Perspective Security Beyond Memory Safety Using Modern C++ to Avoid Vulnerabilities by DesignMax Hoffmann Security Beyond Memory Safety CppCon 2024 2 Security Beyond Memory Safety Using Modern C++ to Security Beyond Memory Safety CppCon 2024 3 FIFTY SHADES OF SHOOTING YOURSELF IN THE FOOT WITH A RAILGUNMax Hoffmann Security Beyond Memory Safety CppCon 2024 4Max Hoffmann Security Beyond Memory Safety CppCon Security Beyond Memory Safety CppCon 2024 6Max Hoffmann Security Beyond Memory Safety CppCon 2024 7Max Hoffmann Security Beyond Memory Safety CppCon 2024 8Max Hoffmann Security Beyond Memory Safety CppCon

A Relaxed Guide to memory_order_relaxed Hans Boehm Paul E. McKenney Google Facebook CPPCON 2020std::atomic/std::atomic_ref and memory_order_relaxed ● C++ atomic sacrificing the simple threads-as-interleaving semantics ● by passing memory_order enum values to explicit atomic operations. ● In particular, memory_order_relaxed allows arbitrary visibility reordering with respect About memory_order_relaxed? ● Just a load, just a store: Full control, excellent efficiency and scalability! ○ Assuming aligned machine-sized atomic objects, that is…What is Not to Like About memory_order_relaxed

© 2019 Apex.AI, Inc. Safe and certified software for autonomous mobility TM Practical memory pool based allocators for Modern C++ by Misha Shalem misha.shalem@apex.ai © 2020 Apex.AI, Inc.● CppCon Andreas Pasternak ● Quote: “Memory pools and allocators are only one piece of the solution” Today we going to talk about this one piece in (more) depth © 2020 Apex.AI, Inc.Memory allocations in real-time practically for C++ memory allocations? We asked an independent 3rd party safety assessor and the answer was “It should comply to Autosar C++ 14 Coding Guidelines regarding memory allocations” © 2020

Bar std::string Bar std::string Bar std::stringObject Introspection (OI) Goals • Byte level memory footprint analysis for objects • Complete object type hierarchies • Dynamic allocations and containers hierarchy from a given root type • Understand the layout in memory of the entire hierarchy • Understand how to interpret data at memory offsets • Understand containers • Compiler generated debug Object Introspection Measurement Code Code GenerationApplied Example 1 • Unused container memory: Unused Sz = (C.capacity() - C.size()) * sizeof(element) Name TypeName Number ElemStatSz Length

Memory Model C++11 – C++23About Me: alex.dathskovsky@speedata.io www.linkedin.com/in/alexdathskovsky https://www.cppnext.comAlex Dathskovsky | alex.dathskovsky@speedata.io | www.linkedin.com/in/a hazards • an instruction can be executed when its operands have been calculated or loaded from memory • an instruction stalls if operands are not availableAlex Dathskovsky | alex.dathskovsky@speedata com/in/alexdathskovsky Reordering Types • Data dependencies must be honored • C++ compiler may reorder any memory access under the as-if rule • Different processors have different reordering guarantiesAlex

AnalyticsA story 🚨 90% Memory Used: What’s that alarm? 🔍Back to basics: How does my code impact memory usage? 👷 Memory allocation troubleshooting & tools: Leak & Fragmentation🚨 90% Memory Used: What’s that that alarm?🚨 90% Memory Used What’s that alarm? Consequences: ● Swap: performance degradation ● Out-of-memory (OOM) killer: service disruption ● Multi-tenant environment: resources are shared by different 90% Memory Used ~$ top -o RES What’s that alarm?🚨 90% Memory Used What’s that alarm? ~$ top -o RES🔍Back to basics: How does my code impact memory usage?How does my code impact memory usage? new

The input in this case is the memory data structure. • As shown in the diagram, the data in a memory data structure is distributed across various locations in memory, interconnected through pointers XOffsetDatastructure, CppCon 2024 27 Memory Data Structure2.2.1 The First Category • Serialization • The output is a data buffer. • The process involves transforming the memory data structure into a data buffer • The input is the data buffer. • The output is the memory data structure. • The process entails converting the data buffer back into a memory data structure. This conversion needs traversing and

foo("hello this is a long string"); This will do memory allocation. If this was in a performance sensitive portion of the code and we did not want memory allocation, we may need to write alternate methods provides performance benefits which we will see shortly.Basics • string_view does not allocate any memory. • It consists of a) pointer to string and b) length. 5 H E L L O ! \0 sv1 { pointer, len = 6 you are using string_view 6Performance benefits • The fact that string_view does not allocate memory can be used to gain performance in some scenarios. E.g., String splitting. 7 vector split_string(const

. . . . . . . . . . . . . . . . . . . . . . 77 4.8 Memory overcommitment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 4.8.1 Memory ballooning . . . . . . . . . . . . . . . . . . . . VirtualBox Watchdog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 9.21.1 Memory ballooning control . . . . . . . . . . . . . . . . . . . . . . . . . 191 9.21.2 Host isolation detection . . . . . . . . 214 12.2.4 Frequency scaling effect on CPU usage . . . . . . . . . . . . . . . . . . 214 12.2.5 Inaccurate Windows CPU usage reporting . . . . . . . . . . . . . . . . . 215 12.2.6 Poor

PROBLEMS ⊡ Memory issues – we didn’t have enough memory. ⊡ Unexplained crashes. ⊡ Occasional data loss during network issues. 16 None of the errors were seen in the lab.THE PROBLEMS ⊡ Memory issues – enough memory. ⊡ Unexplained crashes. ⊡ Occasional data loss during network issues. 17 None of the errors were seen in the lab.THE PROBLEMS ⊡ Memory issues – we didn’t have enough memory. ⊡ Unexplained during network issues. 18 None of the errors were seen in the lab.THE PROBLEMS ⊡ Memory issues – we didn’t have enough memory. ⊡ Unexplained crashes. ⊡ Occasional data loss during network issues. 19