Aussie AI

Safe C++ Research

Last Updated 1 April, 2025

by David Spuler, Ph.D.

Safe C++

Open Source Security Foundation (OpenSSF) Best Practices Working Group, 2024-10-04, Compiler Options Hardening Guide for C and C++, https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
Stack Exchange, 2013 (approx), What is the most hardened set of options for GCC compiling C/C++? https://security.stackexchange.com/questions/24444/what-is-the-most-hardened-set-of-options-for-gcc-compiling-c-c
OWASP, Oct 2024 (accesse), C-Based Toolchain Hardening Cheat Sheet, https://cheatsheetseries.owasp.org/cheatsheets/C-Based_Toolchain_Hardening_Cheat_Sheet.html
Gnu Org, Oct 2024 (accessed), C++ Standards Support in GCC, https://gcc.gnu.org/projects/cxx-status.html
CPP Reference, Oct 2024 (accessed), Concurrency support library (since C++11), https://en.cppreference.com/w/cpp/thread
Serge Guelton Siddhesh Poyarekar, Use compiler flags for stack protection in GCC and Clang, June 2, 2022, https://developers.redhat.com/articles/2022/06/02/use-compiler-flags-stack-protection-gcc-and-clang
Huzaifa Sidhpurwala, September 26, 2018, Security Technologies: FORTIFY_SOURCE, https://www.redhat.com/en/blog/security-technologies-fortifysource?extIdCarryOver=true&sc_cid=701f2000001OH7TAAW
Sean Baxter, Christian Mazakas, 2024-09-11, Safe C++, Document #D3390, https://safecpp.org/draft.html
Thomas Claburn, Mon 16 Sep 2024, The empire of C++ strikes back with Safe C++ blueprint, https://www.theregister.com/2024/09/16/safe_c_plusplus/
Vinnie Falco, Sep 12, 2024, Safe C++ Partnership, https://cppalliance.org/vinnie/2024/09/12/Safe-Cpp-Partnership.html
NSA, Nov. 10, 2022, NSA Releases Guidance on How to Protect Against Software Memory Safety Issues, Press Release, https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3215760/nsa-releases-guidance-on-how-to-protect-against-software-memory-safety-issues/
NSA, April 2022, Software Memory Safety, National Security Agency, Cybersecurity Information Sheet, U/OO/219936-22, PP-23-0782, APR 2023 Ver. 1.1, https://media.defense.gov/2022/Nov/10/2003112742/-1/-1/0/CSI_SOFTWARE_MEMORY_SAFETY.PDF
Thomas Claburn, Tue 20 Sep 2022, In Rust We Trust: Microsoft Azure CTO shuns C and C++, Mark Russinovich goes hardcore against old languages, https://www.theregister.com/2022/09/20/rust_microsoft_c/
Tim Anderson Thu 18 Jul 2019, Rust in peace: Memory bugs in C and C++ code cause security issues so Microsoft is considering alternatives once again. Redmond engineer hints at taking super-lang for a spin, https://www.theregister.com/2019/07/18/microsoft_rust_security/
Thomas Claburn, Thu 7 Dec 2023, Dump C++ and in Rust you should trust, Five Eyes agencies urge, Memory safety vulnerabilities need to be crushed with better code, https://www.theregister.com/2023/12/07/memory_correction_five_eyes/
Memory Safety, Oct 2024 (accessed), What is memory safety and why does it matter? https://www.memorysafety.org/docs/memory-safety/
The White House, February 26, 2024, Press Release: Future Software Should Be Memory Safe, https://www.whitehouse.gov/oncd/briefing-room/2024/02/26/press-release-technical-report/
The White House, Feb 2024, Back to the Building Blocks: A Path Toward Secure and Measurable Software. https://www.whitehouse.gov/wp-content/uploads/2024/02/Final-ONCD-Technical-Report.pdf
Thomas Claburn Sat 3 Aug 2024, DARPA suggests turning old C code automatically into Rust – using AI, of course, https://www.theregister.com/2024/08/03/darpa_c_to_rust/
Alex Gaynor, Aug 18, 2024, Safer C++, https://alexgaynor.net/2024/aug/18/safer-c-plus-plus/
Sergio De Simone, Oct 07, 2024, Safe C++ is a new Proposal to Make C++ Memory-Safe, https://www.infoq.com/news/2024/10/safe-cpp-proposal/
Bjarne Stroustrup, Herb Sutter, Oct 3, 2024, C++ Core Guidelines https://isocpp.github.io/CppCoreGuidelines/CppCoreGuidelines
Sunny Chatterjee, September 4, 2020, New safety rules in C++ Core Check, https://devblogs.microsoft.com/cppblog/new-safety-rules-in-c-core-check/
