Microsoft has just open sourced ‘Checked C,’ C programming language with added security and reliability
Microsoft has open-sourced a research project called Checked C, an extension to the C programming language, to add new syntax and typing to the C language and also add extra security and reliability to the system code. Checked C offers to reduce programming errors by adding safety features to the C language, and keep it safe from vulnerabilities that gave rise to the Heartbleed, Sandworm and Shellshock security incidents.
“The Checked C research project is investigating how to extend the C programming language so that programmers can write more secure and reliable C programs,” Microsoft Research says on its Web site. “The project is developing an extension to C called Checked C that adds checking to C to detect or prevent common programming errors such as buffer overruns, out-of-bounds memory accesses, and incorrect type casts. The extension is designed to be used for existing system software written in C.”
The problem is that the C language doesn’t check to see if you are using a pointer within the memory region you intended to use it. Checked C plans to address these issues by changing how it handles pointers, C’s mechanism for accessing memory directly. Pointers are used by programmers to define memory addresses where their code will operate.
While many more modern programming languages such as Java and C# include bounds checking by automatically adding it to data structures, that functionality isn’t available to developers writing systems software.
“This is a problem for system software, where the programmer needs precise control over what a program is doing,” Microsoft Research said. “In Checked C, the programmer controls the placement of information needed for bounds-checking and how the information flows through the program, so the programmer retains precise control over what a program is doing.”
The Checked C extension provides new kinds of pointer types and array types, programmer-inserted dynamic checks, bounds declarations and many more mechanisms to address the aforementioned problems for developers writing new systems code or modifying legacy code.
“The Checked C extension will let programmers add checking to their programs to detect these kinds of errors when a program runs or while it is being written,” the company said. “Existing system software can be modified incrementally in a backwards-compatible fashion to have this checking.”