The C++ language combines a massive potential for raw power with the massive
risk of type and memory safety violations. The developer is inherently
responsible for securing all executed code and to guarantee type safety and
memory safety. We are particularly focused on type safety. In C++, developers
can cast objects from one type to another. While upcasts in the type lattice are
always safe, downcasts may be unsafe as the size (and fields) of a child object
may be different from the parent. In existing code bases, only few---if
any---casts are validated at runtime due to not just performance cost but due to
an inherent incompatibility: thanks to C++s relation with C, most objects are
simple arrays of bytes without any associated type information. Only few
classes, namely those with virtual functions, carry type information. To
implement virtual dispatch, C++ adds a field to the class that identifies the
type and allows virtual functions to call the corresponding method according to
the underlying type of the object. Only a small percentage of classes have
virtual methods and only those can be checked at runtime.
To ensure compatibility between C and C++, existing mechanisms tried to store
disjoint type metadata. For each allocated object they allocated type
information and for each cast, they checked that the cast object actually
corresponds to the correct type. This disjoint metadata is expensive to manage
and results in incompatibilities as cleaning up metadata after objects are
destructed is often omitted.
Our key idea with type++ is to
create a dialect of C++ that explicitly incorporates type information into all
classes. This embedded type information, that is present in all allocated
objects, allows efficient type checks for all casts. In our
implementation, we make all type casts
explicit and leverage this runtime information to validate each cast at runtime.
Our evaluation shows that even for large projects, only few lines need to be
changed. For example, for the millions of lines of code of the SPEC CPU
benchmarks, we only change 125 lines for SPEC CPU2006 and 131 lines for SPEC
CPU2017. For Chromium, we only change 229 lines of code to protect large parts
of the 35 millions lines of code. The performance overhead ranges around a very
reasonable 1%. We conclude that enforcing type safety across even large projects
is feasible with minimal code changes. Developers should aim at full type safety
and protect their code against type confusion attacks!
This work was a collaboration among Nicolas Badoux, Flavio Toffalini, Yuseok
Jeon, and Mathias Payer all at the HexHive as part of Nicolas' main PhD project.
This work received all artifact evaluation badges and, at
the conference, received a distinguished paper award.