SlideShare a Scribd company logo

C++ The Principles of Most Surprise

Patricia Aas
Patricia Aas

Undefined Behavior and Compiler Optimizations can result in programs that display surprising behavior. In this presentation we look at some examples, and I hope to convince you that you should not reason about Undefined Behavior and that you should take care and use your tools.

Software
1 of 19
Download to read offline
@pati_gallardo T S
All Your Code Are Belong To Us The Principle of Most Surprise Security Researchers Meetup 0x07 Patricia Aas T S @pati_gallardo Thank You to @volatile_void and @AmigaBeanbag for the title!
Patricia Aas - Consultant T S C++ Programmer, Application Security Currently : T S Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science - main language Java Pronouns: she/her @pati_gallardo
Undefined Behaviour @pati_gallardo
undefined behavior “Examples of undefined behavior are memory accesses outside of array bounds, signed integer overflow, null pointer dereference, modification of the same scalar more than once in an expression without sequence points, access to an object through a pointer of a different type, etc. Compilers are not required to diagnose undefined behavior (although many simple situations are diagnosed), and the compiled program is not required to do anything meaningful.” http://en.cppreference.com/w/cpp/language/ub @pati_gallardo 5
Infinite Loop int main(void) { complex<int> delta; complex<int> mc[4] = {0}; for(int di = 0; di < 4; di++, delta = mc[di]) cout << di << endl; } (Thanks to @shafikyaghmour) https://stackoverflow.com/questions/32506643/c-compilation-bug Undefined Behavior: Access out of bounds @pati_gallardo 6
Infinite Loop Want to give it a try? Compiler Explorer https://godbolt.org/g/TDjM8h Wandbox https://wandbox.org/permlink/aAFP2bMjA3um3L4K Github https://github.com/patricia-gallardo/insecure-coding-examples/ blob/master/vulnerable/infinite_loop.cpp @pati_gallardo (Thanks to @shafikyaghmour) https://stackoverflow.com/questions/32506643/c-compilation-bug7
@pati_gallardo
Schrödinger's Variable int main(void) { bool b; if (b) printf("truen"); if (!b) printf("falsen"); } Thanks to @olvemaudal Undefined Behavior: Access to uninitialized variable @pati_gallardo 9 gcc 4.7.1 -O0 true false
Schrödinger's Variable Want to give it a try? Compiler Explorer (Gcc 4.7.1 -O0) https://godbolt.org/z/YnIDYj Compiler Explorer (Clang 7.0.0 -O3) https://godbolt.org/z/0Ov5WP @pati_gallardo 10 Thanks to @olvemaudal
- Don’t reason about undefined behaviour - Assume that it crashes or is never executed - Changing compiler, compiler version or optimization level can break your application Undefined Behaviour 11
Compiler Optimization @pati_gallardo
@pati_gallardo The Case Of The Disappearing Memset @pati_gallardo
CWE-14: Compiler Removal of Code to Clear Buffers void GetData(char *MFAddr) { char pwd[64]; if (GetPasswordFromUser(pwd, sizeof(pwd))) { if (ConnectToMainframe(MFAddr, pwd)) { // Interaction with mainframe } } memset(pwd, 0, sizeof(pwd)); } SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources @pati_gallardo 14 Dead store: removed by the optimizer
Want to give it a try? https://godbolt.org/g/FpEsht SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources @pati_gallardo 15 CWE-14: Compiler Removal of Code to Clear Buffers
Memset_s : Zeroing Memory // Compliant Solution (C11) memset_s(pwd, 0, sizeof(pwd)); // Windows Solution SecureZeroMemory(pwd, sizeof(pwd)); SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources @pati_gallardo 16
@Bigcheesegs https://youtu.be/g7entxbQOCc
T S P f . Patricia Aas, T S @pati_gallardo
@pati_gallardo T S

Recommended

Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)Patricia Aas
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguagePatricia Aas
 
Trying to learn C# (NDC Oslo 2019)
Trying to learn C# (NDC Oslo 2019)Trying to learn C# (NDC Oslo 2019)
Trying to learn C# (NDC Oslo 2019)Patricia Aas
 
Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Patricia Aas
 
Secure Programming Practices in C++ (NDC Security 2018)
Secure Programming Practices in C++ (NDC Security 2018)Secure Programming Practices in C++ (NDC Security 2018)
Secure Programming Practices in C++ (NDC Security 2018)Patricia Aas
 
Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Patricia Aas
 
Isolating GPU Access in its Own Process
Isolating GPU Access in its Own ProcessIsolating GPU Access in its Own Process
Isolating GPU Access in its Own ProcessPatricia Aas
 
The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)Patricia Aas
 

Recommended

Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)Patricia Aas
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguagePatricia Aas
 
Trying to learn C# (NDC Oslo 2019)
Trying to learn C# (NDC Oslo 2019)Trying to learn C# (NDC Oslo 2019)
Trying to learn C# (NDC Oslo 2019)Patricia Aas
 
Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Patricia Aas
 
Secure Programming Practices in C++ (NDC Security 2018)
Secure Programming Practices in C++ (NDC Security 2018)Secure Programming Practices in C++ (NDC Security 2018)
Secure Programming Practices in C++ (NDC Security 2018)Patricia Aas
 
Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Patricia Aas
 
Isolating GPU Access in its Own Process
Isolating GPU Access in its Own ProcessIsolating GPU Access in its Own Process
Isolating GPU Access in its Own ProcessPatricia Aas
 
The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)Patricia Aas
 
Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
 
C++ for Java Developers (JavaZone 2017)
C++ for Java Developers (JavaZone 2017)C++ for Java Developers (JavaZone 2017)
C++ for Java Developers (JavaZone 2017)Patricia Aas
 
C++ for Java Developers (JavaZone Academy 2018)
C++ for Java Developers (JavaZone Academy 2018)C++ for Java Developers (JavaZone Academy 2018)
C++ for Java Developers (JavaZone Academy 2018)Patricia Aas
 
The Anatomy of an Exploit
The Anatomy of an ExploitThe Anatomy of an Exploit
The Anatomy of an ExploitPatricia Aas
 
Php5 certification mock exams
Php5 certification mock examsPhp5 certification mock exams
Php5 certification mock examsecho liu
 
Publishing a Perl6 Module
Publishing a Perl6 ModulePublishing a Perl6 Module
Publishing a Perl6 Moduleast_j
 
C++ for Java Developers (SwedenCpp Meetup 2017)
C++ for Java Developers (SwedenCpp Meetup 2017)C++ for Java Developers (SwedenCpp Meetup 2017)
C++ for Java Developers (SwedenCpp Meetup 2017)Patricia Aas
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
DEF CON 23 - COLIN O'FLYNN - dont whisper my chips
DEF CON 23 - COLIN O'FLYNN - dont whisper my chipsDEF CON 23 - COLIN O'FLYNN - dont whisper my chips
DEF CON 23 - COLIN O'FLYNN - dont whisper my chipsFelipe Prado
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))Patricia Aas
 
BlueHat Seattle 2019 || Modern Binary Analysis with ILs
BlueHat Seattle 2019 || Modern Binary Analysis with ILsBlueHat Seattle 2019 || Modern Binary Analysis with ILs
BlueHat Seattle 2019 || Modern Binary Analysis with ILsBlueHat Security Conference
 
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.BlueHat Security Conference
 
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyDEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyFelipe Prado
 
ITT 2014 - Eric Lafortune - ProGuard, Optimizer and Obfuscator in the Android...
ITT 2014 - Eric Lafortune - ProGuard, Optimizer and Obfuscator in the Android...ITT 2014 - Eric Lafortune - ProGuard, Optimizer and Obfuscator in the Android...
ITT 2014 - Eric Lafortune - ProGuard, Optimizer and Obfuscator in the Android...Istanbul Tech Talks
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterAjin Abraham
 
