Delivering safe C++
Delivering safe C++ Bjarne Stroustrup Columbia University www.stroustrup.com Overview • The challenges of safety • What is “safety”? • C++ Evolution • with a focus on safety • C++ Core Guidelines Government have begun initiatives to drive the culture of software development towards utilizing memory safe languages. • ... • NSA advises organizations to consider making a strategic shift from programming provide little or no inherent memory protection, such as C/C++, to a memory safe language when possible. Some examples of memory safe languages are C#, Go, Java, Ruby™, and Swift®. • NSA: https://www.open-std
0 码力 | 74 pages | 2.72 MB | 5 months ago

Building Safe and Reliable Surgical Robotics with C++
behavior; Medical device operates correctly in response to inputs, including in failure scenarios (Fail-safe Design), to prevent harm or hazards to patient. Security: Protection of systems, networks, and data Lines of C++ Code Reminder to a simple, but often overlooked, question! Why C++? 23 Can C++ usage be safe? Mitigate Safety and Security Vulnerabilities What can we do then? 24 Explore Tooling Processes ➢ Being more careful in general is less flexible! What have we learned? Takeaways 69 ❖ Building safe complex medical robotics is actually very hard ❖ Standards/regulations are necessary but not sufficient
0 码力 | 71 pages | 4.02 MB | 5 months ago

Back to Basics: Exceptions
How to Use Exceptions The Exception Safety Guarantees How to Write Exception-Safe Code How to Refactor Non-Exception-Safe Code Content 4 The Exception Situation How Do Exceptions Work Best Practices How to Use Exceptions The Exception Safety Guarantees How to Write Exception-Safe Code How to Refactor Non-Exception-Safe Code Why Another Talk on Exception Safety? 56 https://wg21.link/p07097 https://wg21 How to Use Exceptions The Exception Safety Guarantees How to Write Exception-Safe Code How to Refactor Non-Exception-Safe Code How Do Exceptions Work 24 void f() { std::string s{ “Some default initializer”
0 码力 | 111 pages | 4.87 MB | 5 months ago

Lifetime Safety in C++: Past, Present and Future
Component in Rust - Mozilla Hacks - the Web developer blog • Google Online Security Blog: Memory Safe Languages in Android 13 (googleblog.com) Spatial safety Temporal safety Spatial safety Temporal safety Spatial safety Safe Unsafe Safe Unsafe Safe-by-construction Approaches to safety Safe Unsafe Safe Unsafe Safe-by-construction Approaches to safety Safe Unsafe Safe Unsafe Safe-by-construction Safe but rejected Approaches to safety Safe Unsafe Safe Unsafe Safe-by-construction Safe but rejected Opportunistic bug finding Approaches to safety Safe Unsafe Safe Unsafe Safe-by-construction Safe but rejected Opportunistic
0 码力 | 124 pages | 2.03 MB | 5 months ago

Back to Basics: Generic Programming
David Olsen – Generic Programming CppCon 2024 Example Specialization template struct safe_sizeof { static constexpr std::size_t value = sizeof(T); }; https://godbolt.org/z/r6E7Wh675110 2024 Example Specialization template struct safe_sizeof { static constexpr std::size_t value = sizeof(T); }; template <> struct safe_sizeof { static constexpr std::size_t value = 0; 2024 Example Specialization template struct safe_sizeof { static constexpr std::size_t value = sizeof(T); }; template <> struct safe_sizeof { static constexpr std::size_t value = 0;
0 码力 | 175 pages | 1.16 MB | 5 months ago

Jinja2 Documentation Release 2.10
SandboxedEnvironment. filters A dict of filters for this environment. As long as no template was loaded it’s safe to add new filters or remove old. For custom filters see Custom Filters. For valid filter names have Identifiers. tests A dict of test functions for this environment. As long as no template was loaded it’s safe to modify this dict. For custom tests see Custom Tests. For valid test names have a look at Notes variables. These variables are always available in a template. As long as no template was loaded it’s safe to modify this dict. For more details see The Global Namespace. For valid object names have a look
0 码力 | 148 pages | 475.08 KB | 1 year ago

ItsDangerous Documentation (1.1.x) Release 1.1.0
Timestamps 12 3.5 URL Safe Serialization age of the signature, see Signing With Timestamps. To serialize to a format that is safe to use in URLs, see URL Safe Serialization. 8 Chapter 3. Table of Contents ItsDangerous Documentation (1.1.x), the intention: upgrade or activate), but you could also use different salts: from itsdangerous.url_safe import URLSafeSerializer s1 = URLSafeSerializer("secret-key", salt="activate") s1.dumps(42) 'NDI.
0 码力 | 28 pages | 178.96 KB | 1 year ago

Django 3.0.x Documentation
only accepts the POST method. require_safe() Decorator to require that a view only accepts the GET and HEAD methods. These methods are commonly considered “safe” because they should not have the significance Since some software, such as link checkers, rely on HEAD requests, you might prefer using require_safe instead of require_GET. Conditional view processing The following decorators in django.views.decorators file or database cache backends. Additionally, the local-memory cache backend is NOT multi-process safe, therefore probably not a good choice for production environments. If you have multiple caches defined
0 码力 | 3085 pages | 2.95 MB | 1 year ago

Agda User Manual v2.6.1.3
Positivity Checking Postulates Pragmas Prop Record Types Reflection Rewriting Run-time Irrelevance Safe Agda Sized Types Syntactic Sugar Syntax Declarations Telescopes Termination Checking Universe Levels usage Run-time Irrelevance Syntax Rules Subtyping of runtime-irrelevant function spaces References Safe Agda Sized Types Example for coinduction: finite languages References Syntactic Sugar Do-notation Properties module. These primitives can be used to define a decidable propositional equality with the --safe option. Lists module Agda.Builtin.List Built-in lists are bound using the LIST built-in: data
0 码力 | 305 pages | 375.80 KB | 1 year ago

Agda User Manual v2.6.1.2
Positivity Checking Postulates Pragmas Prop Record Types Reflection Rewriting Run-time Irrelevance Safe Agda Sized Types Syntactic Sugar Syntax Declarations Telescopes Termination Checking Universe Levels usage Run-time Irrelevance Syntax Rules Subtyping of runtime-irrelevant function spaces References Safe Agda Sized Types Example for coinduction: finite languages References Syntactic Sugar Do-notation Properties module. These primitives can be used to define a decidable propositional equality with the --safe option. Lists module Agda.Builtin.List Built-in lists are bound using the LIST built-in: data
0 码力 | 304 pages | 375.60 KB | 1 year ago
1000 results in total