Security Beyond Memory Safety
C and C++: A Security Perspective Security Beyond Memory Safety Using Modern C++ to Avoid Vulnerabilities by Design Max Hoffmann Security Beyond Memory Safety CppCon 2024 FIFTY SHADES OF SHOOTING YOURSELF IN THE FOOT WITH A RAILGUN
0 credits | 79 pages | 4.15 MB | 5 months ago
Creating a Sender/Receiver HTTP Server
com © 2024 Bloomberg Finance L.P. All rights reserved.
• Create a basic HTTP server.
• Allow a single-threaded server handling multiple clients.
• Use the sender/receiver asynchronous framework.
0 credits | 8 pages | 2.19 MB | 5 months ago
Embracing an Adversarial Mindset for Cpp Security
Embracing an Adversarial Mindset for C++ Security Amanda Rousseau 9/18/2024 This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY 1 Strategies for Secure C++ Development WHOAMI 0x401006 Microsoft 0x40100C Offensive 0x40100F Research & Security 0x401018 Engineering 0x40101A (MORSE) CURRENT 0x401000 MALWARE UNICORN AMANDA ROUSSEAU 0x402001 • Advanced adversaries How: • Deserialization • Client-Server interfaces Denial of Service Who: • Hacktivists • Script Kiddies • Game hackers How: • Client-Server interfaces Medium Effort Med-High Effort High
0 credits | 92 pages | 3.67 MB | 5 months ago
Tornado 6.5 Documentation
RequestHandler which is subclassed to create web applications, and various supporting classes). • Client- and server-side implementations of HTTP (HTTPServer and AsyncHTTPClient). • An asynchronous networking library protocols. The Tornado web framework and HTTP server together offer a full-stack alternative to WSGI. While it is possible to use the Tornado HTTP server as a container for other WSGI frameworks (WSGIContainer) framework and HTTP server together. 6.1.2 Asynchronous and non-Blocking I/O Real-time web features require a long-lived mostly-idle connection per user. In a traditional synchronous web server, this implies
0 credits | 272 pages | 1.12 MB | 2 months ago
Tornado 6.5 Documentation
concurrent web spider Structure of a Tornado web application Templates and UI Authentication and security Running and deploying Web framework tornado.web — RequestHandler and Application classes tornado httpserver — Non-blocking HTTP server tornado.httpclient — Asynchronous HTTP client tornado.httputil — Manipulate HTTP headers and URLs tornado.http1connection – HTTP/1.x client/server implementation Asynchronous utilities tornado.tcpclient — IOStream connection factory tornado.tcpserver — Basic IOStream-based TCP server Coroutines and concurrency tornado.gen — Generator-based coroutines tornado.locks – Synchronization
0 credits | 437 pages | 405.14 KB | 2 months ago
The DevOps Handbook
expected iv. Great Amazon Reboot of 2014 – 10% of Amazon EC2 servers had to reboot for Xen emergency security patch. At Netflix, zero downtime, no one actively working incidents. They were at a Hollywood party infrastructure, and environments 2. Deployment tools 3. Testing standards and tools, including security 4. Deployment pipeline tools 5. Monitoring and analysis tools 6. Tutorials and standards ii Technical Practices of Integrating Information Security, Change Management, and Compliance 1. Introduction a. Goal to simultaneously achieve Information Security goals and create high degree of assurance
0 credits | 9 pages | 25.13 KB | 5 months ago
TiDB Chinese Technical Documentation
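horizontal scalability and high availability, it is first necessary to understand the overall architecture of TiDB. A TiDB cluster consists mainly of three components: TiDB Server receives SQL requests, handles the SQL-related logic, uses PD to find the address of the TiKV node that stores the data needed for the computation, interacts with TiKV to fetch the data, and finally returns the result. TiDB Server is stateless: it stores no data itself and is responsible only for computation, so it can scale out horizontally without limit, and a load-balancing component (such as LVS, HAProxy cluster scheduling and load balancing (such as data migration and Raft group leader transfer); third, allocating globally unique, incrementing transaction IDs. PD is itself a cluster and must be deployed with an odd number of nodes; at least 3 nodes are generally recommended in production. TiKV Server is responsible for storing data; seen from the outside, TiKV is a distributed, transactional Key-Value storage engine. The basic unit of data storage is the Region, and each Region stores the data of one Key Range (from StartKey as the unit of scheduling. TiDB Server PD Server TiKV Server Core features Horizontal scaling This document is built with 书栈 (BookStack.CN) Unlimited horizontal scaling is a major feature of TiDB. Horizontal scaling here covers two aspects: compute capacity and storage capacity. TiDB Server handles SQL requests; as the business grows, TiDB Server nodes can simply be added to raise overall processing capacity and provide higher throughput. TiKV
0 credits | 444 pages | 4.89 MB | 6 months ago
Secure access to EC2 (for developers)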
SSM – EC2 Instance Connect – demo Why we should care? – brute force attacks – exploitation of security vulnerabilities – weak-password attacks – bots and scanners – DDoS attacks A regular virtual developers just produce. In 4 words - "it is not good" So that's the story about secured SSH server. Simple fix Resources: EC2SecurityGroup: Type: AWS::EC2::SecurityGroup Properties: password login – enable regular firewall – disable default users – root – ubuntu – ec2-user – use security groups or equivalent 3-tier architecture 3-tier architecture - pros and cons – full control over
0 credits | 10 pages | 3.11 MB | 5 months ago
Hidden Overhead of a Function API
Linux server - old Mac x86-64 (AMD64) Microsoft ABI - Windows device armv7-a System V ABI - ancient iPhone - low-end Android smartphone x86 (IA-32) System V ABI - ancient Linux server x86 (IA-32) vector_dot_product add rsp, 16 pop rbx ret push rbx sub rsp, 80 mov rax, QWORD PTR __security_cookie xor rax, rsp mov QWORD PTR __$ArrayPad$[rsp], rax mov rbx, r8 mov r8, rdx mov __$ArrayPad$[rsp] xor rcx, rsp call __security_check_cookie add rsp, 80 pop rbx ret 0 V E C T O R 148 Keep an eye out for buffer security checks by Nicholas Frechette armv8-a clang 18
0 credits | 158 pages | 2.46 MB | 5 months ago
Trends Artificial Intelligence
Microsoft, Google, Anthropic, Meta, Apple, Alibaba, Deepseek, UK Government, US Department of Homeland Security. China data may be subject to informational limitations due to government restrictions. 3/23: AI assistant focused on safety & interpretability 3/24: USA Department of Homeland Security unveils its AI Roadmap Strategy 5/24: OpenAI releases GPT-4o, which has full multimodality intelligence. The earliest wave saw CapEx pouring into building internet infrastructure – massive server farms, undersea cables, and early data centers that enabled Amazon, Microsoft, Google and others
0 credits | 340 pages | 12.14 MB | 4 months ago