Security Beyond Memory Safety
Perspective Security Beyond Memory Safety Using Modern C++ to Avoid Vulnerabilities by Design Max Hoffmann Security Beyond Memory Safety CppCon 2024 FIFTY SHADES OF SHOOTING YOURSELF IN THE FOOT WITH A RAILGUN
0 points | 79 pages | 4.15 MB | 5 months ago
A Relaxed Guide to memory_order_relaxed
A Relaxed Guide to memory_order_relaxed Hans Boehm Paul E. McKenney Google Facebook CPPCON 2020 std::atomic/std::atomic_ref and memory_order_relaxed ● C++ atomic sacrificing the simple threads-as-interleaving semantics ● by passing memory_order enum values to explicit atomic operations. ● In particular, memory_order_relaxed allows arbitrary visibility reordering with respect About memory_order_relaxed? ● Just a load, just a store: Full control, excellent efficiency and scalability! ○ Assuming aligned machine-sized atomic objects, that is… What is Not to Like About memory_order_relaxed
0 points | 32 pages | 278.53 KB | 5 months ago
Practical memory pool based allocators for Modern C++
© 2019 Apex.AI, Inc. Safe and certified software for autonomous mobility TM Practical memory pool based allocators for Modern C++ by Misha Shalem misha.shalem@apex.ai © 2020 Apex.AI, Inc. ● CppCon Andreas Pasternak ● Quote: “Memory pools and allocators are only one piece of the solution” Today we are going to talk about this one piece in (more) depth Memory allocations in real-time practically for C++ memory allocations? We asked an independent 3rd party safety assessor and the answer was “It should comply to Autosar C++ 14 Coding Guidelines regarding memory allocations”
0 points | 49 pages | 986.95 KB | 5 months ago
Object Introspection: A Revolutionary Memory Profiler for C++ Objects
Bar std::string Bar std::string Bar std::string Object Introspection (OI) Goals • Byte level memory footprint analysis for objects • Complete object type hierarchies • Dynamic allocations and containers hierarchy from a given root type • Understand the layout in memory of the entire hierarchy • Understand how to interpret data at memory offsets • Understand containers • Compiler generated debug Object Introspection Measurement Code Code Generation Applied Example 1 • Unused container memory: Unused Sz = (C.capacity() - C.size()) * sizeof(element) Name TypeName Number ElemStatSz Length
0 points | 62 pages | 2.24 MB | 5 months ago
C++ Memory Model: from C++11 to C++23
Memory Model C++11 – C++23 About Me: alex.dathskovsky@speedata.io www.linkedin.com/in/alexdathskovsky https://www.cppnext.com Alex Dathskovsky | alex.dathskovsky@speedata.io | www.linkedin.com/in/a hazards • an instruction can be executed when its operands have been calculated or loaded from memory • an instruction stalls if operands are not available Reordering Types • Data dependencies must be honored • C++ compiler may reorder any memory access under the as-if rule • Different processors have different reordering guaranties
0 points | 112 pages | 5.17 MB | 5 months ago
Embracing an Adversarial Mindset for Cpp Security
criminals • advanced adversaries How: • Focus on code be execution from different sessions. • Shared memory allocations • Use-After-Free Remote Execution Who: • Advanced adversaries How: • Deserialization Authentication: Up to $100,000 https://www.microsoft.com/en-us/msrc/bounty Upward Trends of Vulns by Type ● Memory Safety issues stay dominant ● Remote Code Execution (RCE) ● Elevation of Privilege (EoP) ● Numeric 2019 2020 2021 2022 2023 2024 Memory Safety Issues Heap Corruption Heap OOB Stack Corruption Type Confusion Uninitialized Use Use After Free Other Trends 2023-2024 Memory Safety Issues Numeric Errors
0 points | 92 pages | 3.67 MB | 5 months ago
Compile-Time Validation
Vulnerabilities Spectre Meltdown Memory Safety "Memory safety is the state of being protected from various software bugs and security vulnerabilities when dealing with memory access, such as buffer overflows and vec[0]; vec.push_back(42); cout << ref; // ref may be invalid } Memory Safety - Out of Bounds Accessing (read/write) memory out of bounds of an allocated buffer or container void foo(){ int f1, properties of baz ) Function Composition struct fn_props { perf performance; bool is_memory_safe; bool can_terminate; }; constexpr fn_props compose(fn_props fn1, fn_props fn2) {
0 points | 137 pages | 1.70 MB | 5 months ago
Spanny 2: Rise of std::mdspan
hilbert, matching types ● roboticists and their lack of beer ● external state memory accessor ● improving memory access using asynchronicity ● motivations for std::mdspan ● review std::mdspan
0 points | 117 pages | 2.02 MB | 5 months ago
The Roles of Symmetry And Orthogonality In Design
std::variant • Desired: • variant is “value-type” • Implementation cannot allocate dynamic memory • …BUT! • discover exception may be thrown during move initialization of contained value (during object is destroyed Stack-based (automatic) data objects • Is symmetry to define state based on control-flow (static lexical scoping) • Edge cases managed by the C++ Standard (Guaranteed!) “The compiler
0 points | 151 pages | 3.20 MB | 5 months ago
Just-in-Time Compilation - J F Bastien - CppCon 2020
liberty, folks usually think of JIT as: The executable code changes after the program is loaded into memory and the linker/loader are done doing their work. On modern systems: pages mapped X at some point target architecture. 4. Interpreters have access to run-time information, such as input parameters, control flow, and target machine specifics. This information may change from run to run or be unobtainable analysis. (read)
0 points | 111 pages | 3.98 MB | 5 months ago
284 results in total