Repository files navigation

Checked C extends C with bounds checking and improved type safety. It helps programmers retrofit existing C code tobe more secure. This repo containstheChecked C specification,sample code, and test code.

• For a quick overview of Checked C and pointers to sample code,see ourWiki.
• You can download Checked C clang compiler releases for Windows, Mac, and Ubuntuhere.
• The specification is availablehere.
• The repo for the Checked C clang compiler ishere. The compiler is a fork ofLLVM/clang. Instructions for building the compiler from source code are on theChecked C clang wiki.

• Fat Pointers For Temporal Memory Safety of C by Jie Zhou,John Criswell, and Michael Hicks. This appeared inOOPSLA 2023.It describes an extension to Checked C that adds new pointers that provide temporal memory safety.

• C to Checked C by 3C, by Aravind Machiry, John Kastner, Matt McCutchen, Aaron Eline,Kyle Headley, and Michael Hicks. This paper describes the semi-automated 3C tool for converting C to Checked C.Itwon a SIGPLAN Distinguished Paper awardat OOPSLA 2022.

• A Formal Model of Checked C, by Liyi Li, Deena Postol, LeonidaLampropoulos, David Van Horn, and Michael Hicks. This was published in the 2022 IEEE 35th Computer Security FoundationsSymposlium. It describe a formal model of Checked C. The model was formalized using the Coq theorem prover.

• Achieving Safety Incrementally With Checked C.This was presented at the2019 Principles of Security and Trust Conference:.This paper describes an early version of 3C that convert existing C code to use Ptr types. It also proves a blameproperty about checked regions that shows that checked regions are blameless for any memory corruption.This proof is formalized for a core subset of the language extension.

• Checked C: Making C Safe by Extension byDavid Tarditi, Samuel Elliott, Andrew Ruef, and Michael Hicks. This appeared in theIEEE 2018 Cybersecurity Development Conference. It describes the key ideas of Checked C boundschecking in 8 pages. We have added features to Checked C since then.TheWiki andspecificationprovide up-to-date descriptions of Checked C.

• There was aposterpresented at theLLVM Dev Meeting2019: "Overflows BeGone: Checked C for Memory Safety". The poster provides an introduction toChecked C, outlines the compiler implementation and presents an experimentalevaluation of Checked C.

• There was atalk(slides)at the2020 LLVM Virtual DevMeeting: "Checked C: Adding memorysafety support to LLVM". The talk describes the design of bounds annotationsfor checked pointers and array pointers as well as the framework for the staticchecking of the soundness of bounds. The talk also briefly describes novel algorithmsto automatically widen bounds for null-terminated arrays and for comparison ofexpressions for equivalence.

We are happy to have the help. You can contribute by trying out Checked C,reporting bugs, and giving us feedback. There are other ways tocontribute too.

The software in this repository is covered by the MIT license. See the file LICENSE.TXT for the license. TheChecked C specification is made available by Microsoft under theOpenWeb Foundation FinalSpecification Agreement, version 1.0.Contributions of code to the Checked LLVM/clang repos aresubject to theLLVM/clang licensing terms.

Checked C is an independent open-source project. It started as a research project at Microsoft in 2015.similar to Checked C. We were looking for a way to improve the security of existing systems software andeliminate classes of bugs.

One approach is to rewrite the software in a newer language such as Rust.However, rewriting code is challenging for a number of reasons: it is costly, there are subtle differences in evenbasic language features such as arithmetic across languages, and it can take a long time before youhave a working system. Combined, this makes a rewrite a high-risk software development project. These kindsof rewrites are unlikely to be done just to improve security. We decided to pursue an incremental approach that allowsexisting C code to be improved gradually and at much lower cost.

Researchers from many universities and companies have contributed to Checked C.Researchers at the University of Maryland, the University of Rochester, the University of Washington, Samsung,Rutgers University, and the University of Pennsylvania have contributed to Checked C.Apple has proposed a C extension similar to Checked C that relies on more dynamic checking.

This project has adopted aCode of Conduct.