and consequently prevents isolation.
Robert...
Search in Google groups (comp.lang.c). There have already been a
number of threads discussing this topic.
--
Morris Dovey
West Des Moines, Iowa USA
C links at http://www.iedu.com/c
Read my lips: The apple doesn't fall far from the tree.
Robert Vazan wrote: I am looking for other people's attempts to create safe subset of C and enforce it with scripts. Does anybody know about anything like this?
By "safe", I mean the following: * Strongly typed memory. No way to reinterpret it as bunch of bytes * Recovery from invalid and NULL pointers other than crash * Possibility to isolate piece of code by not giving it key pointers
Library used to support such safe subset must not introduce its own flaws. For example, it is not a good idea to use int proxies for pointers like Unix API does, because this allows pointer guessing and consequently prevents isolation.
Look at MISRA C guidelines, at www.misra.org.uk, which is enforcable
with commercial lint-like tools. You must order a hardcopy. I did and
found it to be an interesting read.
However, if you're really interested in high-integrity coding, perhaps
something like SPARK (Ada subset) may interest you as well.
If you insist on something C-based, MISRA-C with something like VxWorks
for Safety Critical Systems ( www.windriver.com) may be a candidate,
depending on what you're looking for.
Mark F. Haigh mf*****@sbcglob al.net
On Fri, 21 Nov 2003 13:47:49 +0100, Robert Vazan wrote: I am looking for other people's attempts to create safe subset of C and enforce it with scripts. Does anybody know about anything like this?
By "safe", I mean the following: * Strongly typed memory. No way to reinterpret it as bunch of bytes
It occurs to me that this requirement alone pretty much removes your
quest from anything remotely related to C.
"Kelsey Bjarnason" <ke*****@lights peed.bc.ca> wrote: On Fri, 21 Nov 2003 13:47:49 +0100, Robert Vazan wrote: By "safe", I mean the following: * Strongly typed memory. No way to reinterpret it as bunch of bytes
It occurs to me that this requirement alone pretty much removes your quest from anything remotely related to C.
It depends how you define "remotely related to C". You would essentially
have to disallow pointer arithmetic and therefore change the way that
arrays work. It starts to look quite like Java, and indeed Java has many
features for limited 'sandbox' operation inbuilt, for running unauthorised
code on client machines. I'd say Java is still related to C.
--
Simon.
On 2003-11-22, Kelsey Bjarnason <ke*****@lights peed.bc.ca> wrote: On Fri, 21 Nov 2003 13:47:49 +0100, Robert Vazan wrote:
I am looking for other people's attempts to create safe subset of C and enforce it with scripts. Does anybody know about anything like this?
By "safe", I mean the following: * Strongly typed memory. No way to reinterpret it as bunch of bytes
It occurs to me that this requirement alone pretty much removes your quest from anything remotely related to C.
It is a "safe subset". You could define a subset that:
* does not allow the use of unions;
* does not allow declarations of void pointers;
* does not allow defining functions that return void pointers; and
* does not allow casts.
You could write a lint like tool to help enforce the subset. Also, any
diagnostic emitted by the compiler would have to be addressed.
-- James
On Sat, 22 Nov 2003 00:08:59 -0600, James Hu wrote: * does not allow the use of unions; * does not allow declarations of void pointers; * does not allow defining functions that return void pointers; and * does not allow casts.
Add arrays, ellipsis arguments, and memory deallocation and I can start
considering it safe. Some replacement must be provided for arrays and
memory management. Your rules also prohibit interfaces.
On 2003-11-22, Robert Vazan <ro*********@pr ivateweb.sk> wrote: On Sat, 22 Nov 2003 00:08:59 -0600, James Hu wrote:
* does not allow the use of unions; * does not allow declarations of void pointers; * does not allow defining functions that return void pointers; and * does not allow casts. Add arrays,
Why? I was questioning myself about disallowing unions. Since acquiring
the value of a member union other than the last one stored into invokes
unspecified behavior, a "good enough" lint should be able to flag this.
Similarly for arrays, bounds checking should be enforced.
I guess the safe subset should explicitly state:
* does not allow unspecified or undefined behaviors.
ellipsis arguments,
Yes, I suppose definining your own varable argument functions should be
disallowed. Using printf and friends should be allowed, though.
and memory deallocation and I can start considering it safe.
Hmm? If you disallow memory deallocation, you have to disallow memory
allocation as well.
If unspecified and undefined behaviors are not allowed, memory
deallocation should be safe.
I guess one could require an interface for each type to be allocated and
deallocated:
int * malloc_int_arra y(int number_of_ints) ;
void free_int_array( int *int_array);
And have the free wrapper do whatever it needed to do to make sure it
was freeing something its corresponding wrapper allocated. But a good
memory error debugging tool can already help enforce that.
