C++ Safe Buffers

Introduction

Clang can be used to harden your C++ code against buffer overflows, an otherwise common security issue with C-based languages.

The solution described in this document is an integrated programming model as it combines:

  • a family of opt-in Clang warnings (-Wunsafe-buffer-usage) emitted at during compilation to help you update your code to encapsulate and propagate the bounds information associated with pointers;

  • runtime assertions implemented as part of (libc++ hardening modes) that eliminate undefined behavior as long as the coding convention is followed and the bounds information is therefore available and correct.

The goal of this work is to enable development of bounds-safe C++ code. It is not a “push-button” solution; depending on your codebase’s existing coding style, significant (even if largely mechanical) changes to your code may be necessary. However, it allows you to achieve valuable safety guarantees on security-critical parts of your codebase.

This solution is under active development. It is already useful for its purpose but more work is being done to improve ergonomics and safety guarantees and reduce adoption costs.

The solution aligns in spirit with the “Ranges” safety profile that was proposed by Bjarne Stroustrup for standardization alongside other C++ safety features.

Pre-Requisites

In order to achieve bounds safety, your codebase needs to have access to well-encapsulated bounds-safe container, view, and iterator types. If your project uses libc++, standard container and view types such as std::vector and std::span can be made bounds-safe by enabling the “fast” hardening mode (passing -D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST) to your compiler) or any of the stricter hardening modes.

In order to harden iterators, you’ll need to also obtain a libc++ binary built with _LIBCPP_ABI_BOUNDED_ITERATORS – which is a libc++ ABI setting that needs to be set for your entire target platform if you need to maintain binary compatibility with the rest of the platform.

A relatively fresh version of C++ is recommended. In particular, the very useful standard view class std::span requires C++20.

Other implementations of the C++ standard library may provide different flags to enable such hardening.

If you’re using custom containers and views, they will need to be hardened this way as well, but you don’t necessarily need to do this ahead of time.

This approach can theoretically be applied to plain C codebases, assuming that safe primitives are developed to encapsulate all buffer accesses, acting as “hardened custom containers” to replace raw pointers. However, such approach would be very unergonomic in C, and safety guarantees will be lower due to lack of good encapsulation technology. A better approach to bounds safety for non-C++ programs, -fbounds-safety, is currently in development.

Technically, safety guarantees cannot be provided without hardening the entire technology stack, including all of your dependencies. However, applying such hardening technology to even a small portion of your code may be significantly better than nothing.

The Programming Model for C++

Assuming that hardened container, view, and iterator classes are available, what remains is to make sure they are used consistently in your code. Below we define the specific coding convention that needs to be followed in order to guarantee safety and how the compiler technology around -Wunsafe-buffer-usage assists with that.

Buffer operations should never be performed over raw pointers

Every time a memory access is made, a bounds-safe program must guarantee that the range of accessed memory addresses falls into the boundaries of the memory allocated for the object that’s being accessed. In order to establish such a guarantee, the information about such valid range of addresses – the bounds information associated with the accessed address – must be formally available every time a memory access is performed.

A raw pointer does not naturally carry any bounds information. The bounds information for the pointer may be available somewhere, but it is not associated with the pointer in a formal manner, so a memory access performed through a raw pointer cannot be automatically verified to be bounds-safe by the compiler.

That said, the Safe Buffers programming model does not try to eliminate all pointer usage. Instead it assumes that most pointers point to individual objects, not buffers, and therefore they typically aren’t associated with buffer overflow risks. For that reason, in order to identify the code that requires manual intervention, it is desirable to initially shift the focus away from the pointers themselves, and instead focus on their usage patterns.

The compiler warning -Wunsafe-buffer-usage is built to assist you with this step of the process. A -Wunsafe-buffer-usage warning is emitted whenever one of the following buffer operations are performed on a raw pointer:

  • array indexing with [],

  • pointer arithmetic,

  • bounds-unsafe standard C functions such as std::memcpy(),

  • C++ smart pointer operations such as std::unique_ptr<T[N]>::operator[](), which unfortunately cannot be made fully safe within the rules of the C++ standard (as of C++23).

This is sufficient for identifying each raw buffer pointer in the program at at least one point during its lifetime across your software stack.

