The Meaning of Memory Safety

We give a rigorous characterization of what it means for a programming language to be memory safe, capturing the intuition that memory safety supports local reasoning about state. We formalize this principle in two ways. First, we show how a small memory-safe language validates a noninterference property: a program can neither affect nor be affected by unreachable parts of the state. Second, we extend separation logic, a proof system for heap-manipulating programs, with a memory-safe variant of its frame rule. The new rule is stronger because it applies even when parts of the program are buggy or malicious, but also weaker because it demands a stricter form of separation between parts of the program state. We also consider a number of pragmatically motivated variations on memory safety and the reasoning principles they support. As an application of our characterization, we evaluate the security of a previously proposed dynamic monitor for memory safety of heap-allocated data.Comment: POST'18 final versio

Safety-critical Java for embedded systems

This paper presents the motivation for and outcomes of an engineering research project on certifiable Java for embedded systems. The project supports the upcoming standard for safety-critical Java, which defines a subset of Java and libraries aiming for development of high criticality systems. The outcome of this project include prototype safety-critical Java implementations, a time-predictable Java processor, analysis tools for memory safety, and example applications to explore the usability of safety-critical Java for this application area. The text summarizes developments and key contributions and concludes with the lessons learned

Unification of Safety-Critical Java

International audienceIn response to increasing interest in the use of objectoriented technology for development of safety-critical systems, the new DO-178C guidelines will include supplements to address object-oriented technology, model-driven development, formal methods, and development tool qualification [1]. These supplements correlate well with the emerging safety-critical Java standard. As a portable object-oriented programming language enabling high levels of abstraction, safety-critical Java is an ideal candidate for automatic code generation for programming models. The use of formal methods toprove the absence of certain memory management errors at run time is a critical distinction between safety-critical Java and the Real-Time Specification for Java (RTSJ) [2]. And the specialized development tools that facilitate the use of these formal methods will, in the ideal, be qualified so that the results of their analysis can be relied upon as trustworthy safety certification evidence

Implementing Safety-Critical Java Missions in Ada

Critical systems written in Ada are still reluctant to use dynamic memory allocation. The Ravenscar profile, for example, prohibits the dynamic creation of tasks. This is in spite of the availability of storage pools and the strong compile-time checking of access types. The Java community has, by necessity, taken a slightly less conservative approach. Safety-Critical Java (SCJ) supports a constrained use of dynamic memory allocation. This paper takes the SCJ approach and tries to implement it using Ada's storage pools. We show that the approach is not directly transferable to Ada due to the difference in the way that SCJ and Ada handle region-based memory management. However, an equivalent approach can be developed.</jats:p

Applying Java to the Domain of Hard Real-Time Systems

International audienceOrganizations are attracted to Java because the language has proven more economical than C and C++. Companies that have made the switch to Java typically find that they are twice as productive during development of new functionality and five to ten times as productive during reuse of existing code. Organizations that develop in Java also observe decreased software error rates, increased software reuse and longevity, and improved recruitment of competent developers. Special hard real-time Java development practices enable proofs of resource needs and determinism. Early analysis demonstrates that the hard real-time Java platform runs in less than a tenth the memory footprint and up to three times faster than traditional Java for typical hard real-time tasks. Determinism is on par with typical C code, offering more than a 20-fold improvement over the timing predictability of traditional Java