Security via Type Qualifiers
Jeff Foster     U Maryland

Apply it to C lang
  The first problem: C doesn't have ref
    -- malloc on the heap
    -- locals on the stack
    both give you assignable locations, so model them as refs
  C types aren't quite enough
    -- 3 has int type, but that hides the fact that it's
       an R-type (the type of a value); a C variable x declared
       int is really an L-type, a location that holds an int
  ref type for var (let x = ref x in ...)
  deref for rhs (!x): using x on the right-hand side reads the location

  How to deal with multiple files?
    -- use the CIL merger to merge all source code into a
       single file (470432 lines for the linux kernel)
    -- make conservative assumptions about missing files
       e.g.
	   anything globally exposed may be tainted
       but this may be too conservative
    -- give the tool all files at the same time
       include files that give types to library functions
       unify the types of globals across files
       problem: the analysis really needs to scale

Experiment
  -- format string
     (need heuristics to reduce the number of false-positive
     warnings)
  -- user/kernel pointer vulnerability (Johnson + Wagner 04)
     on 32-bit linux the top 1G of the address space belongs to the
     kernel and is protected from user mode; a pointer handed to a
     system call by user code must not be dereferenced directly
      - add two new system calls
	   void setint(int *p)
	   void getint(int *p)
      - user calls getint( buf ) with buf in unmapped space
        -> the kernel faults on its own dereference (crash / DoS)
      - user calls getint( buf ) with buf in kernel space
        -> the kernel reads or writes its own memory on the user's behalf
      - fix: use ***_from_user, ***_to_user instead of memcpy(); they
        check the address range and fail cleanly with an error
      - use type qualifiers to distinguish the two kinds
	of pointers
	  -- kernel
	  -- user
        subtyping kernel < user: a kernel pointer may be used where a
        user pointer is expected, never the reverse; only kernel
        pointers may be dereferenced
	add signatures for appropriate functions
	  -- copy_from_user( void * kernel to,  ...)
	     (the from side is correspondingly a user pointer)
	  -- memcpy( void *kernel to, ...)
        needs to deal with false positives
          e.g. one qualifier per variable, so a variable that holds a
          user pointer at one point and a kernel pointer at another is
          flagged wherever it is dereferenced
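A toy version of the user/kernel qualifier inference sketched above, added here as an illustration; it is not CQual's code nor the Johnson + Wagner implementation. It also shows the ref modelling from the start of these notes: an assignment `dst = src` is `dst := !src`, so the qualifier on src's contents flows into dst's location. Assumed for the example: a tiny statement IR in place of C (the "param"/"addr"/"assign"/"deref"/"call" tuples), one qualifier per pointer name, and the qualified signatures in SIGNATURES (the notes list copy_from_user and memcpy; copy_to_user is filled in by analogy).

```python
from collections import defaultdict

KERNEL, USER = 0, 1                      # lattice: kernel < user, join = max
QNAME = {KERNEL: "kernel", USER: "user"}

# Assumed qualified signatures (CQual would spell them $kernel / $user):
# the qualifier each pointer parameter requires, in parameter order.
SIGNATURES = {
    "copy_from_user": (KERNEL, USER),    # copy_from_user(to, from, n)
    "copy_to_user":   (USER, KERNEL),    # copy_to_user(to, from, n)
    "memcpy":         (KERNEL, KERNEL),  # memcpy(dst, src, n)
}


def check(program):
    """Infer a qualifier for every pointer name in `program` and return
    the list of violations (empty list means the function type-checks).

    `program` is a list of IR statements, one per "line":
      ("param",  name, qual)    syscall parameter with a fixed qualifier
      ("addr",   name)          name = &kernel_object (a kernel pointer)
      ("assign", dst, src)      dst = src, i.e. dst := !src: the qualifier
                                on src's contents flows into dst's location
      ("deref",  name)          *name read or written directly
      ("call",   fn, args)      pointer arguments in SIGNATURES[fn] order
    """
    lower = defaultdict(lambda: KERNEL)  # least solution: start at kernel
    flows = defaultdict(set)             # src -> {dst}: constraint src <= dst
    bounds = []                          # (line, name, max allowed, reason)

    for line, stmt in enumerate(program, 1):
        kind = stmt[0]
        if kind == "param":
            _, name, qual = stmt
            lower[name] = max(lower[name], qual)
        elif kind == "addr":
            lower[stmt[1]] = max(lower[stmt[1]], KERNEL)
        elif kind == "assign":
            _, dst, src = stmt
            flows[src].add(dst)
        elif kind == "deref":
            # Only a kernel pointer may be dereferenced in kernel mode.
            bounds.append((line, stmt[1], KERNEL, "dereferenced directly"))
        elif kind == "call":
            _, fn, args = stmt
            for arg, need in zip(args, SIGNATURES[fn]):
                bounds.append((line, arg, need, f"passed to {fn}"))
        else:
            raise ValueError(f"unknown statement kind {kind!r}")

    # Propagate lower bounds along assignment edges to a fixpoint
    # (subtyping: if src <= dst then dst is at least as "user" as src).
    changed = True
    while changed:
        changed = False
        for src, dsts in flows.items():
            for dst in dsts:
                if lower[src] > lower[dst]:
                    lower[dst] = lower[src]
                    changed = True

    # A violation is an inferred qualifier above the bound a use allows.
    # kernel < user, so a kernel pointer where a user one is required is
    # fine; a user pointer where a kernel one is required is the bug.
    return [
        f"line {line}: {name} is a {QNAME[lower[name]]} pointer but is "
        f"{why} (needs {QNAME[need]})"
        for line, name, need, why in bounds
        if lower[name] > need
    ]


# Constructed IR for the situations described in the notes.

# getint(int *p) { *p = value; }  with p taken straight from user space
BAD_GETINT = [
    ("param", "p", USER),
    ("deref", "p"),
]

# getint fixed: copy_to_user(p, &value, sizeof value)
GOOD_GETINT = [
    ("param", "p", USER),
    ("addr", "kp"),                          # kp = &value, kernel memory
    ("call", "copy_to_user", ("p", "kp")),
]

# user pointer aliased through a local, then handed to memcpy()
ALIASED_MEMCPY = [
    ("param", "buf", USER),
    ("addr", "kbuf"),
    ("assign", "tmp", "buf"),
    ("call", "memcpy", ("kbuf", "tmp")),
]

if __name__ == "__main__":
    for label, prog in [("bad getint", BAD_GETINT),
                        ("good getint", GOOD_GETINT),
                        ("aliased memcpy", ALIASED_MEMCPY)]:
        print(label, "->", check(prog) or "ok")
```

The third program is the interesting one: the bug is not at the dereference but at the memcpy() call, and it is only found because the user qualifier flowed through the assignment to tmp. The same flow-insensitivity is where the false positives come from: tmp gets a single qualifier for the whole function, so if it were reassigned a kernel pointer later and dereferenced there, this toy would still complain.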
	  