For example, both of the following functions are flagged by -Wunsafe-buffer-usage because pointer gets identified as an unsafe buffer pointer. Even though the second function does not directly access the buffer, the pointer arithmetic operation inside it may easily be the only formal “hint” in the program that the pointer does indeed point to a buffer of multiple objects:

int get_last_element(int *pointer, size_t size) {
  return ptr[sz - 1]; // warning: unsafe buffer access
}

int *get_last_element_ptr(int *pointer, size_t size) {
  return ptr + (size - 1); // warning: unsafe pointer arithmetic
}

All buffers need to be encapsulated into safe container and view types

It immediately follows from the previous requirement that once an unsafe pointer is identified at any point during its lifetime, it should be immediately wrapped into a safe container type (if the allocation site is “nearby”) or a safe view type (if the allocation site is “far away”). Not only memory accesses, but also non-access operations such as pointer arithmetic need to be covered this way in order to benefit from the respective runtime bounds checks.

If a container type (std::array, std::vector, std::string) is used for allocating the buffer, this is the best-case scenario because the container naturally has access to the correct bounds information for the buffer, and the runtime bounds checks immediately kick in. Additionally, the container type may provide automatic lifetime management for the buffer (which may or may not be desirable).

If a view type is used (std::span, std::string_view), this typically means that the bounds information for the “adopted” pointer needs to be passed to the view’s constructor manually. This makes runtime checks immediately kick in with respect to the provided bounds information, which is an immediate improvement over the raw pointer. However, this situation is still fundamentally insufficient for security purposes, because bounds information provided this way cannot be guaranteed to be correct.

For example, the function get_last_element() we’ve seen in the previous section can be made slightly safer this way:

int get_last_element(int *pointer, size_t size) {
  std::span<int> sp(pointer, size);
  return sp[size - 1]; // warning addressed
}

Here std::span eliminates the potential concern that the operation size - 1 may overflow when sz is equal to 0, leading to a buffer “underrun”. However, such program does not provide a guarantee that the variable sz correctly represents the actual size fo the buffer pointed to by ptr. The std::span constructed this way may be ill-formed. It may fail to protect you from overrunning the original buffer.

The following example demonstrates one of the most dangerous anti-patterns of this nature:

void convert_data(int *source_buf, size_t source_size,
                  int *target_buf, size_t target_size) {
  // Terrible: mismatched pointer / size.
  std::span<int> target_span(target_buf, source_size);
  // ...
}

The second parameter of std::span should never be the desired size of the buffer. It should always be the actual size of the buffer. Such code often indicates that the original code has already contained a vulnerability – and the use of a safe view class failed to prevent it.

If target_span actually needs to be of size source_size, a significantly safer way to produce such a span would be to build it with the correct size first, and then resize it to the desired size by calling .first():

void convert_data(int *source_buf, size_t source_size,
                  int *target_buf, size_t target_size) {
  // Safer.
  std::span<int> target_span(target_buf, target_size).first(source_size);
  // ...
}

However, these are still half-measures. This code still accepts the bounds information from the caller in an informal manner, and such bounds information cannot be guaranteed to be correct.

In order to mitigate problems of this nature in their entirety, the third guideline is imposed.

Encapsulation of bounds information must be respected continuously

The allocation site of the object is the only reliable source of bounds information for that object. For objects with long lifespans across multiple functions or even libraries in the software stack, it is essential to formally preserve the original bounds information as it’s being passed from one piece of code to another.

Standard container and view classes are designed to preserve bounds information correctly by construction. However, they offer a number of ways to “break” encapsulation, which may cause you to temporarily lose track of the correct bounds information:

  • The two-parameter constructor std::span(ptr, size) allows you to assemble an ill-formed std::span;

  • Conversely, you can unwrap a container or a view object into a raw pointer and a raw size by calling its .data() and .size() methods.

  • The overloaded operator&() found on container and iterator classes acts similarly to .data() in this regard; operations such as &span[0] and &*span.begin() are effectively unsafe.

Additional -Wunsafe-buffer-usage warnings are emitted when encapsulation of standard containers is broken in this manner. If you’re using non-standard containers, you can achieve a similar effect with facilities described in the next section: Backwards Compatibility, Interoperation with Unsafe Code, Customization.