Bob Lord, December 06, 2023 (revised), The Urgent Need for Memory Safety in Software Products, CISA, https://www.cisa.gov/news-events/news/urgent-need-memory-safety-software-products
Chromium, Oct 2024 (accessed), Memory safety, https://www.chromium.org/Home/chromium-security/memory-safety/
Alex Gaynor, Mon, Aug 12, 2019, Introduction to Memory Unsafety for VPs of Engineering, https://alexgaynor.net/2019/aug/12/introduction-to-memory-unsafety-for-vps-of-engineering/
Diane Hosfelt, February 28, 2019, Implications of Rewriting a Browser Component in Rust, https://hacks.mozilla.org/2019/02/rewriting-a-browser-component-in-rust/
CISA, December 06, 2023, CISA Releases Joint Guide for Software Manufacturers: The Case for Memory Safe Roadmaps, https://www.cisa.gov/news-events/alerts/2023/12/06/cisa-releases-joint-guide-software-manufacturers-case-memory-safe-roadmaps
CISA, Dec 2023, The Case for Memory Safe Roadmaps, https://www.cisa.gov/case-memory-safe-roadmaps https://www.cisa.gov/sites/default/files/2023-12/The-Case-for-Memory-Safe-Roadmaps-508c.pdf https://www.cisa.gov/sites/default/files/2024-05/The-Case-for-Memory-Safe-Roadmaps-508c_ES.pdf
CISA, June 26, 2024, Exploring Memory Safety in Critical Open Source Projects, https://www.cisa.gov/resources-tools/resources/exploring-memory-safety-critical-open-source-projects https://www.cisa.gov/sites/default/files/2024-06/joint-guidance-exploring-memory-safety-in-critical-open-source-projects-508c.pdf
MSRC Team, July 18, 2019, We need a safer systems programming language, https://msrc.microsoft.com/blog/2019/07/we-need-a-safer-systems-programming-language/
Vladimir Kushnir, May 31, 2012, Safe C++: How to avoid common mistakes, O'Reilly Media, https://www.amazon.com/Safe-How-avoid-common-mistakes-ebook/dp/B00885RVNS/
John Lakos, Vittorio Romeo, Rostislav Khlebnikov, Alisdair Meredith, December 23, 2021, Embracing Modern C++ Safely, 1st Edition, Addison-Wesley Professional, https://www.amazon.com/Embracing-Modern-Safely-John-Lakos/dp/0137380356/
Rainer Grimm, April 22, 2022, C++ Core Guidelines Explained, 1st Edition, Addison-Wesley Professional, https://www.amazon.com/C-Core-Guidelines-Rainer-Grimm/dp/013687567X/
CWE, Oct 2024 (accessed), CWE VIEW: Software Development, Common Weakness Enumeration, https://cwe.mitre.org/data/definitions/699.html
IAR, Oct 2024 (accessed), Safety coding techniques for your application, https://www.iar.com/knowledge/learn/code-quality/safety-coding-techniques-for-your-application/
Les Pounder February 29, 2024, White House urges developers to avoid C and C++, use 'memory-safe' programming languages, https://www.tomshardware.com/software/security-software/white-house-urges-developers-to-avoid-c-and-c-use-memory-safe-programming-languages
Marc Samu, Oct 2024 (accessed), The Safe-C Programming Language, https://www.safe-c.org/presentation.en.html (A safe version of C developed in 2011.)
Rurban, Oct 2024 (accessed), Safe C Library - ISO TR24731 Bounds Checking Interface, https://rurban.github.io/safeclib/doc/safec-3.6.0/index.html (A version of the standard C library with extra safety.)
Hugo Martins, Oct 2024 (accessed), awesome-linters; A community-driven list of awesome linters, https://github.com/caramelomartins/awesome-linters
Albin Johansson, Carl Holmberg, Francisco Gomes De Oliveira Neto, and Philipp Leitner. 2024. The Impact of Compiler Warnings on Code Quality in C++ Projects. In Proceedings of the 32nd IEEE/ACM International Conference on Program Comprehension (ICPC '24). Association for Computing Machinery, New York, NY, USA, 270–279. https://doi.org/10.1145/3643916.3644410 https://dl.acm.org/doi/abs/10.1145/3643916.3644410 (Using compiler warnings correlations with higher quality metrics.)
Alex Rebert, Chandler Carruth, Jen Engel, Andy Qin, October 15, 2024, Safer with Google: Advancing Memory Safety, Google Security Blog, https://security.googleblog.com/2024/10/safer-with-google-advancing-memory.html
