hazard pointer synchronous reclamation
1 Basic Hazard Pointer Algorithm read pointer A from SRC remove A from SRC 1 5 4 Safe to use pointer A SRC A hazard pointer is a single-writer multi-reader pointer. set HP to A if SRC == A clear ACCESS If a hazard pointer points to an object before its removal, then the object will not be reclaimed as long as the hazard pointer remains unchanged. *A Hazard Pointer Synchronous Reclamation Beyond Concurrency TS2 – Maged Michael Protector Remover / Reclaimer Hazard pointers protect access to objects that may be removed concurrently. SAFE RECLAMATION
0 credits | 31 pages | 856.38 KB | 6 months ago | 3

Back to Basics: Pointers
pointers and the C++ language. In this talk, we will discuss the low level foundations of what a raw pointer is--a variable that stores an address. We will then see some examples of raw pointers for creating leave understanding how we can use pointers in a safe manner through the standard library smart pointer abstractions. 4 The abstract that you read and enticed you to join me is here! Code for the talk and more on: www.mshah.io 6 One of my fondest programming memories was... 7 ... when I used a pointer correctly on the first try 8 ● And maybe as a C or C++ programmer you have a similar memory or
0 credits | 152 pages | 5.61 MB | 6 months ago | 3

Finding Bugs using Path-Sensitive Static Analysis
if (var == 1) { *p = 42; // Null dereference? } } p -> Unknown p -> NotNull p -> Unknown p -> Null p -> MaybeNull p -> MaybeNull Warning Unknown Null NotNull MaybeNull Analysis state (cond) { var = 2; p = nullptr; } // branch 3 if (var == 1) { *p = 42; // Null dereference? } } Flow-sensitive analysis resources Path-sensitive checks void path_sensitive(int *p, *p = 42; // Null dereference? } } p: ?1 cond: ?2 var: 0 p: ?1 cond: ?2 var: 1 ?1 != 0 p: null cond: 1 var: 2 p: null cond: ?2 var: 0 p: ?1 cond: 0 var: 1 ?1 != 0 p: null cond: 1 var:
0 credits | 35 pages | 14.13 MB | 6 months ago | 3

Just-in-Time Compilation - J F Bastien - CppCon 2020
GetFirstObjProc(obj); p != NULL; p = GetNextProc(p)) for (b = GetFirstBlock(p); b != NULL; b = GetNextBlock(b)) for (i = GetFirstInst(b); i != NULL; i = GetNextInst(i)) { runtime through either a miscalculation of code locations, mishandled register states or a bad pointer dereference, to name a few. Attacking Client Side JiT Compilers — 2011 (read) While the concept of
0 credits | 111 pages | 3.98 MB | 6 months ago | 3

Code Analysis++
● null pointer dereference ● access to an object through a pointer of a different type ● etc. Compilers are not required to diagnose undefined behavior! Undefined Behavior – Fun with NULL pointers p1179 ○ Owner & Pointer ○ Built-in compiler check ○ Current LLVM implementation gives 5% overhead ○ Annotations to help analysis: gsl::SharedOwner, gsl::Owner, gsl::Pointer void sample1() [-Wsign-compare] int a = -27; unsigned b = 20U; if (a > b) return 27; return 42; [-Wsizeof-pointer-memaccess] int x = 100; int *ptr = &x; memset(ptr, 0, sizeof (ptr)); [-Wmisleading-indentation]
0 credits | 61 pages | 2.70 MB | 6 months ago | 3

Delivering safe C++
constructed and destroyed (resource safety) • Every pointer either points to a valid object or is the nullptr (memory safety) • Every reference through a pointer is not through the nullptr (often a run-time check) • Every access through a subscripted pointer is in-range (often a run-time check) • That • Implies range checking and elimination of dangling pointers ("memory safety") • Is just what C++ requires corruption: for example, through the result of a range error or by accessing and memory through a pointer to an object that no longer exists thereby changing a different object. • Type errors: for example
0 credits | 74 pages | 2.72 MB | 6 months ago | 3

Comprehensive Rust (Persian) 202412
0 credits | 393 pages | 987.97 KB | 10 months ago | 3

Comprehensive Rust (English) 202412
prevented at compile time – No uninitialized variables. – No double-frees. – No use-after-free. – No NULL pointers. – No forgotten locked mutexes. – No data races between threads. – No iterator invalidation have widths as follows: • iN, uN, and fN are N bits wide, • isize and usize are the width of a pointer, • char is 32 bits wide, • bool is 8 bits wide. There are a few syntaxes which are not shown above: &i32) -> &(i32, i32) { let point = (*x, 0); return &point; } • References can never be null in Rust, so null checking is not necessary. 48 • A reference is said to "borrow" the value it refers to,
0 credits | 382 pages | 1.00 MB | 10 months ago | 3

Building Safe and Reliable Surgical Robotics with C++
stack-based buffer overflows. Can impact performance. -fno-delete-null-pointer-checks GCC 3.0.0, Clang 7.0.0 Force retention of null pointer checks -fno-strict-overflow GCC 4.2.0 Integer overflow may occur -Werror=incompatible-pointer-types GCC 5.5.0 Clang 7.0.0 Treat conversion between pointers that have incompatible types as errors -Werror=int-conversion GCC 2.95.3 Clang 2.6.0 Treat implicit integer to pointer and pointer to integer conversions as errors ❖ Treat obsolete C constructs as errors Compiler Hardening 33 Prioritize Memory, type and thread safety: sanitizers Compiler Flag Supported Since Description
0 credits | 71 pages | 4.02 MB | 6 months ago | 3

Embracing an Adversarial Mindset for Cpp Security
Attacker Controlled Heap Memory Heap Corruption Exploit Explained ● "Spray" the memory with aligned pointer offsets. ● Release the memory to be used again by the program Attacker Controlled Heap Memory Heap CClfsBaseFilePersisted::WriteMetadataBlock will proceed to use the retrieved value from the rgBlocks array as a pointer to the _CLFS_LOG_BLOCK_HEADER structure to increment LogBlockHeader->Record[0]->DumpCount and LogBlockHeader->Usn _CLFS_CONTAINER_CONTEXT stored in base log files and contains a field for storing a kernel pointer. typedef struct _CLFS_CONTAINER_CONTEXT { CLFS_NODE_ID cidNode; ULONGLONG cbContainer;
0 credits | 92 pages | 3.67 MB | 6 months ago | 3