Some replacement must be provided for arrays and memory management.
I think I took care of that.
Your rules also prohibit interfaces.
How so?
-- James
>It is a "safe subset". You could define a subset that: * does not allow the use of unions; * does not allow declarations of void pointers; * does not allow defining functions that return void pointers; and * does not allow casts.
You could write a lint like tool to help enforce the subset. Also, any diagnostic emitted by the compiler would have to be addressed.
A really "safe" subset of C needs to disallow:
- Pointers or pointer-valued expressions, including (library or
otherwise) functions that accept or return them.
- Variables.
- Side effects, particularly including assignment, op= operators,
I/O, and memory allocation/deallocation.
- Casts.
I think it is possible to have the compiler compile this to "safe"
assembly language with one of three opcodes: halt EXIT_SUCCESS,
halt EXIT_FAILURE, or branch-to-self.
Gordon L. Burditt
On Sun, 23 Nov 2003 01:21:18 +0000, Gordon Burditt wrote: A really "safe" subset of C needs to disallow:
Here I assume that you claim that this is best (least restrictive) safe
subset that can be made.
- Pointers or pointer-valued expressions, including (library or otherwise) functions that accept or return them.
Too restrictive. You cannot show that it is necessary.
- Variables.
Why?
- Side effects, particularly including assignment, op= operators,
Why?
I/O,
Standard I/O maybe, but why all I/O?
and memory allocation/deallocation.
Unnecessarily restrictive, once again.
I think it is possible to have the compiler compile this to "safe" assembly language with one of three opcodes: halt EXIT_SUCCESS, halt EXIT_FAILURE, or branch-to-self.
Sure, but I am uncertain whether your subset is really the only option. This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Irmen de Jong |
last post by:
Pickle and marshal are not safe. They can do harmful
things if fed maliciously constructed data.
That is a pity, because marshal is fast.
I need a fast and safe (secure) marshaler.
Is xdrlib the only option?
I would expect that it is fast and safe because
it (the xdr spec) has been around for so long.
Or are there better options (perhaps 3rd party libraries)?
|
by: les_ander |
last post by:
Hi,
I have many set objects some of which can contain same group of object
while others can be subset of the other. Given a list of sets,
I need to get a list of unique sets such that non of the set is an
subset of another or contain exactly the same members.
Tried to do the following:
s1=set()
s2=set()
s3=set()
|
by: Chris Dutrow |
last post by:
I searched around on the net for a bit, couldn't find anything though.
I would like to find some code for a function where I input A Range Of
Integers
For example: Function( 1, 100 );
And the function will return me an array holding a random subset of integers
in that range of a size that I specify
So the Function would Probabaly look something like this:
|
by: Dan Bass |
last post by:
I know that XslTransform's Transform is thread safe according to the MSDN,
and that Load is not. I've therefore applied this simply Mutex to it and
would just like to confirm this is okay.
XslTransform xslt = null;
Mutex mut = new Mutex();
public override string MapMessage ( string messageSource )
{
|
by: Jon Paul Jones |
last post by:
For some time now, I have been looking for a build system for ASP.NET that
will merge the file based ease of deployment of classic ASP with the type
saftey and prebuilt nature of ASP.NET with codebehind. The team that I work
on manages several web sites and we have many different projects (not VS
projects) going on in each site simultaneously. Each of these projects may
have different deployment schedules. In a classis ASP world this was...
| |
by: Babar K. Zafar |
last post by:
Hi guys!
I know this subject has been beaten to death and I am not going to
whine about lacking features for proper restricted execution in the
Python runtime. It's the OS job, I get it.
Anyways, I thought about using a restricted *subset* of the language
for simple configuration scripts and storing data in a user-friendly
way. I'm fully aware about the dangers of introducing "eval" into the
picture so I took different route and...
|
by: jacob navia |
last post by:
We have discussed often the proposition from Microsoft
for a safer C library.
A rationale document is published here by one of the members of
the design team at microsoft:
http://msdn.microsoft.com/msdnmag/issues/05/05/SafeCandC/default.aspx
jacob
|
by: jecheney |
last post by:
Hi,
Im currently using the following code for reading/writing to a network
socket.
private StreamReader clientStreamReader;
private StreamWriter clientStreamWriter;
....
TcpClient tcpClient = new
TcpClient(server_host_name, server_port);
|
by: Szabolcs |
last post by:
I am not familiar with the UTF-8 encoding, but I know that it encodes
certain characters with up to four bytes. Is it safe to use UTF-8
encoded comments in C++ source files? For example, is there a remote
possibility that some multi-byte character, when interpreted
byte-by-byte, will contain */ and close the comment? Or is there
something else that can go wrong?
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
| |
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |