Re: Idea: Array Boundary Checks on Write Access Only

[Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>]

Stephen Leake wrote:
> I don't see why a "read bug" is ever ok!

An array read bug has only local consequences, a wrong return
result (unless the result is an erroneous pointer). An array or
pointer write bug can cause erroneous behaviour in other completely
indepentent classes even if the implementation of these is carefully
scrutinized to be bug free and very carefully shielded against
wrong parameters.

There are no bug free systems but in many types of systems, some
modules (e.g., an encryption module that must not leak secret
keys) must be especially carefully reviewed, while the huge majority
of the system is much less critical. This some-modules-only
review makes only sense if there is a guarantee that no other
less pedantically reviewed code (user interface, etc.) can
accidentially or maliciously be caused to overwrite the internal data
structures of the critical module.

Therefore, array boundary checks for write access are much more
important than array boundary checks for read access, and I think
it is a cute idea to be able to switch off read checks and leave
in write checks for production versions. Read checks should
however stay in effect for pointer arrays, when to the target
of the read pointer a later write access might happen.

A wrong array read just causes some variable value to be wrong,
there are thousands of other bugs that have the same effect. A
wrong array or pointer write causes errors at other places and
that is an effect other types of bugs will not have.

So I think write-only checks are a useful tradeoff in many
situations. The read checks are very expensive, not only because of
the inserted check instructions, but also because the many
different paths of execution that can result make optimization
difficult.

Markus

-- 
Markus G. Kuhn, Security Group, Computer Lab, Cambridge University, UK
email: mkuhn at acm.org,  home page: <http://www.cl.cam.ac.uk/~mgk25/>