Symbolic Safety

One of the biggest challenges in operating systems, distributed systems, and mobile code is how to ensure safety of untrusted code. Two recent proposals are Software Fault Isolation (SFI) and Proof-Carrying Code (PCC). A diicult challenge is how to deal with memory accesses within loops. SFI generates run-time bounds checks at every access, which incurs non-negligible overhead in tight loops, while PCC currently requires that the loop be pre-annotated with invariants that specify these bounds. I present a static analysis for automatically determining the bounds of the memory accesses within a loop. Given a loop in either source code (e.g., C) or executable binary, the analysis attempts to generate a symbolic expression for each memory access in the loop that describes its range in terms of the context (e.g., values of variables) before the loop. An operating system can use the results of the analysis in one of two ways: 1] to prove statically that the surrounding context guarantees that these ranges are in safe bounds and then execute the unmodiied code (as in PCC, but now fully automatic); or 2] to insert a guard before the loop entry that will guarantee at run-time that the ranges are in safe bounds (as in SFI, but hoisted outside the loop). The analysis uses symbolic composition of transfer relations and does not require a xed-point calculation. I demonstrate my analysis on DEC Alpha assembly code for Internet Checksum and Standard ML code for TCP/IP byte copy.