Increasing the Robustness of C Libraries and Applications through Run-time Introspection

Manuel Rigger, Rene Mayrhofer, Roland Schatz, Matthias Grimmer, Hanspeter Moessenboeck

06 February 2017

In C, low-level errors such as buffer overflows and use-after-free errors are a major problem since they cause security vulnerabilities and hard-to-find bugs. Libraries cannot apply defensive programming techniques since objects (e.g., arrays or structs) lack run-time information such as bounds, lifetime, and types. To address this issue, we devised introspection functions that empower C programmers to access run-time information about objects and variadic function arguments. Using these functions, we implemented a more robust, source-compatible version of the C standard library that validates the parameters passed to its functions. The library functions react to otherwise undefined behavior; for example, when detecting an invalid argument, they return a special value (such as -1 or NULL) and set errno, or attempt to still compute a meaningful result. We demonstrate by examples that using introspection in the implementation of the C standard library and other libraries prevents common low-level errors, while also complementing existing approaches.
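The parameter validation described above can be sketched as follows. This is an added example, not code from the paper: `track`, `bytes_right` and `robust_strcpy` are hypothetical names, the small registry stands in for a runtime that knows object bounds, and the choice of EINVAL and ERANGE is an assumption.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a runtime that knows object bounds. */
struct obj { uintptr_t base; size_t size; };
static struct obj tracked[8];
static size_t n_tracked;

static void track(const void *base, size_t size) {
    if (n_tracked < 8)
        tracked[n_tracked++] = (struct obj){ (uintptr_t)base, size };
}

/* Hypothetical introspection call: bytes from p to the end of its object,
   or -1 if p points into no tracked object. */
static long bytes_right(const void *p) {
    uintptr_t a = (uintptr_t)p;
    for (size_t i = 0; i < n_tracked; i++)
        if (a >= tracked[i].base && a - tracked[i].base < tracked[i].size)
            return (long)(tracked[i].size - (a - tracked[i].base));
    return -1;
}

/* strcpy variant that validates its arguments before touching memory. */
static char *robust_strcpy(char *dst, const char *src) {
    long dst_room = bytes_right(dst), src_room = bytes_right(src);
    if (dst_room < 0 || src_room < 0) { errno = EINVAL; return NULL; }
    /* Bounded scan: never read past the end of the source object. */
    const char *nul = memchr(src, '\0', (size_t)src_room);
    if (nul == NULL) { errno = EINVAL; return NULL; }  /* unterminated source */
    size_t needed = (size_t)(nul - src) + 1;
    if (needed > (size_t)dst_room) { errno = ERANGE; return NULL; }
    memmove(dst, src, needed);
    return dst;
}

int main(void) {
    char small[4], big[16], src[] = "hello";  /* constructed sample objects */
    track(small, sizeof small); track(big, sizeof big); track(src, sizeof src);
    printf("big:   %s\n", robust_strcpy(big, src) ? big : "rejected");
    printf("small: %s\n", robust_strcpy(small, src) ? small : "rejected");
    return 0;
}
```

A plain `strcpy(small, src)` would write past the 4-byte buffer; here the call fails cleanly and the caller can inspect errno.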


Venue: USENIX Security '17