ABSTRACT
This paper considers the problem of providing safe programming support and enabling secure online software upgrades for control software in real-time control systems. In such systems, offline techniques for ensuring code safety are greatly preferable to online techniques. We propose a language called Control-C that is essentially a subset of C, but with key restrictions designed to ensure that memory safety of code can be verified entirely by static checking, under certain system assumptions. The language permits pointer-based data structures, restricted dynamic memory allocation, and restricted array operations, without requiring any runtime checks on memory operations and without garbage collection. The language restrictions have been chosen based on an understanding of both compiler technology and the needs of real-time control systems. The paper describes the language design and a compiler implementation for Control-C. We use control codes from three different experimental control systems to evaluate the suitability of the language for these codes, the effort required to port them to Control-C, and the effectiveness of the compiler in detecting a wide range of potential security violations for one of the systems.
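The abstract's central claim is that, with suitable restrictions (affine array indices in counted loops whose bounds are compile-time constants), a compiler can prove every array access in bounds offline and emit no runtime checks at all. The following toy checker is an added illustration of that reasoning; it is not Control-C's analysis or any code from the paper's compiler. The `Loop`/`Access` representation, the affine-index restriction and the three verdicts (`safe`, `unsafe`, `unknown`) are assumptions made for the example, and the sample loops are constructed.

```python
"""Toy static bounds checker for counted loops with affine array indices.

Added illustration of offline (compile-time) bounds proving, in the spirit
of the abstract. It is NOT Control-C's actual analysis or compiler code:
the loop/access representation, the affine-index restriction and the
three verdicts are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Loop:
    """Counted loop `for (i = lo; i < hi; i++)`. A bound of None models a
    value known only at run time (e.g. read from a sensor or a message)."""
    lo: Optional[int]
    hi: Optional[int]  # exclusive upper bound


@dataclass(frozen=True)
class Access:
    """Array access `arr[a*i + b]` on an array of `length` elements,
    executed on every iteration of the enclosing loop."""
    length: int
    a: int
    b: int


def index_interval(loop: Loop, acc: Access) -> Optional[Tuple[int, int]]:
    """Closed interval [min, max] of a*i+b over the loop's iterations.

    Returns None when a bound is unknown at compile time (no proof possible)
    or when the loop has no iterations (nothing to prove). Because the index
    is affine in i and i takes every integer in [lo, hi-1], the extremes are
    attained at the endpoints, so the interval is exact, not an over-approximation.
    """
    if loop.lo is None or loop.hi is None or loop.hi <= loop.lo:
        return None
    at_lo = acc.a * loop.lo + acc.b
    at_hi = acc.a * (loop.hi - 1) + acc.b
    return (min(at_lo, at_hi), max(at_lo, at_hi))


def verdict(loop: Loop, acc: Access) -> str:
    """'safe'    : every access provably lies in [0, length)
       'unsafe'  : some iteration provably indexes outside the array
       'unknown' : a bound is not a compile-time constant; a language in the
                   spirit of Control-C rejects such code rather than falling
                   back to a runtime check."""
    if loop.lo is None or loop.hi is None:
        return "unknown"
    iv = index_interval(loop, acc)
    if iv is None:
        return "safe"  # zero iterations: the access never executes
    lo_idx, hi_idx = iv
    return "safe" if lo_idx >= 0 and hi_idx < acc.length else "unsafe"


def first_violation(loop: Loop, acc: Access) -> Optional[int]:
    """Smallest loop counter i whose access is out of bounds, or None.
    Useful as the diagnostic a compiler would print when rejecting code."""
    if verdict(loop, acc) != "unsafe":
        return None
    for i in range(loop.lo, loop.hi):
        idx = acc.a * i + acc.b
        if idx < 0 or idx >= acc.length:
            return i
    return None  # unreachable: verdict() already proved a violation exists


if __name__ == "__main__":
    # Constructed sample loops; `buf` is assumed to have 16 elements.
    cases = {
        "for(i=0;i<16;i++) buf[i]":     (Loop(0, 16), Access(16, 1, 0)),
        "for(i=0;i<16;i++) buf[i+1]":   (Loop(0, 16), Access(16, 1, 1)),
        "for(i=0;i<8;i++)  buf[2*i+1]": (Loop(0, 8), Access(16, 2, 1)),
        "for(i=1;i<8;i++)  buf[-i]":    (Loop(1, 8), Access(16, -1, 0)),
        "for(i=0;i<n;i++)  buf[i]":     (Loop(0, None), Access(16, 1, 0)),
    }
    for src, (loop, acc) in cases.items():
        v = verdict(loop, acc)
        extra = ""
        if v == "unsafe":
            extra = f" (first bad iteration i={first_violation(loop, acc)})"
        print(f"{src:30s} -> {v}{extra}")
```

The interesting case is the last one: the loop bound `n` is not a compile-time constant, so no proof is possible. A conventional safe-C approach would insert a runtime check here; the abstract's position is that for real-time control software it is preferable to restrict the language so that such code is rejected offline, keeping the generated code free of checks whose cost and failure behaviour are hard to bound.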