By Julia Schwarz
Much of the internet runs on systems written in the C programming language, but C has major security vulnerabilities. Now, computer scientists at Princeton and the University of California-San Diego have created a tool that safeguards these systems while developers migrate them into safer languages, a process that will take many years.
This migration includes core operating systems like Windows and Android, as well as applications like Dropbox, Chrome and Firefox, according to Amit Levy, an assistant professor of computer science and senior author on the paper. The work was presented at the USENIX Symposium on Operating Systems Design and Implementation on July 8, where it won a best paper award.
Much of the code ever written, according to Levy, is written in C. These millions of lines of code form the basis of modern digital infrastructure, including essential systems related to banking, healthcare and transportation. Most of this code is good and has no vulnerabilities. But computer systems are not static. Every system requires regular maintenance and adaptation. When engineers work on these systems, they can unintentionally introduce security problems related to the underlying C code.
Newer languages like Rust, Swift and Go have guardrails to prevent developers from introducing certain bugs, but C does not. “C has very few training wheels,” said Levy. “It opens the door to a bunch of security vulnerabilities that have historically been really hard for programmers to avoid.”
To make systems safer, the US government and major corporations have started migrating critical systems to newer languages like Rust. But migrating systems to Rust isn’t a safety guarantee, said Levy, because no real-world system can be written entirely in one programming language.
In practice, nearly every program interacts with older, legacy code, most of it written in C. One major source of these interactions is code libraries, which are widely used by developers as a shortcut for building common pieces of applications — everything from encryption to creating visual elements like buttons to handling basic network protocols.
Crucially, even if the core functions of an application are built in Rust, any interaction with a C library can potentially introduce vulnerabilities. This is because when Rust and C interact in an application, they create shared memory. And writing memory incorrectly — also known as buffer overflow attacks — is a key source of security vulnerabilities in C.
“Once you have that potential vulnerability, anyone can exploit it,” said Levy.
To prevent this, Levy and his collaborators have created a new tool, called Omniglot, which sets intermediaries between Rust and C code. Omniglot not only isolates memory used by C libraries it also checks shared memory for inconsistencies.
Both approaches have been used before, said Levy, but a key feature of Omniglot is its efficiency and speed. Checking pieces of code can slow down an application so much it becomes useless. “A lot of the novelty,” said Levy, “is doing that part efficiently.”
The paper “Building Bridges: Safe Interactions with Foreign Languages through Omniglot” was presented July 8 at the USENIX Symposium on Operating Systems Design and Implementation. In addition to Levy, authors include Mae Milano, Leon Schuermann and Jack Toubes of Princeton and Tyler Potyondy and Pat Pannuto of the University of California-San Diego. The research was supported in part by the U.S. National Science Foundation.