What is wrong on Test::More? / Test::Moreが抱える問題点とその解決策
What is wrong on Test::More? / Test::Moreが抱える問題点とその解決策What is wrong on Test::More? / Test::Moreが抱える問題点とその解決策
What is wrong on Test::More? / Test::Moreが抱える問題点とその解決策kwatch
 
GitGot: The Swiss Army Chainsaw of Git Repo Management
GitGot: The Swiss Army Chainsaw of Git Repo ManagementGitGot: The Swiss Army Chainsaw of Git Repo Management
GitGot: The Swiss Army Chainsaw of Git Repo ManagementJohn Anderson
 
Geb for browser automation
Geb for browser automationGeb for browser automation
Geb for browser automationJacob Aae Mikkelsen
 
Undefined Behavior and Compiler Optimizations (NDC Oslo 2018)
Undefined Behavior and Compiler Optimizations (NDC Oslo 2018)Undefined Behavior and Compiler Optimizations (NDC Oslo 2018)
Undefined Behavior and Compiler Optimizations (NDC Oslo 2018)Patricia Aas
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP
 

More Related Content

What's hot

Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
 
C++ for Java Developers (JavaZone 2017)
C++ for Java Developers (JavaZone 2017)C++ for Java Developers (JavaZone 2017)
C++ for Java Developers (JavaZone 2017)Patricia Aas
 
C++ for Java Developers (JavaZone Academy 2018)
C++ for Java Developers (JavaZone Academy 2018)C++ for Java Developers (JavaZone Academy 2018)
C++ for Java Developers (JavaZone Academy 2018)Patricia Aas
 
The Anatomy of an Exploit
The Anatomy of an ExploitThe Anatomy of an Exploit
The Anatomy of an ExploitPatricia Aas
 
Php5 certification mock exams
Php5 certification mock examsPhp5 certification mock exams
Php5 certification mock examsecho liu
 
Publishing a Perl6 Module
Publishing a Perl6 ModulePublishing a Perl6 Module
Publishing a Perl6 Moduleast_j
 
C++ for Java Developers (SwedenCpp Meetup 2017)
C++ for Java Developers (SwedenCpp Meetup 2017)C++ for Java Developers (SwedenCpp Meetup 2017)
C++ for Java Developers (SwedenCpp Meetup 2017)Patricia Aas
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
DEF CON 23 - COLIN O'FLYNN - dont whisper my chips
DEF CON 23 - COLIN O'FLYNN - dont whisper my chipsDEF CON 23 - COLIN O'FLYNN - dont whisper my chips
DEF CON 23 - COLIN O'FLYNN - dont whisper my chipsFelipe Prado
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))Patricia Aas
 
BlueHat Seattle 2019 || Modern Binary Analysis with ILs
BlueHat Seattle 2019 || Modern Binary Analysis with ILsBlueHat Seattle 2019 || Modern Binary Analysis with ILs
BlueHat Seattle 2019 || Modern Binary Analysis with ILsBlueHat Security Conference
 
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.BlueHat Security Conference
 
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyDEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyFelipe Prado
 
ITT 2014 - Eric Lafortune - ProGuard, Optimizer and Obfuscator in the Android...
ITT 2014 - Eric Lafortune - ProGuard, Optimizer and Obfuscator in the Android...ITT 2014 - Eric Lafortune - ProGuard, Optimizer and Obfuscator in the Android...
ITT 2014 - Eric Lafortune - ProGuard, Optimizer and Obfuscator in the Android...Istanbul Tech Talks
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterAjin Abraham
 
What is wrong on Test::More? / Test::Moreが抱える問題点とその解決策
What is wrong on Test::More? / Test::Moreが抱える問題点とその解決策What is wrong on Test::More? / Test::Moreが抱える問題点とその解決策
What is wrong on Test::More? / Test::Moreが抱える問題点とその解決策kwatch
 
GitGot: The Swiss Army Chainsaw of Git Repo Management
GitGot: The Swiss Army Chainsaw of Git Repo ManagementGitGot: The Swiss Army Chainsaw of Git Repo Management
GitGot: The Swiss Army Chainsaw of Git Repo ManagementJohn Anderson
 