For example, our previous attempt to address the warning in get_last_element() has actually introduced a new warning along the way, that notifies you about the potentially incorrect bounds information passed into the two-parameter constructor of std::span:

int get_last_element(int *pointer, size_t size) {
  std::span<int> sp(pointer, size); // warning: unsafe constructor
  return sp[size - 1];
}

In order to address this warning, you need to make the function receive the bounds information from the allocation site in a formal manner. The function doesn’t necessarily need to know where the allocation site is; it simply needs to be able to accept bounds information when it’s available. You can achieve this by refactoring the function to accept a std::span as a parameter:

int get_last_element(std::span<int> sp) {
  return sp[size - 1];
}

This solution puts the responsibility for making sure the span is well-formed on the caller. They should do the same, so that eventually the responsibility is placed on the allocation site!

Such definition is also very ergonomic as it naturally accepts arbitrary standard containers without any additional code at the call site:

void use_last_element() {
  std::vector<int> vec { 1, 2, 3 };
  int x = get_last_element(vec);  // x = 3
}

Such code is naturally bounds-safe because bounds-information is passed down from the allocation site to the buffer access site. Only safe operations are performed on container types. The containers are never “unforged” into raw pointer-size pairs and never “reforged” again. This is what ideal bounds-safe C++ code looks like.

Backwards Compatibility, Interoperation with Unsafe Code, Customization

Some of the code changes described above can be somewhat intrusive. For example, changing a function that previously accepted a pointer and a size separately, to accept a std::span instead, may require you to update every call site of the function. This is often undesirable and sometimes completely unacceptable when backwards compatibility is required.

In order to facilitate incremental adoption of the coding convention described above, as well as to handle various unusual situations, the compiler provides two additional facilities to give the user more control over -Wunsafe-buffer-usage diagnostics:

  • #pragma clang unsafe_buffer_usage to mark code as unsafe and suppress -Wunsafe-buffer-usage warnings in that code.

  • [[clang::unsafe_buffer_usage]] to annotate potential sources of discontinuity of bounds information – thus introducing additional -Wunsafe-buffer-usage warnings.

In this section we describe these facilities in detail and show how they can help you with various unusual situations.

Suppress unwanted warnings with #pragma clang unsafe_buffer_usage

If you really need to write unsafe code, you can always suppress all -Wunsafe-buffer-usage warnings in a section of code by surrounding that code with the unsafe_buffer_usage pragma. For example, if you don’t want to address the warning in our example function get_last_element(), here is how you can suppress it:

int get_last_element(int *pointer, size_t size) {
  #pragma clang unsafe_buffer_usage begin
  return ptr[sz - 1]; // warning suppressed
  #pragma clang unsafe_buffer_usage end
}

This behavior is analogous to #pragma clang diagnostic (documentation) However, #pragma clang unsafe_buffer_usage is specialized and recommended over #pragma clang diagnostic for a number of technical and non-technical reasons. Most importantly, #pragma clang unsafe_buffer_usage is more suitable for security audits because it is significantly simpler and describes unsafe code in a more formal manner. On the contrary, #pragma clang diagnostic comes with a push/pop syntax (as opposed to the begin/end syntax) and it offers ways to suppress warnings without mentioning them by name (such as -Weverything), which can make it difficult to determine at a glance whether the warning is suppressed on any given line of code.

There are a few natural reasons to use this pragma:

  • In implementations of safe custom containers. You need this because ultimately -Wunsafe-buffer-usage cannot help you verify that your custom container is safe. It will naturally remind you to audit your container’s implementation to make sure it has all the necessary runtime checks, but ultimately you’ll need to suppress it once the audit is complete.

  • In performance-critical code where bounds-safety-related runtime checks cause an unacceptable performance regression. The compiler can theoretically optimize them away (eg. replace a repeated bounds check in a loop with a single check before the loop) but it is not guaranteed to do that.

  • For incremental adoption purposes. If you want to adopt the coding convention gradually, you can always surround an entire file with the unsafe_buffer_usage pragma and then “make holes” in it whenever you address warnings on specific portions of the code.

