It is well known that programs written in C are apt to suffer from
nasty errors due to dangling pointers and/or buffer overflow.  In
particular, such errors in Internet servers are often exploited by
malicious attackers to ``crack'' an entire system, which becomes even
social problems nowadays.  Nevertheless, it is yet unrealistic to
throw away the C language at once because of legacy programs and
legacy _programmers_.  To alleviate this dilemma, many approaches to
safe implementations of the C language---such as Safe C and
CCured---have been proposed and implemented.  To our knowledge,
however, none of them support all the features of the ANSI C standard
_and_ prevent all unsafe operations.  (By unsafe operations, we mean
any operation that leads to ``undefined behavior'', such as array
boundary overrun and dereference of a pointer in a wrong type.)

This paper describes a memory-safe implementation of the _full_ ANSI C
language.  Our implementation detects and disallows all unsafe
operations, yet conforming to the full ANSI C standard (including
casts and unions) and even supporting many ``dirty tricks'' common in
programs beyond ANSI C.  This is achieved using sophisticated
representations of pointers (and integers) that contain dynamic type
and size information.  We also devise several techniques---both
compile-time and runtime---to reduce the overhead of runtime checks.