ABSTRACT
This paper describes a completely memory-safe compiler for C language programs that is fully compatible with the ANSI C specification. Programs written in C often suffer from serious errors due to dangling pointers and buffer overflows. Such errors in Internet server programs are often exploited by malicious attackers to compromise an entire system. The origin of these errors is usually corruption of in-memory data structures caused by out-of-bound array accesses. Conventional C compilers do not provide any protection against such out-of-bound accesses, although many other languages such as Java and ML do. There have been several proposals for preventing such memory corruption from various angles: runtime buffer overrun detectors, designs for new C-like languages, and compilers for (subsets of) the C language. However, as far as we know, none of them have achieved full memory protection and full compatibility with the C language specification at the same time. We propose the most powerful solution to this problem ever presented. We have developed Fail-Safe C, a memory-safe implementation of the full ANSI C language. It detects and disallows all unsafe operations, yet conforms to the full ANSI C standard (including casts and unions). This paper introduces several techniques, both compile-time and runtime, to reduce the overhead of runtime checks while still maintaining 100% memory safety. This compiler lets programmers easily make their programs safe without heavy rewriting or porting of their code. It also supports many of the "dirty tricks" commonly used in existing C programs, which do not strictly conform to the standard specification. In this paper, we demonstrate several real-world server programs that can be processed by our compiler and present technical details and benchmark results for it.
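As an added illustration (not code from the paper or from the Fail-Safe C implementation), a minimal bounds-carrying pointer in plain C shows the kind of check a memory-safe compiler inserts at every dereference: the off-by-one loop and the widening cast below are both refused at the access, while the pointer arithmetic itself remains permitted as C requires. The `fatptr` layout and the `demo_*` functions are assumptions of this example, not the paper's pointer representation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Illustrative "fat pointer": raw base address plus the bounds of the object
 * it points into (an assumed layout for this example only). */
typedef struct {
    unsigned char *base;  /* start of the underlying object */
    size_t size;          /* object size in bytes */
    size_t offset;        /* current byte offset from base */
} fatptr;

typedef enum { ACCESS_OK = 0, ACCESS_OUT_OF_BOUNDS = 1 } access_status;

/* Arithmetic may leave the object, as in C; bounds travel with the pointer. */
static fatptr fat_add(fatptr p, ptrdiff_t delta) {
    p.offset = (size_t)((ptrdiff_t)p.offset + delta);
    return p;
}

/* Every load or store of n bytes passes through this check. */
static access_status fat_check(fatptr p, size_t n) {
    if (p.offset > p.size || n > p.size - p.offset)
        return ACCESS_OUT_OF_BOUNDS;
    return ACCESS_OK;
}

/* Classic off-by-one loop (i <= len) over an 8-byte buffer. Returns how many
 * of the 9 stores were refused; plain C would silently write past buf. */
int demo_off_by_one(void) {
    unsigned char buf[8];
    fatptr p = { buf, sizeof buf, 0 };
    int rejected = 0;
    for (size_t i = 0; i <= sizeof buf; i++) {
        fatptr q = fat_add(p, (ptrdiff_t)i);
        if (fat_check(q, 1) == ACCESS_OK) q.base[q.offset] = 'A';
        else rejected++;
    }
    return rejected;
}

/* A 4-byte read through a cast pointer at byte offset `off` of an 8-byte
 * buffer. Bounds stay in bytes, so offset 4 is allowed and 5 is refused. */
access_status demo_cast_read(size_t off) {
    unsigned char buf[8] = {0};
    fatptr p = fat_add((fatptr){ buf, sizeof buf, 0 }, (ptrdiff_t)off);
    uint32_t word;
    if (fat_check(p, sizeof word) != ACCESS_OK) return ACCESS_OUT_OF_BOUNDS;
    memcpy(&word, p.base + p.offset, sizeof word);
    return ACCESS_OK;
}
```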