C and C++: A Security Perspective Security Beyond Memory Safety Using Modern C++ to Avoid Vulnerabilities by DesignMax Hoffmann Security Beyond Memory Safety CppCon 2024 2 Security Beyond Memory Safety Hoffmann Security Beyond Memory Safety CppCon 2024 3 FIFTY SHADES OF SHOOTING YOURSELF IN THE FOOT WITH A RAILGUNMax Hoffmann Security Beyond Memory Safety CppCon 2024 4Max Hoffmann Security Beyond yearsMax Hoffmann Security Beyond Memory Safety CppCon 2024 6Max Hoffmann Security Beyond Memory Safety CppCon 2024 7Max Hoffmann Security Beyond Memory Safety CppCon 2024 8Max Hoffmann Security Beyond Memory

Embracing an Adversarial Mindset for C++ Security Amanda Rousseau 9/18/2024 This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY1 Strategies for Secure C++ DevelopmentWHOAMI 0x401006 Microsoft 0x40100C Offensive 0x40100F Research & Security 0x401018 Engineering 0x40101A (MORSE) CURRENT 0x401000 MALWARE UNICORN AMANDA ROUSSEAU 0x402001 perspectiveFactors Influencing Trends Increased Security Awareness and Practices Adoption of Modern Technologies •secure coding, regular patching, comprehensive security testing •Improved Discovery Methods -

expected iv. Great Amazon Reboot of 2014 – 10% of Amazon EC2 servers had to reboot for Xen emergency security patch. At Netflix, zero downtime, no one actively working incidents. They were at a Hollywood party infrastructure, and environments 2. Deployment tools 3. Testing standards and tools, including security 4. Deployment pipeline tools 5. Monitoring and analysis tools 6. Tutorials and standards ii Technical Practices of Integrating Information Security, Change Management, and Compliance 1. Introduction a. Goal to simultaneously achieve Information Security goals and create high degree of assurance

240 9.34.1 Setting up USB/IP support on a Linux system . . . . . . . . . . . . . . . 240 9.34.2 Security considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 9.35 VISO file format / 2 VM aborts with out of memory errors on Solaris 10 hosts . . . . . . . . 275 13 Security guide 277 13.1 General Security Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 13.2 . . . . . . . . . . . . . . . . . 278 13.3 Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278 13.3.1 The Security Model . . . . . . . . . . . . . . . . . . .

239 9.34.1 Setting up USB/IP support on a Linux system . . . . . . . . . . . . . . . 239 9.34.2 Security considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . 240 9.35 VISO file format / 2 VM aborts with out of memory errors on Solaris 10 hosts . . . . . . . . 274 13 Security guide 276 13.1 General Security Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276 13.2 . . . . . . . . . . . . . . . . . 277 13.3 Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 13.3.1 The Security Model . . . . . . . . . . . . . . . . . . .

INJECTION / SECURITY BREACH CPP INJECTION / SECURITY BREACH 5 . 11CPP INJECTION / SECURITY BREACH CPP INJECTION / SECURITY BREACH 5 . 11CPP INJECTION / SECURITY BREACH CPP INJECTION / SECURITY BREACH SELECT 11CPP INJECTION / SECURITY BREACH CPP INJECTION / SECURITY BREACH CPP INJECTION CPP INJECTION SELECT * FROM Users WHERE Name='' or 1==1--' and Password='' 5 . 11CPP INJECTION / SECURITY BREACH CPP INJECTION INJECTION / SECURITY BREACH CPP INJECTION CPP INJECTION SELECT * FROM Users WHERE Name='' or 1==1--' and Password='' int main() { jit<"[]{ std::cout << \""s + std::getenv("USER") + "\"; }">(); } 5

10 hosts . . . . . . . . 193 13 Security guide 194 13.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 13.1.1 General Security Principles . . . . . . . . . . . . . . . . . . . . . . . . . . 195 13.3 Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 13.3.1 The Security Model . . . . . . . . . . . . . . . . . . . VirtualBox 2.2 or later. When started from a Linux guest, this tool requires root privileges for security reasons: $ sudo VBoxControl guestproperty enumerate VirtualBox Guest Additions Command Line Management

aims at unifying software development (Dev), security (Sec) and operations (Ops). The main characteristic of DevSecOps is to automate, monitor, and apply security at all phases of the software lifecycle: DevSecOps, testing and security are shifted to the left through automated unit, functional, integration, and security testing - this is a key DevSecOps differentiator since security and functional capabilities continuous monitoring approach in parallel instead of waiting to apply each skill set sequentially.  Security risks of the underlying infrastructure must be measured and quantified, so that the total risks

10 hosts . . . . . . . . 214 13 Security guide 215 13.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215 13.1.1 General Security Principles . . . . . . . . . . . . . . . . . . . . . . . . . . 216 13.3 Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 13.3.1 The Security Model . . . . . . . . . . . . . . . . . . . VirtualBox 2.2 or later. When started from a Linux guest, this tool requires root privileges for security reasons: $ sudo VBoxControl guestproperty enumerate VirtualBox Guest Additions Command Line Management

my_placeholder = PlaceholderField(my_placeholder_slotname) # your methods Warning For security reasons the related_name for a PlaceholderField may not be suppressed using '+'; this allows the this module do sanity checks on arguments. Warning None of the functions in this module does any security or permission checks. They verify their input values to be sane wherever possible, however permission template tag escapes the content of the rendered model attribute. This helps prevent a range of security vulnerabilities stemming from HTML, JavaScript, and CSS Code Injection. To change this behaviour