What's hot (20)

Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
 
C++ for Java Developers (JavaZone 2017)
C++ for Java Developers (JavaZone 2017)C++ for Java Developers (JavaZone 2017)
C++ for Java Developers (JavaZone 2017)
 
C++ for Java Developers (JavaZone Academy 2018)
C++ for Java Developers (JavaZone Academy 2018)C++ for Java Developers (JavaZone Academy 2018)
C++ for Java Developers (JavaZone Academy 2018)
 
The Anatomy of an Exploit
The Anatomy of an ExploitThe Anatomy of an Exploit
The Anatomy of an Exploit
 
Php5 certification mock exams
Php5 certification mock examsPhp5 certification mock exams
Php5 certification mock exams
 
Publishing a Perl6 Module
Publishing a Perl6 ModulePublishing a Perl6 Module
Publishing a Perl6 Module
 
C++ for Java Developers (SwedenCpp Meetup 2017)
C++ for Java Developers (SwedenCpp Meetup 2017)C++ for Java Developers (SwedenCpp Meetup 2017)
C++ for Java Developers (SwedenCpp Meetup 2017)
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
DEF CON 23 - COLIN O'FLYNN - dont whisper my chips
DEF CON 23 - COLIN O'FLYNN - dont whisper my chipsDEF CON 23 - COLIN O'FLYNN - dont whisper my chips
DEF CON 23 - COLIN O'FLYNN - dont whisper my chips
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))
 
BlueHat Seattle 2019 || Modern Binary Analysis with ILs
BlueHat Seattle 2019 || Modern Binary Analysis with ILsBlueHat Seattle 2019 || Modern Binary Analysis with ILs
BlueHat Seattle 2019 || Modern Binary Analysis with ILs
 
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
 
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyDEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
 
ITT 2014 - Eric Lafortune - ProGuard, Optimizer and Obfuscator in the Android...
ITT 2014 - Eric Lafortune - ProGuard, Optimizer and Obfuscator in the Android...ITT 2014 - Eric Lafortune - ProGuard, Optimizer and Obfuscator in the Android...
ITT 2014 - Eric Lafortune - ProGuard, Optimizer and Obfuscator in the Android...
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 Egghunter
 
What is wrong on Test::More? / Test::Moreが抱える問題点とその解決策
What is wrong on Test::More? / Test::Moreが抱える問題点とその解決策What is wrong on Test::More? / Test::Moreが抱える問題点とその解決策
What is wrong on Test::More? / Test::Moreが抱える問題点とその解決策
 
GitGot: The Swiss Army Chainsaw of Git Repo Management
GitGot: The Swiss Army Chainsaw of Git Repo ManagementGitGot: The Swiss Army Chainsaw of Git Repo Management
GitGot: The Swiss Army Chainsaw of Git Repo Management
 
Geb for browser automation
Geb for browser automationGeb for browser automation
Geb for browser automation
 

Similar to C++ The Principles of Most Surprise

Undefined Behavior and Compiler Optimizations (NDC Oslo 2018)
Undefined Behavior and Compiler Optimizations (NDC Oslo 2018)Undefined Behavior and Compiler Optimizations (NDC Oslo 2018)
Undefined Behavior and Compiler Optimizations (NDC Oslo 2018)Patricia Aas
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP
 
How to reverse engineer Android applications
How to reverse engineer Android applicationsHow to reverse engineer Android applications
How to reverse engineer Android applicationshubx
 
How to reverse engineer Android applications—using a popular word game as an ...
How to reverse engineer Android applications—using a popular word game as an ...How to reverse engineer Android applications—using a popular word game as an ...
How to reverse engineer Android applications—using a popular word game as an ...Christoph Matthies
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
New Ideas for Old Code - Greach
New Ideas for Old Code - GreachNew Ideas for Old Code - Greach
New Ideas for Old Code - GreachHamletDRC
 
Developing with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaDeveloping with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaJoe Stein
 
