Increasing Computer Security in C

With the support of the NSF, PSU Professor Andrew Tolmach works to make computer systems safer.

[Image: buggy C code at the root of the 2014 "Heartbleed" security vulnerability, which exposed private data]

Lack of memory safety is one of the biggest threats to data privacy and system security lurking in our cell phones, computers, gaming systems and other electronic devices. The underlying source of many memory safety issues is the programming language C, which places no runtime checks on memory accesses, so a program can read or write memory it was never meant to touch. Hackers or other threat actors can exploit memory safety errors to read or corrupt private information. They might even take control of the system by executing arbitrary code, which could cause severe damage in high-security environments such as national defense systems.

Andrew Tolmach, a Professor of Computer Science at Portland State University, has devoted much of his career to making computer systems safer. Earlier this year, the National Science Foundation awarded Tolmach a half-million dollars to support his research in improving the security properties of C. The grant will fund Tolmach and his research team’s work for three years.

"C's biggest strength is that it allows programmers to write very efficient code, but this can be a weakness from a security perspective because if programmers write a program in C incorrectly, the results can be very dangerous," said Tolmach. 

Originally developed in 1972 and sometimes referred to as "the mother of all programming languages," C is widely used in low-level infrastructure software, such as the operating systems present in most computers as well as embedded systems such as video game consoles and medical devices. C sits one level above machine code, the instructions that directly control the hardware.

While newer programming languages, such as Java, do not have the same memory safety issues as C, C is unlikely to be replaced any time soon due to its ubiquity and presence in legacy systems. To address this reality, researchers at the University of Pennsylvania and Draper Labs, a nonprofit engineering and research lab located in Cambridge, MA, have developed an enhanced computer processor feature called PIPE (Processor Interlock for Policy Enforcement) Architecture to curb the security threats posed by C's weaknesses.

The PIPE Architecture works by maintaining metadata (called tags) alongside ordinary data and code. Metadata is similar to the information inscribed on a dog's tag. Dog tags typically include the dog's name, vaccination status, and the contact information of its owner(s); dog tags carry information about the dog but are not part of the dog. Similarly, a PIPE tag describes the role and intended use of each instruction and each location in memory without being part of the instruction or the data itself. On every instruction the processor compares the tags on the instruction and on the memory it touches against a policy, and an access that violates the policy is stopped before it completes. This ensures that the program functions as intended and accesses only the part of the computer's memory it is entitled to.
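The following is an added example, not code from the PIPE project or from Tolmach's research team, and the policy it enforces is one simple illustrative choice made by the editor, not PIPE's actual policy language or hardware design. It simulates in software what a tag-checking processor does: every memory cell carries a tag alongside its data, every pointer carries the tag of the allocation it came from, and a load or store is allowed only when the two tags match. It then runs a Heartbleed-style over-read (a peer claims its payload is longer than the buffer that holds it) once without checks, where the adjacent secret leaks, and once with the tag check, where the access stops at the allocation boundary. The memory layout, tag values and the "PING"/"S3CR3T" contents are all constructed for the demonstration.

```c
/* tagged_mem_demo.c - software simulation of tag-checked memory accesses.
 * Added illustrative example; the colouring policy below is the editor's
 * own, not PIPE's. Build: cc -Wall -o tagged_mem_demo tagged_mem_demo.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 32          /* size of the simulated memory, in cells */
#define TAG_FREE 0           /* tag on memory that belongs to no allocation */

typedef struct { uint8_t data; uint8_t tag; } cell_t;  /* a data byte plus its metadata */
typedef struct { size_t addr; uint8_t tag; } tptr_t;   /* a pointer plus its metadata */

static cell_t mem[MEM_SIZE];
static uint8_t next_tag = 1;

/* Allocate n cells starting at base and colour them with a fresh tag.
 * The returned pointer carries that same tag (assumed allocator, for the demo). */
static tptr_t talloc(size_t base, size_t n) {
    tptr_t p = { base, next_tag++ };
    for (size_t i = 0; i < n && base + i < MEM_SIZE; i++) {
        mem[base + i].tag = p.tag;
        mem[base + i].data = 0;
    }
    return p;
}

/* The interlock: an access is allowed only if the pointer's tag matches the
 * cell's tag. Returns 0 on success, -1 on a policy violation, which is where
 * a real tagged processor would trap instead of completing the access. */
static int tagged_load(tptr_t p, size_t off, uint8_t *out) {
    size_t a = p.addr + off;
    if (a >= MEM_SIZE || mem[a].tag != p.tag) return -1;
    *out = mem[a].data;
    return 0;
}

static int tagged_store(tptr_t p, size_t off, uint8_t v) {
    size_t a = p.addr + off;
    if (a >= MEM_SIZE || mem[a].tag != p.tag) return -1;
    mem[a].data = v;
    return 0;
}

/* Copy `len` bytes out of `src` into `dst`. With enforce == 0 this is plain C:
 * it trusts `len` and reads straight through the end of the allocation.
 * With enforce != 0 every load goes through the tag check and the copy stops
 * at the first violation. Returns the number of bytes actually copied. */
static size_t copy_out(tptr_t src, size_t len, uint8_t *dst, int enforce) {
    size_t i;
    for (i = 0; i < len && src.addr + i < MEM_SIZE; i++) {
        if (enforce) {
            if (tagged_load(src, i, &dst[i]) != 0) break;   /* policy violation */
        } else {
            dst[i] = mem[src.addr + i].data;                /* unchecked read */
        }
    }
    return i;
}

/* Set up two adjacent allocations (a 4-byte request payload followed by a
 * 6-byte secret), then honour a peer's claim that the payload is 10 bytes
 * long. Fills `out` and returns how many bytes were copied. */
static size_t demo_overread(int enforce, uint8_t out[16]) {
    memset(mem, 0, sizeof mem);
    memset(out, 0, 16);
    next_tag = 1;
    tptr_t req = talloc(0, 4);          /* constructed payload buffer */
    tptr_t sec = talloc(4, 6);          /* constructed adjacent secret */
    const char *payload = "PING", *secret = "S3CR3T";
    for (size_t i = 0; i < 4; i++) tagged_store(req, i, (uint8_t)payload[i]);
    for (size_t i = 0; i < 6; i++) tagged_store(sec, i, (uint8_t)secret[i]);
    size_t claimed_len = 10;            /* attacker-controlled length field */
    return copy_out(req, claimed_len, out, enforce);
}

/* 1 if the bytes returned to the peer contain the neighbouring secret. */
static int demo_leaks_secret(int enforce) {
    uint8_t out[16];
    size_t n = demo_overread(enforce, out);
    return n >= 10 && memcmp(out + 4, "S3CR3T", 6) == 0;
}

int main(void) {
    uint8_t out[16];
    size_t n = demo_overread(0, out);
    printf("unchecked: copied %zu bytes, secret leaked: %s\n", n, demo_leaks_secret(0) ? "yes" : "no");
    n = demo_overread(1, out);
    printf("tag-checked: copied %zu bytes, secret leaked: %s\n", n, demo_leaks_secret(1) ? "yes" : "no");
    return 0;
}
```

The point of the demonstration is that the buggy copy loop is left exactly as written; nothing in the C source was fixed. The protection comes from the metadata the simulated processor carries beside the data, which is what lets a tagged architecture defend legacy C code without rewriting it.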

Tolmach's research focuses on adapting C code to run on the PIPE Architecture and making the language more secure. He and his team are working on specifying the security properties of the metadata in C, creating tags that tell the system how the code should operate. They are also building a compiler, which is a tool that translates adapted C code into tagged machine code that will run on the enhanced processor of the PIPE Architecture. To demonstrate that the compiler is secure, they are developing a mathematical proof that will be machine-checked (verified by a computer).

The most likely early application of the PIPE Architecture and adapted C code will be in high-security settings, such as national defense systems, government agencies, and financial institutions. Consumer goods won't likely be early adopters of this technology. However, some embedded systems, such as medical devices, could incorporate the technologies sooner.

Over the past decade, Tolmach has collaborated with researchers at institutions worldwide, including the University of Pennsylvania, Inria (the National Institute for Research in Digital Science and Technology in France), Draper Labs, and the Max Planck Institute in Germany, to develop the technology.

"It takes a long time to mature both the research and the partnerships that enable this work," emphasized Tolmach. "I'm very pleased about our progress so far and excited about what we'll achieve in the next three years."