  • In the code that interoperates with unsafe code. This may be code that will never follow the programming model (such as plain C code that will never be converted to C++) or with the code that simply haven’t been converted yet.

Interoperation with unsafe code may require a lot of suppressions. You are encouraged to introduce “unsafe wrapper functions” for various unsafe operations that you need to perform regularly.

For example, if you regularly receive pointer/size pairs from unsafe code, you may want to introduce a wrapper function for the unsafe span constructor:

#pragma clang unsafe_buffer_usage begin

template <typename T>
std::span<T> unsafe_forge_span(T *pointer, size_t size) {
  return std::span(pointer, size);
}

#pragma clang unsafe_buffer_usage end

Such wrapper function can be used to suppress warnings about unsafe span constructor usage in a more ergonomic manner:

void use_unsafe_c_struct(unsafe_c_struct *s) {
  // No warning here.
  std::span<int> sp = unsafe_forge_span(s->pointer, s->size);
  // ...
}

The code remains unsafe but it also continues to be nicely readable, and it proves that -Wunsafe-buffer-usage has done it best to notify you about the potential unsafety. A security auditor will need to keep an eye on such unsafe wrappers. It is still up to you to confirm that the bounds information passed into the wrapper is correct.

Flag bounds information discontinuities with [[clang::unsafe_buffer_usage]]

The clang attribute [[clang::unsafe_buffer_usage]] (attribute documentation) allows the user to annotate various objects, such as functions or member variables, as incompatible with the Safe Buffers programming model. You are encouraged to do that for arbitrary reasons, but typically the main reason to do that is when an unsafe function needs to be provided for backwards compatibility.

For example, in the previous section we’ve seen how the example function get_last_element() needed to have its parameter types changed in order to preserve the continuity of bounds information when receiving a buffer pointer from the caller. However, such a change breaks both API and ABI compatibility. The code that previously used this function will no longer compile, nor link, until every call site of that function is updated. You can reclaim the backwards compatibility – in terms of both API and ABI – by adding a “compatibility overload”:

int get_last_element(std::span<int> sp) {
  return sp[size - 1];
}

[[clang::unsafe_buffer_usage]] // Please use the new function.
int get_last_element(int *pointer, size_t size) {
  // Avoid code duplication - simply invoke the safe function!
  // The pragma suppresses the unsafe constructor warning.
  #pragma clang unsafe_buffer_usage begin
  return get_last_element(std::span(pointer, size));
  #pragma clang unsafe_buffer_usage end
}

Such an overload allows the surrounding code to continue to work. It is both source-compatible and binary-compatible. It is also strictly safer than the original function because the unsafe buffer access through raw pointer is replaced with a safe std::span access no matter how it’s called. However, because it requires the caller to pass the pointer and the size separately, it violates our “bounds information continuity” principle. This means that the callers who care about bounds safety needs to be encouraged to use the std::span-based overload instead. Luckily, the attribute [[clang::unsafe_buffer_usage]] causes a -Wunsafe-buffer-usage warning to be displayed at every call site of the compatibility overload in order to remind the callers to update their code:

void use_last_element() {
  std::vector<int> vec { 1, 2, 3 };

  // no warning
  int x = get_last_element(vec);

  // warning: this overload introduces unsafe buffer manipulation
  int x = get_last_element(vec.data(), vec.size());
}

The compatibility overload can be further simplified with the help of the unsafe_forge_span() wrapper as described in the previous section – and it even makes the pragmas unnecessary:

[[clang::unsafe_buffer_usage]] // Please use the new function.
int get_last_element(int *pointer, size_t size) {
  // Avoid code duplication - simply invoke the safe function!
  return get_last_element(unsafe_forge_span(pointer, size));
}

Notice how the attribute [[clang::unsafe_buffer_usage]] does not suppress the warnings within the function on its own. Similarly, functions whose entire definitions are covered by #pragma clang unsafe_buffer_usage do not become automatically annotated with the attribute [[clang::unsafe_buffer_usage]]. They serve two different purposes:

  • The pragma says that the function isn’t safely written;

  • The attribute says that the function isn’t safe to use.

