The Communications Web site, http://cacm.acm.org, features more than a dozen bloggers in the BLOG@CACM community. In each issue of Communications, we’ll publish selected posts or excerpts.

Follow us on Twitter at http://twitter.com/blogCACM

DOI:10.1145/3057284 http://cacm.acm.org/blogs/blog-cacm

Ending Null Pointer Crashes
Void safety, says Bertrand Meyer, relies on type declarations and static analysis.

Bertrand Meyer
Null-Pointer Crashes, No More
http://bit.ly/2i6w0nz
December 20, 2016

As an earlier article [5] emphasized, code matters; so do programming languages. While Eiffel is best known for its Design by Contract techniques, they are only part of a systematic design all focused on enabling developers to realize the best of their abilities—and eradicate from their code the sources of crashes and buggy behavior.

Talking about sources of crashes, one of the principal plagues of modern programs is null-pointer dereferencing. This term denotes what happens when you call x.f, meaning apply f (a field access or an operation) to the object that x references. If you want to define meaningful data structures, you need to allow "null," also known as Nil and Void, as one of the possible values for reference variables (for example, to terminate linked structures: the "next" field of the last list element must be null, to indicate there is no next element). But then you should make sure that x.f never gets called for null x, since there is in that case no object to which we can apply f.

The problem is particularly acute in object-oriented programming languages, where x.f is the major computational mechanism. Every single execution of this construct (how many billions of them occurred in running programs around the world since you started reading this?) faces that risk. Compilers for many languages catch other errors of a similar nature—particularly type errors, such as assigning the wrong kind of value to a variable—but they do nothing about prohibiting null pointer dereferencing.

This fundamental brittleness threatens the execution of most programs running today. Calling it a "billion-dollar mistake" as Tony Hoare did [1] is not an exaggeration. In his recent Ph.D. thesis [2], Alexander Kogtenkov surveyed the null-pointer-dereferencing bugs in the Common Vulnerabilities and Exposures (CVE) database, the reference repository of information about Internet attacks. The resulting chart, showing the numbers per year, is edifying.

Beyond the numbers stand real examples, often hair-raising. The description of vulnerability CVE-2016-9113 (http://bit.ly/2mafdkJ) states:

There is a dereference in function imagetobmp of convertbmp.c:980 of OpenJPEG 2.1.2. image->comps[0].data is not assigned a value after initialization(NULL). Impact is Denial of Service.

Yes, that is for the JPEG standard. Try not to think of it when you upload your latest pictures. Just for one month (November 2016), the CVE database contains null pointer vulnerabilities affecting products of the Gotha of the IT industry, from Google (http://bit.ly/2mfdAD2) and Microsoft (http://bit.ly/2muJImD) ("theoretically everyone could crash a server with just a single specifically crafted packet") to Red Hat (http://red.ht/2lXB5xS) and Cisco (http://bit.ly/2mMcueo). The entry for an NVIDIA example (at http://bit.ly/2lUREf8) explains:

For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU Display Driver R340 before 342.00 and R375 before 375.63 contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler where a NULL pointer dereference caused by invalid user input may lead to denial of service or potential escalation of privileges.

We keep hearing complaints that "the Internet was not designed with security in mind." What if the problem had far less to do with the design (TCP/IP is brilliant) than with the languages that people use to write tools implementing these protocols?

In Eiffel, we decided that the situation was no longer tolerable. After the language had eradicated unsafe casts through the type system, memory

8 COMMUNICATIONS OF THE ACM | MAY 2017 | VOL. 60 | NO. 5 blog@cacm

[Chart: Null pointer issues (such as null pointer dereferencing) in the Common Vulnerabilities and Exposures database. Number of null-pointer issues per year, 2000 to 2016 (vertical axis 0 to 80), with the 10-year average. Collected by Alexander Kogtenkov from MITRE's CVE® database.]

management errors through garbage collection and data races through the SCOOP concurrency mechanism, null pointer dereferencing was the remaining dragon to slay. Today Eiffel is void-safe: a null pointer dereference can simply not happen. By accepting your program, the compiler guarantees that every single execution of every single x.f will find x attached to an actual object, rather than void.

How do we do this? I am not going to describe the void-safe mechanism in detail here, referring instead to the online documentation [6], with the warning that it is still being improved. But I can give the basic ideas. The original article describing void safety (and giving credit to other languages for some of the original ideas) was a keynote at ECOOP in 2005 [3]. Revisiting the solution some years later, I wrote [4]:

Devising, refining, and documenting the concept behind the mechanism presented here took a few weeks. The engineering took four years.

That was optimistic. Seven more years later, the "engineering" continues. It is not a matter of ensuring void safety; the mechanism was essentially sound from the beginning. The continued fine-tuning has to do with facilitating the programmer's task. Any mechanism that avoids bugs—another example is static typing—buys safety and reliability at a possible cost in expressiveness: you have to prohibit harmful schemes (otherwise you would not avoid any bugs), but you do not want to prohibit useful schemes (otherwise it is very easy to remove bugs: just reject all programs!) or make them too awkward to express. The "engineering" consists of ever more sophisticated static analysis, through which the compiler can accept safe cases that simplistic rules would reject.

In practice, the difficulty of fine-tuning void safety mostly involves the initialization of objects. While the details of void safety can be elaborate, the essential idea is simple: the mechanism relies on type declarations and static analysis.

The void-safe type system introduces a distinction between "attached" and "detachable" types. If you declare a variable p1 as just of type (for example) PERSON, it can never be void: its value will always be a reference to an object of that type; p1 is "attached." This is the default. If you want p2 to accept a void value you will declare it as detachable PERSON. Simple compile-time consistency rules support this distinction: you can assign p1 to p2, but not the other way around. They ensure an "attached" declaration is truthful: at runtime, p1 will always be non-void. That is a formal guarantee from the compiler.

The static analysis produces more such guarantees, without particular actions from the programmers as long as the code is safe. For example, if you write

    if p2 /= Void then p2.f end

we know that things are OK. (Well, under certain conditions. In concurrent programming, for example, we must be sure that no other thread running in parallel can make p2 void between the time we test it and the time we apply f. The rules take care of these conditions.)

The actual definition cannot, of course, say that "the compiler" will recognize safe cases and reject unsafe ones. We cannot just entrust the safety of our program to the inner workings of a tool (even open-source tools like the existing Eiffel compilers). Besides, there is more than just one compiler. Instead, the definition of void safety uses a set of clear and precise rules, known as Certified Attachment Patterns (CAPs), which compilers must implement. The preceding example is just one such CAP. A formal model backed by mechanized proofs (using the Isabelle/HOL proof tool) provides [2] solid evidence of the soundness of these rules, including the delicate parts about initialization.

Void safety has been here for several years, and no one who has used it wants to go back. (The conversion to void safety of older, non-void-safe projects is not as painless.) Writing void-safe code quickly becomes second nature.

And what about your code: are you certain it can never produce a null-pointer dereference?

References
1. Hoare, C.A.R., Null References: The Billion-Dollar Mistake, August 25, 2009, http://bit.ly/2lAhgeP
2. Kogtenkov, A., Void Safety, ETH Zurich Ph.D. thesis, January 2017, http://se.inf.ethz.ch/people/kogtenkov/thesis.pdf
3. Meyer, B., Attached Types and their Application to Three Open Problems of Object-Oriented Programming, in ECOOP 2005 (Proceedings of the European Conference on Object-Oriented Programming, Edinburgh, 25-29 July 2005), ed. Andrew Black, Lecture Notes in Computer Science 3586, Springer, 2005, pages 1-32, http://bit.ly/2muJ8Ff
4. Meyer, B., Kogtenkov, A., and Stapf, E., Avoid a Void: The Eradication of Null Dereferencing, in Reflections on the Work of C.A.R. Hoare, eds. C.B. Jones, A.W. Roscoe and K.R. Wood, Springer, 2010, pages 189-211, http://bit.ly/2lsNfN0
5. Meyer, B., Those Who Say Code Does Not Matter, CACM, April 15, 2014, http://bit.ly/1mNqout
6. Void safety documentation at eiffel.org: http://bit.ly/2lsS2xZ

Bertrand Meyer is a professor of software engineering at Politecnico di Milano and Innopolis University.

© 2017 ACM 0001-0782/17/05 $15.00
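The attached/detachable distinction, the certified pattern `if p2 /= Void then p2.f end`, and the unassigned-field case behind the CVE-2016-9113 description earlier in the post, as an added example that is not part of Meyer's post and is neither Eiffel nor OpenJPEG code. It is written in Rust, where `&T` versus `Option<&T>` plays the role of Eiffel's attached versus detachable PERSON and where the compiler, like a void-safe Eiffel compiler, rejects any use of a detachable value that is not inside a pattern it can certify. The types `Person`, `Component` and `Image`, the function `image_to_bmp` standing in for OpenJPEG's `imagetobmp`, and the two sample images are all constructed for this illustration.

```rust
// Added example: attached vs. detachable references, one Certified
// Attachment Pattern, and the "field never assigned after initialization"
// case from CVE-2016-9113, modelled in Rust. Every type and function here
// is constructed for the illustration; none is Eiffel or OpenJPEG code.

/// An object to which we want to apply an operation `f`.
#[derive(Debug)]
pub struct Person {
    pub name: String,
}

impl Person {
    /// The `f` in `x.f`: only callable on an actual object, never on "void".
    pub fn greeting(&self) -> String {
        format!("Hello, {}", self.name)
    }
}

/// An "attached" reference. `&Person` can never be null, so `p1.greeting()`
/// needs no check: the Rust counterpart of Eiffel's default `p1: PERSON`.
pub fn greet_attached(p1: &Person) -> String {
    p1.greeting()
}

/// Widening is allowed: an attached value may be assigned to a detachable
/// one (Eiffel: `p2 := p1` with `p2: detachable PERSON`).
pub fn widen(p1: &Person) -> Option<&Person> {
    Some(p1)
}

/// A "detachable" reference: `Option<&Person>` may be `None` (Eiffel's Void).
/// The reverse assignment `let p1: &Person = p2;` does not compile, and
/// neither does `p2.greeting()`. The only way to reach the object is a
/// pattern the compiler certifies, here `if let Some(p) = p2`, the
/// counterpart of `if p2 /= Void then p2.f end`. Inside the branch `p` is
/// attached, so `p.greeting()` is statically safe. Because `p2` is owned by
/// this function, no other thread can detach it between the test and the
/// use, which is the condition the post mentions for concurrent code.
pub fn greet_detachable(p2: Option<&Person>) -> Option<String> {
    if let Some(p) = p2 {
        Some(p.greeting())
    } else {
        None
    }
}

/// Constructed model of the CVE-2016-9113 description: an image component
/// whose pixel buffer "is not assigned a value after initialization".
/// In C that field is a pointer that stays NULL; here it is an `Option`,
/// so the compiler refuses any use that does not first establish attachment.
#[derive(Debug, Default)]
pub struct Component {
    pub width: usize,
    pub height: usize,
    pub data: Option<Vec<i32>>, // None until a decoder fills it in
}

#[derive(Debug, Default)]
pub struct Image {
    pub comps: Vec<Component>,
}

/// Stand-in for `imagetobmp`: packs the first component into 8-bit samples.
/// Where the C code dereferenced `comps[0].data` unconditionally, this
/// version must handle the unassigned case and reports it instead of
/// crashing. Each sample is clamped to 0..=255 before being stored as a byte.
pub fn image_to_bmp(img: &Image) -> Result<Vec<u8>, &'static str> {
    let comp = img.comps.first().ok_or("image has no components")?;
    let data = comp.data.as_ref().ok_or("component 0 has no pixel data")?;
    if data.len() != comp.width * comp.height {
        return Err("pixel buffer size does not match dimensions");
    }
    Ok(data.iter().map(|&v| v.clamp(0, 255) as u8).collect())
}

fn main() {
    let alice = Person { name: "Alice".to_string() };
    println!("{}", greet_attached(&alice));
    println!("{:?}", greet_detachable(widen(&alice)));
    println!("{:?}", greet_detachable(None));

    // Constructed decoded image: the buffer has been assigned.
    let good = Image { comps: vec![Component { width: 2, height: 2, data: Some(vec![0, 128, 300, -5]) }] };
    println!("{:?}", image_to_bmp(&good));

    // Constructed malformed input: the decoder never assigned comps[0].data.
    let bad = Image { comps: vec![Component { width: 2, height: 2, data: None }] };
    println!("{:?}", image_to_bmp(&bad));
}
```

Replacing `if let Some(p) = p2 { ... }` with a direct `p2.greeting()` makes the program fail to compile, which is the compile-time rejection the post describes; the C function in the CVE compiled and crashed at run time instead.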
