Ironclad C++: A Library-Augmented Type-Safe Subset of C++

Christian DeLozier, University of Pennsylvania
Richard A. Eisenberg, Bryn Mawr College
Santosh Nagarakatte, Rutgers University - New Brunswick/Piscataway
Peter-Michael Osera, Grinnell College
Milo M. K. Martin, Google
Steve Zdancewic, University of Pennsylvania

Abstract

The C++ programming language remains widely used, despite inheriting many unsafe features from C—features that often lead to failures of type or memory safety that manifest as buffer overflows, use-after-free vulnerabilities, or abstraction violations. Malicious attackers can exploit such violations to compromise application and system security. This paper introduces Ironclad C++, an approach to bringing the benefits of type and memory safety to C++. Ironclad C++ is, in essence, a library-augmented, type-safe subset of C++. All Ironclad C++ programs are valid C++ programs that can be compiled using standard, off-the-shelf C++ compilers. However, not all valid C++ programs are valid Ironclad C++ programs: a syntactic source-code validator statically prevents the use of unsafe C++ features. To enforce safety properties that are difficult to check statically, Ironclad C++ applies dynamic checks via templated “smart pointer” classes. Using a semi-automatic refactoring tool, we have ported nearly 50K lines of code to Ironclad C++. These benchmarks incur a performance overhead of 12% on average, compared to the original unsafe C++ code.
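To make the abstract's mechanism concrete, here is an added example (not code from the Ironclad C++ paper or its library) of what a templated "smart pointer" with dynamic checks can do: the class `checked_aptr<T>` below is a hypothetical stand-in that carries the bounds of the array it points into and validates every dereference, so an off-the-end write that would be a silent buffer overflow through a raw pointer becomes a caught exception. The class name, the sample buffers and the helper functions are all constructed for this illustration; the real Ironclad classes differ in design and naming.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>
#include <iostream>

// Hypothetical bounds-checked array pointer (a stand-in, not Ironclad's own
// class). It records the bounds of the object it points into and checks every
// dereference; pointer arithmetic may wander, as in C++, but a bad index is
// rejected at the moment of use instead of corrupting memory.
template <typename T>
class checked_aptr {
public:
    checked_aptr(T* base, std::size_t len, std::ptrdiff_t idx = 0)
        : base_(base), len_(static_cast<std::ptrdiff_t>(len)), idx_(idx) {}

    // Index relative to the current position; this is where the dynamic check lives.
    T& operator[](std::ptrdiff_t off) const {
        const std::ptrdiff_t i = idx_ + off;
        if (i < 0 || i >= len_) {
            throw std::out_of_range("checked_aptr: index " + std::to_string(i) +
                                    " outside [0, " + std::to_string(len_) + ")");
        }
        return base_[i];
    }
    T& operator*() const { return (*this)[0]; }
    checked_aptr operator+(std::ptrdiff_t off) const {
        return checked_aptr(base_, static_cast<std::size_t>(len_), idx_ + off);
    }
    checked_aptr& operator++() { ++idx_; return *this; }

    // Deliberately no conversion to T*: code holding a checked_aptr cannot
    // escape to unchecked raw-pointer access.

private:
    T* base_;
    std::ptrdiff_t len_;
    std::ptrdiff_t idx_;
};

// Writes n_writes successive elements through a checked pointer into a
// 4-element buffer. Returns how many writes landed before the first
// out-of-bounds access was stopped (never more than 4).
std::size_t fill_checked(std::size_t n_writes) {
    std::vector<int> buf(4, 0);                  // constructed sample buffer
    checked_aptr<int> p(buf.data(), buf.size());
    std::size_t written = 0;
    try {
        for (std::size_t i = 0; i < n_writes; ++i) {
            *p = static_cast<int>(i);            // checked dereference
            ++p;                                 // arithmetic itself is unchecked...
            ++written;
        }
    } catch (const std::out_of_range&) {
        // ...so the fifth write (index 4) is rejected here, not after it has
        // overwritten whatever follows the buffer.
    }
    return written;
}

// Reads buf[idx] through a checked pointer; returns -1 when the read is out
// of bounds instead of returning whatever happens to sit past the end.
int read_checked(std::ptrdiff_t idx) {
    int buf[4] = {10, 20, 30, 40};               // constructed sample buffer
    checked_aptr<int> p(buf, 4);
    try {
        return p[idx];
    } catch (const std::out_of_range&) {
        return -1;
    }
}

int main() {
    std::cout << "writes landed (asked for 6): " << fill_checked(6) << "\n";
    std::cout << "buf[2]: " << read_checked(2) << ", buf[7]: " << read_checked(7) << "\n";
    return 0;
}
```

The point of the example is the division of labour the abstract describes: the validator would reject a raw `int*` in Ironclad source, while the check that cannot be decided statically (whether a computed index is in range) is carried out at run time by the pointer class.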