Delivering safe C++
Bjarne Stroustrup, Columbia University, www.stroustrup.com
Overview • The challenges of safety • What is “safety”? • C++ Evolution • with a focus on safety • C++ Core Guidelines ... towards utilizing memory safe languages. • ... • NSA advises organizations to consider making a strategic shift from programming languages that provide little or no inherent memory protection, such as C/C++, to a memory safe language when possible. Some examples of memory safe languages are C#, Go, Java, Ruby™, and Swift®. • NSA: https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2023/p2739r00
74 pages | 2.72 MB | 5 months ago

Security Beyond Memory Safety
Perspective. Security Beyond Memory Safety: Using Modern C++ to Avoid Vulnerabilities by Design. Max Hoffmann, CppCon 2024.
FIFTY SHADES OF SHOOTING YOURSELF IN THE FOOT WITH A RAILGUN
79 pages | 4.15 MB | 5 months ago

Building Safe and Reliable Surgical Robotics with C++
... behavior; Medical device operates correctly in response to inputs, including in failure scenarios (Fail-safe Design), to prevent harm or hazards to patient. Security: Protection of systems, networks, and data ... Lines of C++ Code. Reminder of a simple, but often overlooked, question: Why C++? Can C++ usage be safe? Mitigate Safety and Security Vulnerabilities. What can we do then? Explore Tooling, Processes. -Werror -Wall -Wextra Compiler Options. Hardening Guide for C and C++: Compiler Hardening. Prioritize memory and type safety ❖ Compiler extensions should be disallowed. Compiler Flag | Supported Since | Description
71 pages | 4.02 MB | 5 months ago

A Relaxed Guide to memory_order_relaxed
Hans Boehm (Google), Paul E. McKenney (Facebook), CppCon 2020.
std::atomic/std::atomic_ref and memory_order_relaxed ● C++ atomic ... sacrificing the simple threads-as-interleaving semantics ● by passing memory_order enum values to explicit atomic operations. ● In particular, memory_order_relaxed allows arbitrary visibility reordering with respect ... About memory_order_relaxed? ● Just a load, just a store: Full control, excellent efficiency and scalability! ○ Assuming aligned machine-sized atomic objects, that is… What is Not to Like About memory_order_relaxed
32 pages | 278.53 KB | 5 months ago

Practical memory pool based allocators for Modern C++
© 2019 Apex.AI, Inc. Safe and certified software for autonomous mobility. By Misha Shalem, misha.shalem@apex.ai.
● CppCon 2019: Safe Software for Autonomous Mobility With Modern C++ by Andreas Pasternak ● Quote: “Memory pools and allocators are only one piece of the solution”. Today we are going to talk about this in depth. Memory allocations in a real-time safety-critical environment ● The solution should be safe and certifiable ● What does it mean practically for C++ memory allocations? We asked ...
49 pages | 986.95 KB | 5 months ago

Object Introspection: A Revolutionary Memory Profiler for C++ Objects
Object Introspection (OI) Goals • Byte level memory footprint analysis for objects • Complete object type hierarchies • Dynamic allocations and containers ... hierarchy from a given root type • Understand the layout in memory of the entire hierarchy • Understand how to interpret data at memory offsets • Understand containers • Compiler generated debug ... Object Introspection: Measurement Code, Code Generation. Applied Example 1 • Unused container memory: Unused Sz = (C.capacity() - C.size()) * sizeof(element). Name | TypeName | Number | ElemStatSz | Length
62 pages | 2.24 MB | 5 months ago

C++ Memory Model: from C++11 to C++23
About Me: Alex Dathskovsky, alex.dathskovsky@speedata.io, www.linkedin.com/in/alexdathskovsky, https://www.cppnext.com
... hazards • an instruction can be executed when its operands have been calculated or loaded from memory • an instruction stalls if operands are not available. Reordering Types • Data dependencies must be honored • C++ compiler may reorder any memory access under the as-if rule • Different processors have different reordering guarantees
112 pages | 5.17 MB | 5 months ago

Lifetime Safety in C++: Past, Present and Future
The lifetime safety toolbox. What comes next? Memory Safety • Microsoft: 70 percent of all security bugs are memory safety issues | ZDNET • Memory safety (chromium.org) • Implications of Rewriting a Browser Component in Rust - Mozilla Hacks - the Web developer blog • Google Online Security Blog: Memory Safe Languages in Android 13 (googleblog.com). Spatial safety / Temporal safety. Approaches to safety: Safe, Unsafe, Safe-by-construction, Safe but ...
124 pages | 2.03 MB | 5 months ago

Khronos APIs for Heterogeneous Compute and Safety: SYCL and SYCL SC
...veness and simplicity for heterogeneous programming in modern C++. New Features: Unified Shared Memory | Parallel Reductions | Subgroup Operations | Class Template Argument Deduction. SYCL Conformance Test Suite released: https://github.com/KhronosGroup/SYCL-CTS. Unified Shared Memory, implicit vs explicit data movement: array_view ptr; extent<2> e(64, 64); parallel_for_each(e ... Unified shared memory provides an alternative pointer-based data management model to the buffer/accessor model ○ Unified virtual address space (consistent pointers) ○ Pointer-based structures ○ Explicit memory management
82 pages | 3.35 MB | 5 months ago

Compile-Time Validation
Vulnerabilities: Spectre, Meltdown. Memory Safety: "Memory safety is the state of being protected from various software bugs and security vulnerabilities when dealing with memory access, such as buffer overflows and ... vec[0]; vec.push_back(42); cout << ref; // ref may be invalid } Memory Safety - Out of Bounds: Accessing (read/write) memory out of bounds of an allocated buffer or container void foo(){ int ... properties of baz ) Function Composition struct fn_props { perf performance; bool is_memory_safe; bool can_terminate; }; constexpr fn_props compose(fn_props fn1, fn_props fn2) { static_assert( ...
137 pages | 1.70 MB | 5 months ago
277 results in total