Resilient C++ - Mitigate C++ Vulnerabilities
Peter Sommerlad
C++ programmers suffer from its super power of backward compatibility, deficiencies in language and standard library design, as well as its complexity. Fortunately, there exist collections of C++ vulnerabilities with their mitigations and guidelines to make your own code less prone to pitfalls caused by using the language and its standard library. This workshop will show you where to look for pitfalls, highlight specific ones, and provide concrete guidance or even libraries to use for your own C++ design and code to follow, so that your code becomes safer. It is inspired by the author's work on the MISRA-C++ guidelines and the collection of C++ vulnerabilities in the context of ISO SC22 WG23.
Writing safe and secure code suffers from the language's vulnerabilities. Knowing C++ vulnerabilities and potential mitigations is a first step to writing better code. Fortunately, there exist guidelines and collections of potential programming pitfalls to draw from. Those might recommend not using a language feature, or using it only in a specific way. While following them absolutely might not be possible, each violation of such a guideline should be well thought through. Using dedicated libraries also helps with sidestepping some problems, such as the woes of implicit conversions of built-in types.
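As an added illustration of the implicit-conversion woes mentioned above (example code written for this page, not material from the workshop or from any particular library), the following shows a signed/unsigned comparison that silently gives the wrong answer, a sign-aware comparison, a checked narrowing conversion that rejects value-changing conversions, and a minimal strong type (`Count`, a hypothetical name) whose constrained explicit constructor turns an unwanted conversion into a compile error:

```cpp
#include <cstdint>
#include <optional>
#include <type_traits>

// Pitfall: comparing a signed and an unsigned operand converts the signed one
// to unsigned, so -1 becomes UINT_MAX and the comparison silently goes wrong.
bool naive_less(int lhs, unsigned rhs) {
    return lhs < rhs;  // naive_less(-1, 1u) yields false
}

// Mitigation: decide on the sign first; convert only when the conversion is exact.
bool safe_less(int lhs, unsigned rhs) {
    return lhs < 0 || static_cast<unsigned>(lhs) < rhs;
}

// Mitigation: a checked narrowing conversion. The value is converted and then
// converted back; if the round trip changes it, the conversion is rejected.
template <typename To, typename From>
std::optional<To> checked_narrow(From value) {
    static_assert(std::is_integral_v<To> && std::is_integral_v<From>);
    const To converted = static_cast<To>(value);
    if (static_cast<From>(converted) != value) return std::nullopt;
    // A sign flip survives the round trip when the widths match
    // (e.g. -1 -> 0xFFFFFFFF -> -1), so check the sign separately.
    if (std::is_signed_v<To> != std::is_signed_v<From> &&
        (converted < To{}) != (value < From{}))
        return std::nullopt;
    return converted;
}

// Mitigation: a strong type with an explicit, constrained constructor, so the
// "unsigned only" intent is enforced by the compiler instead of by a silent
// conversion. Count{-1} and Count{std::size_t{1}} do not compile; Count{3u} does.
class Count {
public:
    template <typename T,
              std::enable_if_t<std::is_unsigned_v<T> && sizeof(T) <= sizeof(unsigned), int> = 0>
    explicit constexpr Count(T v) : value_{v} {}
    constexpr unsigned get() const { return value_; }
    friend constexpr bool operator<(Count a, Count b) { return a.value_ < b.value_; }
    friend constexpr bool operator==(Count a, Count b) { return a.value_ == b.value_; }
private:
    unsigned value_;
};
```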
Outline
- provide a mental model for C++ type design and use
- demonstrate libraries that help circumventing language pitfalls
- give examples of C++ vulnerabilities with mitigation hints
- highlight some MISRA-C++ guidelines applicable beyond the safety realm
- show some idioms and coding guidelines making your code less vulnerable
- indicate where to look for further learning, such as ISO WG23, MISRA-C++, CERT, and Core Guidelines
- note when to think about violating a guideline consciously, and how to show that doing so did not open your code up to a C++ vulnerability
Peter Sommerlad
Peter Sommerlad is a consultant and trainer for Safe Modern C++ and Agile Software Engineering. Peter was professor at and director of IFS Institute for Software at FHO/HSR Rapperswil, Switzerland until February 2020. Peter is co-author of POSA Vol.1 and Security Patterns. He inspired the C++ IDE Cevelop with a unique C++ feedback, refactoring, and code modernization experience. Peter is a member of MISRA-C++, Hillside, ACM, IEEE Computer Society, ACCU, ISO WG23 and the ISO WG21 C++ committee.
E-Mail: peter.cpp@sommerlad.ch