Delivering safe C++
Delivering safe C++, Bjarne Stroustrup, Columbia University, www.stroustrup.com. Overview • The challenges of safety • What is “safety”? • C++ Evolution • with a focus on safety • C++ Core Guidelines. Governments have begun initiatives to drive the culture of software development towards utilizing memory safe languages. • ... • NSA advises organizations to consider making a strategic shift from programming languages that provide little or no inherent memory protection, such as C/C++, to a memory safe language when possible. Some examples of memory safe languages are C#, Go, Java, Ruby™, and Swift®. • NSA: https://www.open-std
0 码力 | 74 pages | 2.72 MB | 6 months ago
Building Safe and Reliable Surgical Robotics with C++
... behavior; Medical device operates correctly in response to inputs, including in failure scenarios (Fail-safe Design), to prevent harm or hazards to patient. Security: Protection of systems, networks, and data ... Lines of C++ Code. Reminder to a simple, but often overlooked, question! Why C++? Can C++ usage be safe? Mitigate Safety and Security Vulnerabilities. What can we do then? Explore Tooling, Processes ➢ Being more careful in general is less flexible! What have we learned? Takeaways ❖ Building safe complex medical robotics is actually very hard ❖ Standards/regulations are necessary but not sufficient
0 码力 | 71 pages | 4.02 MB | 6 months ago
Back to Basics: Exceptions
Content: The Exception Situation • How Do Exceptions Work • Best Practices • How to Use Exceptions • The Exception Safety Guarantees • How to Write Exception-Safe Code • How to Refactor Non-Exception-Safe Code. Why Another Talk on Exception Safety? https://wg21.link/p07097 https://wg21 ... How Do Exceptions Work: void f() { std::string s{ "Some default initializer"
0 码力 | 111 pages | 4.87 MB | 6 months ago
Lifetime Safety in C++: Past, Present and Future
... Component in Rust - Mozilla Hacks - the Web developer blog • Google Online Security Blog: Memory Safe Languages in Android 13 (googleblog.com). Spatial safety, Temporal safety. Approaches to safety: Safe / Unsafe; Safe-by-construction; Safe but rejected; Opportunistic bug finding
0 码力 | 124 pages | 2.03 MB | 6 months ago
Back to Basics: Generic Programming
David Olsen, Generic Programming, CppCon 2024. Example Specialization: template <typename T> struct safe_sizeof { static constexpr std::size_t value = sizeof(T); }; https://godbolt.org/z/r6E7Wh675110 ... followed by a full specialization: template <> struct safe_sizeof { static constexpr std::size_t value = 0;
0 码力 | 175 pages | 1.16 MB | 6 months ago
Comprehensive Rust (English) 20241219
30.6 Implementing Unsafe Traits (p. 193); 30.7 Safe FFI Wrapper (p. 194); 30.7.1 Solution ... the lifetimes of all references to ensure they live long enough. Dangling references cannot occur in safe Rust. x_axis would return a reference to point, but point will be deallocated when the function returns ... *other); } println!("{cell:?}"); } The main thing to take away from this slide is that Rust provides safe ways to modify data behind a shared reference. There are a variety of ways to ensure that safety,
0 码力 | 382 pages | 1.00 MB | 10 months ago
Compile-Time Validation
... properties of baz) Function Composition: struct fn_props { perf performance; bool is_memory_safe; bool can_terminate; }; constexpr fn_props compose(fn_props fn1, fn_props fn2) { static_assert( ... .performance = std::min(fn1.performance, fn2.performance), .is_memory_safe = fn1.is_memory_safe && fn2.is_memory_safe, .can_terminate = fn1.can_terminate || fn2.can_terminate, }; } Value Wrapper ... perf::fast, .is_memory_safe = false, .can_terminate = true, }>, [](auto next, /* ...*/ ) { return next(vec[index], /* ...*/ ); }); Index Example - Bounds Check: Memory safe - accessing a vector element
0 码力 | 137 pages | 1.70 MB | 6 months ago
Khronos APIs for Heterogeneous Compute and Safety: SYCL and SYCL SC
▪ Mitigating deliberate attacks against vulnerable parts of a system ▪ Absolute measures (“Is it safe?” “Is it secure?”) very hard to attain ▪ Relative measures (“Is it safer?” “Is it secure against ... the difference between accidental wrapping and deliberate wrapping. P0122R0 ARRAY_VIEW: BOUNDS-SAFE VIEWS FOR SEQUENCES OF OBJECTS ▪ Precursor to span & mdspan ▪ “Any failure to meet array_view’s ... correctly initialized array_view, then its bounds cannot be overrun.” ▪ Is this safe? 2015
0 码力 | 82 pages | 3.35 MB | 6 months ago
Getting Started with C++
Agenda: 01 Obtaining tools for your platform; 02 Code reuse through libraries; 03 Building correct, secure, and safe systems; 04 Planning for the future; 05 Resources for learning modern C++. Tools for your platform ...
0 码力 | 95 pages | 4.71 MB | 6 months ago
Comprehensive Rust (Traditional Chinese)
The language has two parts: • Safe Rust: memory safe, cannot trigger undefined behaviour. • Unsafe Rust: can trigger undefined behaviour if its preconditions are violated. We saw mostly safe Rust in this course, but it's important to know what Unsafe Rust is. Unsafe code is usually short, isolated, and wrapped in a safe abstraction; you should carefully document the correctness of such code ... let mut s = String::from("careful!"); let r1 = &mut s as *mut String; let r2 = r1 as *const String; // Safe because r1 and r2 were obtained from references and so are // guaranteed to be non-null and properly ... { println!("r1 is: {}", *r1); *r1 = String::from("uhoh"); println!("r2 is: {}", *r2); } // NOT SAFE. DO NOT DO THIS. /* let r3: &String = unsafe { &*r1 }; drop(s); println!("r3 is: {}", *r3); */ }
0 码力 | 358 pages | 1.41 MB | 10 months ago