Open Source and Secure Coding Practices
Open Source and Secure Coding PracticesOpen Source and Secure Coding Practices
Open Source and Secure Coding PracticesAll Things Open
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Christian Schneider
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 AndroidTony Thomas
 
No liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failureNo liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failureRogue Wave Software
 
Questioning the status quo
Questioning the status quoQuestioning the status quo
Questioning the status quoIvano Pagano
 
Prometheus as exposition format for eBPF programs running on Kubernetes
Prometheus as exposition format for eBPF programs running on KubernetesPrometheus as exposition format for eBPF programs running on Kubernetes
Prometheus as exposition format for eBPF programs running on KubernetesLeonardo Di Donato
 
Advanced debugging  techniques in different environments
Advanced debugging  techniques in different environmentsAdvanced debugging  techniques in different environments
Advanced debugging  techniques in different environmentsAndrii Soldatenko
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...Hafez Kamal
 
Living With Legacy Code
Living With Legacy CodeLiving With Legacy Code
Living With Legacy CodeRowan Merewood
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisAndrey Karpov
 
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT TalksMykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT TalksVadym Muliavka
 
Breaking Dependencies Legacy Code - Cork Software Crafters - September 2019
Breaking Dependencies Legacy Code - Cork Software Crafters - September 2019Breaking Dependencies Legacy Code - Cork Software Crafters - September 2019
Breaking Dependencies Legacy Code - Cork Software Crafters - September 2019Paulo Clavijo
 

Similar to C++ The Principles of Most Surprise (20)

Undefined Behavior and Compiler Optimizations (NDC Oslo 2018)
Undefined Behavior and Compiler Optimizations (NDC Oslo 2018)Undefined Behavior and Compiler Optimizations (NDC Oslo 2018)
Undefined Behavior and Compiler Optimizations (NDC Oslo 2018)
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
 
How to reverse engineer Android applications
How to reverse engineer Android applicationsHow to reverse engineer Android applications
How to reverse engineer Android applications
 
How to reverse engineer Android applications—using a popular word game as an ...
How to reverse engineer Android applications—using a popular word game as an ...How to reverse engineer Android applications—using a popular word game as an ...
How to reverse engineer Android applications—using a popular word game as an ...
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
New Ideas for Old Code - Greach
New Ideas for Old Code - GreachNew Ideas for Old Code - Greach
New Ideas for Old Code - Greach
 
Developing with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaDeveloping with the Go client for Apache Kafka
Developing with the Go client for Apache Kafka
 
Open Source and Secure Coding Practices
Open Source and Secure Coding PracticesOpen Source and Secure Coding Practices
Open Source and Secure Coding Practices
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 
No liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failureNo liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failure
 
Clean Code 2
Clean Code 2Clean Code 2
Clean Code 2
 
Questioning the status quo
Questioning the status quoQuestioning the status quo
Questioning the status quo
 
Prometheus as exposition format for eBPF programs running on Kubernetes
Prometheus as exposition format for eBPF programs running on KubernetesPrometheus as exposition format for eBPF programs running on Kubernetes
Prometheus as exposition format for eBPF programs running on Kubernetes
 
Advanced debugging  techniques in different environments
Advanced debugging  techniques in different environmentsAdvanced debugging  techniques in different environments
Advanced debugging  techniques in different environments
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
 
Living With Legacy Code
Living With Legacy CodeLiving With Legacy Code
Living With Legacy Code
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code Analysis
 
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT TalksMykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
 
Breaking Dependencies Legacy Code - Cork Software Crafters - September 2019
Breaking Dependencies Legacy Code - Cork Software Crafters - September 2019Breaking Dependencies Legacy Code - Cork Software Crafters - September 2019
Breaking Dependencies Legacy Code - Cork Software Crafters - September 2019
 

More from Patricia Aas

NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfPatricia Aas
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introductionPatricia Aas
 
I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)Patricia Aas
 
Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Patricia Aas
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Patricia Aas
 
Classic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfPatricia Aas
 
Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Patricia Aas
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Patricia Aas
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Patricia Aas
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Patricia Aas
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)Patricia Aas
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Patricia Aas
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Patricia Aas
 
Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Patricia Aas
 
Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Patricia Aas
 
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Patricia Aas
 
Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)Patricia Aas
 
Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019) Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019) Patricia Aas
 
6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)Patricia Aas
 

More from Patricia Aas (20)

NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
 
Telling a story
Telling a storyTelling a story
Telling a story
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introduction
 
I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)
 
Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)
 
Classic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdf
 
Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)
 
Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019)
 
Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)
 
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)
 
Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)
 
Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019) Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019)
 
6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)
 

Recently uploaded

Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 

Recently uploaded (20)

Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 

C++ The Principles of Most Surprise

  • 2. All Your Code Are Belong To Us The Principle of Most Surprise Security Researchers Meetup 0x07 Patricia Aas T S @pati_gallardo Thank You to @volatile_void and @AmigaBeanbag for the title!
  • 3. Patricia Aas - Consultant T S C++ Programmer, Application Security Currently : T S Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science - main language Java Pronouns: she/her @pati_gallardo
  • 5. undefined behavior “Examples of undefined behavior are memory accesses outside of array bounds, signed integer overflow, null pointer dereference, modification of the same scalar more than once in an expression without sequence points, access to an object through a pointer of a different type, etc. Compilers are not required to diagnose undefined behavior (although many simple situations are diagnosed), and the compiled program is not required to do anything meaningful.” http://en.cppreference.com/w/cpp/language/ub @pati_gallardo 5
  • 6. Infinite Loop int main(void) { complex<int> delta; complex<int> mc[4] = {0}; for(int di = 0; di < 4; di++, delta = mc[di]) cout << di << endl; } (Thanks to @shafikyaghmour) https://stackoverflow.com/questions/32506643/c-compilation-bug Undefined Behavior: Access out of bounds @pati_gallardo 6
  • 7. Infinite Loop Want to give it a try? Compiler Explorer https://godbolt.org/g/TDjM8h Wandbox https://wandbox.org/permlink/aAFP2bMjA3um3L4K Github https://github.com/patricia-gallardo/insecure-coding-examples/ blob/master/vulnerable/infinite_loop.cpp @pati_gallardo (Thanks to @shafikyaghmour) https://stackoverflow.com/questions/32506643/c-compilation-bug7
  • 9. Schrödinger's Variable int main(void) { bool b; if (b) printf("truen"); if (!b) printf("falsen"); } Thanks to @olvemaudal Undefined Behavior: Access to uninitialized variable @pati_gallardo 9 gcc 4.7.1 -O0 true false
  • 10. Schrödinger's Variable Want to give it a try? Compiler Explorer (Gcc 4.7.1 -O0) https://godbolt.org/z/YnIDYj Compiler Explorer (Clang 7.0.0 -O3) https://godbolt.org/z/0Ov5WP @pati_gallardo 10 Thanks to @olvemaudal
  • 11. - Don’t reason about undefined behaviour - Assume that it crashes or is never executed - Changing compiler, compiler version or optimization level can break your application Undefined Behaviour 11
  • 13. @pati_gallardo The Case Of The Disappearing Memset @pati_gallardo
  • 14. CWE-14: Compiler Removal of Code to Clear Buffers void GetData(char *MFAddr) { char pwd[64]; if (GetPasswordFromUser(pwd, sizeof(pwd))) { if (ConnectToMainframe(MFAddr, pwd)) { // Interaction with mainframe } } memset(pwd, 0, sizeof(pwd)); } SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources @pati_gallardo 14 Dead store: removed by the optimizer
  • 15. Want to give it a try? https://godbolt.org/g/FpEsht SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources @pati_gallardo 15 CWE-14: Compiler Removal of Code to Clear Buffers
  • 16. Memset_s : Zeroing Memory // Compliant Solution (C11) memset_s(pwd, 0, sizeof(pwd)); // Windows Solution SecureZeroMemory(pwd, sizeof(pwd)); SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources @pati_gallardo 16
  • 18. T S P f . Patricia Aas, T S @pati_gallardo