Checked C May Help Kill C Bugs

shutterstock_370595594

If you’ve spent time as a programmer over the past several years, chances are good you’ve encountered C. After all, the general-purpose programming language has been used to build everything from operating systems to applications for embedded systems.

But as with any decades-old language, C comes with its share of issues, including a number of security vulnerabilities. Simply put, programmers need to manually pick through their code for out-of-bounds memory accesses, buffer overruns, and other problems—before those problems turn into attack vectors.

Microsoft wants to change that with a new add-on called Checked C, which will introduce bounds-checking (already present in other programming languages, such as C# and Java) to C. The researchers behind the project intend for programmers to use the extension on existing system software written in C.

“Checked C allows programmers to better describe how they intend to use pointers and the range of memory occupied by data that a pointer points to,” the researchers wrote in a short note on the Microsoft Research page. “This information is then used to add checking at runtime to detect mistakes where the wrong data is accessed, instead of the error occurring silently and without detection.”

This information “also can be used detect programming errors while the program is being written,” the note added. “The checking is called ‘bounds-checking’ because it checks that data is being accessed within its intended bounds.”

The Checked C repository, including files for specification and language extension tests, is available on GitHub. The research team is implementing Checked C in LLVM/Clang; there’s also the Checked C/Clang repository, with a version of Clang modified to support Checked C, as well as a Checked C/LLVM one.

Despite its age (or perhaps because of it, given the language’s ubiquity), C remains enormously popular, placing second on the latest TIOBE Index.

Image Credit: Undrey/Shutterstock.com

Post a Comment

Your email address will not be published.