We have proposed an extension to C (primarily) and C++ (possibly) to address buffer overflow prevention. Buffer overflows are still a huge practical problem in C, and much important code is still written in C. This is a new approach that may actually work.
The proposal, "Safe arrays amd pointers for C, round 2", is here: http://www.animats.com/papers/languages/safearraysforc41.pdf This has been discussed on Lambda the Ultimate and comp.std.c, and the flaws found in those discussions have been dealt with. So far, no one has found a killer reason why this can't work. The proposal is to combine the concepts of C variable length array formal parameters and C++ references. This allows passing arrays as arrays, rather than pointers. For "strict mode" translation units, arrays must be passed in this way. For compatibility with old code, strict mode code can call non-strict mode code, and vice versa. When strict mode code calls strict mode code, there is checking to insure that sizes match. This approach doesn't require array descriptors or "fat pointers". Example: Standard UNIX/Linux/Posix read, new strict form: int read(size_t n; int fd, void_space(&buf)[n], size_t n); The array parameter as a sized reference, an array of size n. "void_space" is a new type, like "void *" for type matching purposes, but like "char" for space allocation. The initial "size_t n;" is an existing GCC extension, a forward parameter declaration, needed because the array parameter precedes the size parameter. In non-strict code, this can be called with the good old form: char inbuf[512]; int stat = read(somefd, inbuf, 512); The size is not checked in non-strict code. In strict code, the compiler would generate a size check, based on the prototype, that the size of the actual parameter matched the size of the variable length formal parameter. In strict code, arrays generally have to be passed around as references, to keep the associated size information. There's also a way to do this for structs. So this goes beyond C variable length arrays. Again, there are no array descriptors; declarations tell the language where to find the size of an array. So code is compatible at the object level. There's more, but that's the main idea. Programs would be migrated to strict mode from the bottom up. First standard libraries, then security-critical libraries, then security-critical applications. What I'd like for now is an an estimate of how hard this would be to implement in GCC. Most of the necessary features, or something close to them, are already implemented in GCC. Implementors, please comment. Thanks. John Nagle Animats
