hazard pointer synchronous reclamation
1 Basic Hazard Pointer Algorithm read pointer A from SRC remove A from SRC 1 5 4 Safe to use pointer A SRC A hazard pointer is a single-writer multi-reader pointer. set HP to A if SRC == A clear ACCESS If a hazard pointer points to an object before its removal, then the object will not be reclaimed as long as the hazard pointer remains unchanged. *A Hazard Pointer Synchronous Reclamation Beyond Concurrency TS2 – Maged Michael Protector Remover / Reclaimer Hazard pointers protect access to objects that may be removed concurrently. SAFE RECLAMATION
0 credits | 31 pages | 856.38 KB | 5 months ago

Back to Basics: Pointers
pointers and the C++ language. In this talk, we will discuss the low level foundations of what a raw pointer is--a variable that stores an address. We will then see some examples of raw pointers for creating leave understanding how we can use pointers in a safe manner through the standard library smart pointer abstractions. 4 The abstract that you read and enticed you to join me is here! Code for the talk and more on: www.mshah.io 6 One of my fondest programming memories was... 7 ... when I used a pointer correctly on the first try 8 ● And maybe as a C or C++ programmer you have a similar memory or
0 credits | 152 pages | 5.61 MB | 5 months ago

Finding Bugs using Path-Sensitive Static Analysis
if (var == 1) { *p = 42; // Null dereference? } } p -> Unknown p -> NotNull p -> Unknown p -> Null p -> MaybeNull p -> MaybeNull Warning Unknown Null NotNull MaybeNull Analysis state (cond) { var = 2; p = nullptr; } // branch 3 if (var == 1) { *p = 42; // Null dereference? } } Flow-sensitive analysis resources Path-sensitive checks void path_sensitive(int *p, *p = 42; // Null dereference? } } p: ?1 cond: ?2 var: 0 p: ?1 cond: ?2 var: 1 ?1 != 0 p: null cond: 1 var: 2 p: null cond: ?2 var: 0 p: ?1 cond: 0 var: 1 ?1 != 0 p: null cond: 1 var:
0 credits | 35 pages | 14.13 MB | 5 months ago

Just-in-Time Compilation - J F Bastien - CppCon 2020
GetFirstObjProc(obj); p != NULL; p = GetNextProc(p)) for (b = GetFirstBlock(p); b != NULL; b = GetNextBlock(b)) for (i = GetFirstInst(b); i != NULL; i = GetNextInst(i)) { runtime through either a miscalculation of code locations, mishandled register states or a bad pointer dereference, to name a few. Attacking Client Side JiT Compilers — 2011 (read) While the concept of
0 credits | 111 pages | 3.98 MB | 5 months ago

Code Analysis++
● null pointer dereference ● access to an object through a pointer of a different type ● etc. Compilers are not required to diagnose undefined behavior! Undefined Behavior – Fun with NULL pointers p1179 ○ Owner & Pointer ○ Built-in compiler check ○ Current LLVM implementation gives 5% overhead ○ Annotations to help analysis: gsl::SharedOwner, gsl::Owner, gsl::Pointer void sample1() [-Wsign-compare] int a = -27; unsigned b = 20U; if (a > b) return 27; return 42; [-Wsizeof-pointer-memaccess] int x = 100; int *ptr = &x; memset(ptr, 0, sizeof (ptr)); [-Wmisleading-indentation]
0 credits | 61 pages | 2.70 MB | 5 months ago

Delivering safe C++
constructed and destroyed (resource safety) • Every pointer either points to a valid object or is the nullptr (memory safety) • Every reference through a pointer is not through the nullptr (often a run-time check) • Every access through a subscripted pointer is in-range (often a run-time check) • That • Implies range checking and elimination of dangling pointers (“memory safety”) • Is just what C++ requires corruption: for example, through the result of a range error or by accessing and memory through a pointer to an object that no longer exists thereby changing a different object. • Type errors: for example
0 credits | 74 pages | 2.72 MB | 5 months ago

Building Safe and Reliable Surgical Robotics with C++
stack-based buffer overflows. Can impact performance. -fno-delete-null-pointer-checks GCC 3.0.0, Clang 7.0.0 Force retention of null pointer checks -fno-strict-overflow GCC 4.2.0 Integer overflow may occur -Werror=incompatible-pointer-types GCC 5.5.0 Clang 7.0.0 Treat conversion between pointers that have incompatible types as errors -Werror=int-conversion GCC 2.95.3 Clang 2.6.0 Treat implicit integer to pointer and pointer to integer conversions as errors ❖ Treat obsolete C constructs as errors Compiler Hardening 33 Prioritize Memory, type and thread safety: sanitizers Compiler Flag Supported Since Description
0 credits | 71 pages | 4.02 MB | 5 months ago

Embracing an Adversarial Mindset for Cpp Security
Attacker Controlled Heap Memory Heap Corruption Exploit Explained ● “Spray” the memory with aligned pointer offsets. ● Release the memory to be used again by the program Attacker Controlled Heap Memory Heap CClfsBaseFilePersisted::WriteMetadataBlock will proceed to use the retrieved value from the rgBlocks array as a pointer to the _CLFS_LOG_BLOCK_HEADER structure to increment LogBlockHeader->Record[0]->DumpCount and LogBlockHeader->Usn _CLFS_CONTAINER_CONTEXT stored in base log files and contains a field for storing a kernel pointer. typedef struct _CLFS_CONTAINER_CONTEXT { CLFS_NODE_ID cidNode; ULONGLONG cbContainer;
0 credits | 92 pages | 3.67 MB | 5 months ago

Back to Basics Almost Always Vector
2021, 2022, 2023, 2024}; u_short *yrPtr = co_years.data(); std::cout << "Years using data() pointer: "; for (size_t i = 0; i < co_years.size(); ++i) { std::cout << *(yrPtr + i) << " "; } 15 16 17 18 19 20 [Running] g++ -std=c++20 5_data_when_c.cpp -o 5_data_when_c Years using data() pointer:2019 2020 2021 2022 2023 2024 Modified vector: 2019 9999 2021 2022 2023 2024 [Done] exited with exited with code=139 in 0.626 seconds 1 2 3 4 5 6 7 8 9 10 25 the trade offs Stack Heap Fast - pointer adjustment. Automatic - easy clean up. Predictable - easy to debug. Locality - cache performance
0 credits | 62 pages | 4.86 MB | 5 months ago

Custom Views for the Rest of Us
const value_type& (since C++11) pointer Allocator::pointer (until C++11) std::allocator_traits::pointer (since C++11) const_pointer Allocator::const_pointer (until C++11) std::allocator_t std::allocator_traits ::const_pointer (since C++11) iterator LegacyRandomAccessIterator to value_type const_iterator LegacyRandomAccessIterator to const value_type reverse_iterator std::reverse_iterator class representing a reference to a single bool (class) const_reference bool pointer implementation-defined const_pointer implementation-defined iterator implementation-defined const_iterator implementation-defined
0 credits | 187 pages | 13.25 MB | 5 months ago
252 results in total