Is std::mdspan a Zero-overhead Abstraction? Oleksandr Bacherikov Snap IncWhat is std::mdspan? It’s a view over a multi-dimensional array. It’s designed primarily to be used as a function parameter right? 24 Wrong! std::layout_stride supports only all strides specified at runtime. If we target zero overhead, we have to specify one of the strides as 1 at compile time.What does the Standard offer

Privilege Escalation Who: •Ransomware gangs •advanced adversaries •Game hackers How: •Looking at the trust between medium to high integrity levels •Configurations •Filesystem Lateral movement Who: •Financial Controlled Heap MemoryWhy Remote Code Execution (RCE)? ● High Impact and Exploitability ○ High Value of Zero-Days ● Expanded Attack Surface ○ Cloud computing ○ Remote work ○ Increase in internet-connected Surface? Start by defining Trust BoundariesWhat is a Trust Boundary? Anytime there is a crossing of the trust between an untrusted component to a trusted componentDefining Trust Boundaries Downloads from

problems? Pros: ● Default constructor before the function call is avoided Cons (unless we fully trust the user and don’t have exceptions): ● Stack unwind on exception is still necessary ● Extra bool problems? Pros: ● Default constructor before the function call is avoided Cons (unless we fully trust the user and don’t have exceptions): ● Stack unwind on exception is still necessary ● Extra bool do Reason It’s the simplest and gives the cleanest semantics. Note This is known as “the rule of zero”. C++ Core Guidelines 62C++ Core Guidelines C.20: If you can avoid defining default operations

circular-logic problem: you have to use the interface to test the interface, so at some point you have to trust something which you haven't tested. The "Black Box Conundrum" You never really know if a member believe we have 30 grams of coffee? Not 30g coffee! 18Basic lab procedure: weighing a sample Zero the scale with the container to duplicate the exact conditions of the experiment. 19Basic lab procedure: weighing a sample Only after calibrating our equipment for exactly the situation to be measured can we trust the result. Actually 30g of coffee 20This is exactly TDD's procedure for a bugfix TDD: 1. Write

the memory, the binary is not writable. 2. The binary is statically linked at a start address of zero, with the first byte of text at 64K. 3. All indirect control transfers use a nacljmp pseudo-instruction the memory, the binary is not writable. 2. The binary is statically linked at a start address of zero, with the first byte of text at 64K. 3. All indirect control transfers use a nacljmp pseudo-instruction To reiterate: NaCl knows nothing of the source code for the application it runs, neither does it trust the compiler which compiled it. It only looks at the object code, and if the 7 rules are followed

next part of a function are the parameters of the function (i.e. the ‘input’) Functions can have zero or more inputs. This function has exactly one parameter of type std::string Notes on function statement -- it may still work ○ That includes if there exist multiple return paths. ● Don’t trust this however -- we need to have a return statement if we are expecting a result. ● Notes on Debugging:

Hiding your Implementation Details, Amir Kirsh @ CppCon, 2024 Amir Kirsh @AmirKirsh Master, tho I trust your dog completely, I still got a concern. What’s your concern? the fridge engine is in the private don’t need it, don’t give it. - If they get it, they’ll use it. - If they use it, they’ll abuse it. - Trust no one! 53 Hiding your Implementation Details, Amir Kirsh @ CppCon, 2024 It’s context specific!Something don’t need it, don’t give it. - If they get it, they’ll use it. - If they use it, they’ll abuse it. - Trust no one! 54 Hiding your Implementation Details, Amir Kirsh @ CppCon, 2024 It’s context specific!

Hoffmann Security Beyond Memory Safety CppCon 2024 25 Trust the DeveloperMax Hoffmann Security Beyond Memory Safety CppCon 2024 26 * a little more Trust the Compiler*Max Hoffmann Security Beyond Memory

circular-logic problem: you have to use the interface to test the interface, so at some point you have to trust something which you haven't tested. The "Black Box Conundrum" 67Black Box: Behaviors TEST_CASE( help) The path out of fear is confidence. "I don't know if I'm right" -- test and find out "I don't trust those yokels down the hall" -- test and find out "I don't know if I'll be OK with this change" --

– Header files and header units require (expensive) incomplete ODR checks, and demand complete trust 4 (C) Dos Reis & DaCamara; CppCon 2021Modules and ODR 5 (C) Dos Reis & DaCamara; CppCon 2021One