Also notice how we’ve made an unsafe wrapper for a safe function. This is significantly better than making a safe wrapper for an unsafe function. In other words, the following solution is significantly more unsafe and undesirable than the previous solution:

int get_last_element(std::span<int> sp) {
  // You've just added that attribute, and now you need to
  // immediately suppress the warning that comes with it?
  #pragma clang unsafe_buffer_usage begin
  return get_last_element(sp.data(), sp.size());
  #pragma clang unsafe_buffer_usage end
}


[[clang::unsafe_buffer_usage]]
int get_last_element(int *pointer, size_t size) {
  // This access is still completely unchecked. What's the point of having
  // perfect bounds information if you aren't performing runtime checks?
  #pragma clang unsafe_buffer_usage begin
  return ptr[sz - 1];
  #pragma clang unsafe_buffer_usage end
}

Structs and classes, unlike functions, cannot be overloaded. If a struct contains an unsafe buffer (in the form of a nested array or a pointer/size pair) then it is typically impossible to replace them with a safe container (such as std::array or std::span respectively) without breaking the layout of the struct and introducing both source and binary incompatibilities with the surrounding client code.

Additionally, member variables of a class cannot be naturally “hidden” from client code. If a class needs to be used by clients who haven’t updated to C++20 yet, you cannot use the C++20-specific std::span as a member variable type. If the definition of a struct is shared with plain C code that manipulates member variables directly, you cannot use any C++-specific types for these member variables.

In such cases there’s usually no backwards-compatible way to use safe types directly. The best option is usually to discourage the clients from using member variables directly by annotating the member variables with the attribute [[clang::unsafe_buffer_usage]], and then to change the interface of the class to provide safe “accessors” to the unsafe data.

For example, let’s assume the worst-case scenario: struct foo is an unsafe struct type fully defined in a header shared between plain C code and C++ code:

struct foo {
  int *pointer;
  size_t size;
};

In this case you can achieve safety in C++ code by annotating the member variables as unsafe and encapsulating them into safe accessor methods:

struct foo {
  [[clang::unsafe_buffer_usage]]
  int *pointer;
  [[clang::unsafe_buffer_usage]]
  size_t size;

// Avoid showing this code to clients who are unable to digest it.
#if __cplusplus >= 202002L
  std::span<int> get_pointer_as_span() {
    #pragma clang unsafe_buffer_usage begin
    return std::span(pointer, size);
    #pragma clang unsafe_buffer_usage end
  }

  void set_pointer_from_span(std::span<int> sp) {
    #pragma clang unsafe_buffer_usage begin
    pointer = sp.data();
    size = sp.size();
    #pragma clang unsafe_buffer_usage end
  }

  // Potentially more utility functions.
#endif
};

Future Work

The -Wunsafe-buffer-usage technology is in active development. The warning is largely ready for everyday use but it is continuously improved to reduce unnecessary noise as well as cover some of the trickier unsafe operations.

Fix-It Hints for -Wunsafe-buffer-usage

A code transformation tool is in development that can semi-automatically transform large bodies of code to follow the C++ Safe Buffers programming model. It can currently be accessed by passing the experimental flag -fsafe-buffer-usage-suggestions in addition to -Wunsafe-buffer-usage.

Fixits produced this way currently assume the default approach described in this document as they suggest standard containers and views (most notably std::span and std::array) as replacements for raw buffer pointers. This also additionally requires libc++ hardening in order to make the runtime bounds checks actually happen.

Static Analysis to Identify Suspicious Sources of Bounds Information

The unsafe constructor span(pointer, size) is often a necessary evil when it comes to interoperation with unsafe code. However, passing the correct bounds information to such constructor is often difficult. In order to detect those span(target_pointer, source_size) anti-patterns, path-sensitive analysis performed by the clang static analyzer can be taught to identify situations when the pointer and the size are coming from “suspiciously different” sources.

Such analysis will be able to identify the source of information with significantly higher precision than that of the compiler, making it much better at identifying incorrect bounds information in your code while producing significantly fewer warnings. It will also need to bypass #pragma clang unsafe_buffer_usage suppressions and “see through” unsafe wrappers such as unsafe_forge_span – something that the static analyzer is naturally capable of doing.