C and C++: A Security Perspective Security Beyond Memory Safety Using Modern C++ to Avoid Vulnerabilities by DesignMax Hoffmann Security Beyond Memory Safety CppCon 2024 2 Security Beyond Memory Safety Hoffmann Security Beyond Memory Safety CppCon 2024 3 FIFTY SHADES OF SHOOTING YOURSELF IN THE FOOT WITH A RAILGUNMax Hoffmann Security Beyond Memory Safety CppCon 2024 4Max Hoffmann Security Beyond yearsMax Hoffmann Security Beyond Memory Safety CppCon 2024 6Max Hoffmann Security Beyond Memory Safety CppCon 2024 7Max Hoffmann Security Beyond Memory Safety CppCon 2024 8Max Hoffmann Security Beyond Memory

Embracing an Adversarial Mindset for C++ Security Amanda Rousseau 9/18/2024 This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY1 Strategies for Secure C++ DevelopmentWHOAMI 0x401006 Microsoft 0x40100C Offensive 0x40100F Research & Security 0x401018 Engineering 0x40101A (MORSE) CURRENT 0x401000 MALWARE UNICORN AMANDA ROUSSEAU 0x402001 perspectiveFactors Influencing Trends Increased Security Awareness and Practices Adoption of Modern Technologies •secure coding, regular patching, comprehensive security testing •Improved Discovery Methods -

languages BUILDING PERFORMANCE-PORTABLE SOFTWARESYCL NEWS, ECOSYSTEM, RESEARCH 2023/04/18 Working Group Members New New New New NewUNIFIED ACCELERATION FOUNDATION (UXL) MISSION ▪ Build a multi-architecture safety-critical subset SYCL 2020 C++-based heterogeneous parallel programming March 2022 SYCL SC Working Group announced to develop C++-based heterogeneous parallel compute programming framework for safety-critical ▪ C++, SYCL, Kokkos ▪ Aurora ▪ WG21 - ISO C++ Committee ▪ Vice Chair, Library Evolution Working Group Incubator (LEWGI / SG18) ▪ Admin Chair ▪ INCITS/C++ - US C++ Committee ▪ Vice Chair ▪ Khronos SYCL

or policies of any company in the Johnson & Johnson Family of Companies.Big Picture Why Safety/Security in C++ Medical Device Failure Analysis Brief Intro to Medical Device Standards, Documents, and Coding Practices in Safety Critical Path Final Words and Q&A 1 2 3 4 5 6Safety/Security and C++ 5Security/Safety Concerns with C++ 6MITRE Common Weaknesses Enumeration 7Recent Notable Talks on 92006-2011 FDA MAUDE database Medical Device Failure Analysis 10 This study does NOT contain security related recalls!Recall Index Database Medical Device Failure Analysis 11 © 2018 Stericycle, Inc

member (but I missed recent WG23 meetings) • Involved quite a bit with SG14, the low-latency study group • Occasional WG21 secretary • etc. 3Who am I? • Father of five, aged 28 to 10 • I feed and take member (but I missed recent WG23 meetings) • Involved quite a bit with SG14, the low-latency study group • Occasional WG21 secretary • etc. 4Things happening in SG14 • The abstract of this talk is as This talk will look at some interesting details you will not find in P2966What is SG14? A diverse group of people with some shared technical interests 9What is SG14? • SG14 was « born »… with CppCon,

fedorapeople.org/flag-soup/flag-soup.html ● P2800 ● Ben Boeckel ○ Kitware ○ ISO C++ Tooling Study Group ● 2023-09-20More: Bloomberg on Packaging 26 “Lessons Learned from Packaging 10,000+ C++ Projects” Specification (CPS) ● Proposed by Kitware’s Matthew Woehlke ● Presented to ISO C++ Tooling Study Group ○ https://wg21.link/p1313 27Momentum: Postmodern (?) CMake ● CMake support ⇒ trivial upgrades growing ○ Standards should accelerate adoption ● Using unpackaged dependencies ○ Problematic for security detection and patching ○ But we expect our python to be in PYPI?! ● Header-only libraries ○ Unclear

chronological order, covering 60 years. We’ve also got a CppCon Slack channel: SIG_JIT (Special Interest Group). In a way this talk isn’t my usual talk because it’s more of a lecture on JiT compilers, where I’ll CppCon—Just-in-Time compilation This completes our Brief History… But there’s one more thing I want to mention.Security The Cat only grinned when it saw Alice. It looked good-natured, she thought: still it had very said I wouldn’t go into downsides of JiT compilation too much, but one I want to dig int a bit is security. Good news about JiTs: you’re now shipping a compiler! Bad news about JiTs: you’re now shipping

Description: A toolkit for the Transport Layer Security (TLS) and Secure Sockets␣ ˓→Layer (SSL) protocols Topics: conan, openssl, ssl, tls, encryption, security Recipe: Cache Binary: Cache Binary remote: it is necessary that the LD_LIBRARY_PATH and DYLD_LIBRARY_PATH environment variables are used. Security restrictions might apply in OSX (read this thread), so the DYLD_LIBRARY_PATH and DYLD_FRAMEWORK_PATH package_info(self): self.cpp_info.libs = ["SDL2"] self.cpp_info.frameworks.extend(["Carbon", "CoreAudio", "Security", "IOKit"]) 17.15. How to link with Apple Frameworks 359 Conan Documentation, Release 1.41.0

Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Code Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 . . 92 7 PREFACE Preface Introduction The C++ programming language owns a fairly large user group. From the advent of C++98 to the official finalization of C++11, it has continued to stay relevant template class std::lock_guard for the RAII syntax for the mutex. RAII guarantees the exceptional security of the code while keeping the simplicity of the code. #include #include #include

Planet / ComicSansMS @DerGhulbus Co-organizer of the Munich C++ User Group (MUC++) Member of WG21 (ISO C++) and MISRA C++ Working on the Runtime framework for the Arene platform Wong Distinguished Engineer ● Chair of SYCL Heterogeneous Programming Language ● ISO C++ Directions Group past Chair ● Past CEO OpenMP ● ISOCPP.org Director, VP http://isocpp.org/wiki/faq/wg21#michael-wong build GPU compilers for some of the most powerful supercomputers in the world 4 © The Khronos® Group Inc. 2020 - Page 5 This work is licensed under a Creative Commons Attribution 4.0 International License