LLVM, Oct 2024 (accessed), libc++ documentation: Hardening Modes, https://libcxx.llvm.org/Hardening.html
Sean Baxter, Oct 15, 2024, Memory Safety without Lifetime Parameters, Document #D3444, https://safecpp.org/draft-lifetimes.html
David Spuler, Oct 2024, CUDA C++ Debugging: Safer GPU Kernel Programming, https://www.amazon.com/dp/B0DJJVDJBW/
Davidson Francis (Theldus), Nov 2024 (accessed), safemalloc: A safe wrapper for [m,c,re]alloc/free functions =), https://github.com/Theldus/safemalloc/tree/master (A safe malloc wrapper library that is thread-safe and MIT licensed.)
Kang Sun, Daliang Xu, Dongwei Chen, Xu Cheng, Dong Tong, 20 Apr 2020, S3Library: Automatically Eliminating C/C++ Buffer Overflow using Compatible Safer Libraries, https://arxiv.org/abs/2004.09062
Kumar Avijit, Prateek Gupta, and Deepak Gupta. Tied, libsafeplus: Tools for runtime buffer overflow protection. In USENIX Security Symposium, pages 45–56, 2004. https://www.usenix.org/conference/13th-usenix-security-symposium/tied-libsafeplus-tools-runtime-buffer-overflow-protection http://usenix.org/publications/library/proceedings/sec04/tech/full_papers/avijit/avijit_html/index.html http://usenix.org/publications/library/proceedings/sec04/tech/full_papers/avijit/avijit.pdf
Ayman Alheraki, October 2, 2024, Will C++26 Solve the Memory Safety Issue? https://simplifycpp.org/?id=a0310
Megan Crouse, November 4, 2024, Software Makers Encouraged to Stop Using C/C++ by 2026, https://www.techrepublic.com/article/cisa-fbi-memory-safety-recommendations/
CISA, October 16, 2024, Product Security Bad Practices, Request for Comment on Product Security Bad Practices Guidance, https://www.cisa.gov/resources-tools/resources/product-security-bad-practices
Clang, Nov 2024, C++ Safe Buffers, https://clang.llvm.org/docs/SafeBuffers.html
Sandor Dargo, Nov 2024, Use std::span instead of C-style arrays, https://www.sandordargo.com/blog/2024/11/06/std-span
Martin Sebor, February 22, 2017, Memory Error Detection Using GCC, https://developers.redhat.com/blog/2017/02/22/memory-error-detection-using-gcc
Martin Sebor, April 30, 2021, Detecting memory management bugs with GCC 11, Part 1: Understanding dynamic allocation, https://developers.redhat.com/blog/2021/04/30/detecting-memory-management-bugs-with-gcc-11-part-1-understanding-dynamic-allocation
Martin Sebor, May 5, 2021, Detecting memory management bugs with GCC 11, Part 2: Deallocation functions, https://developers.redhat.com/blog/2021/05/05/detecting-memory-management-bugs-with-gcc-11-part-2-deallocation-functions
Craig Hale, Nov 11, 2024, US government wants businesses to stop using C and C++, claims they are insecure, https://www.msn.com/en-us/news/technology/us-government-wants-businesses-to-stop-using-c-and-c-claims-they-are-insecure/ar-AA1tTg8r?ocid=BingNewsVerp
Bjarne Stroustrup, 2021-07-12 , Type-and-resource safety in modern C++, Doc. no. P2410r0, https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2021/p2410r0.pdf
Thomas Claburn, 12 Nov 2024 , To kill memory safety bugs in C code, try the TrapC fork. Memory-safe variant is planned for next year, https://www.theregister.com/2024/11/12/trapc_memory_safe_fork/
Robin Rowe, Nov 11, 2024, Safe Smart Contracts, TrapC: Memory Safe Fork of C, W2140 Bangkok, https://vimeo.com/1028578347
Tim Anderson, November 12, 2024, ISO C++ Chair Herb Sutter leaves Microsoft, declares forthcoming C++ 26 ‘most impactful release since C++11’, https://devclass.com/2024/11/12/iso-c-chair-herb-sutter-leaves-microsoft-declares-forthcoming-c-26-most-impactful-release-since-c11/
CppCon, Nov 2024, Peering Forward - C++’s Next Decade - Herb Sutter - CppCon 2024, https://www.youtube.com/watch?v=FNi1-x4pojs
Keishi Hattori, Sergei Glazunov, Bartek Nowierski, MiraclePtr team, January 11, 2024, MiraclePtr: protecting users from use-after-free vulnerabilities on more platforms Google Security Blog, https://security.googleblog.com/2024/01/miracleptr-protecting-users-from-use.html
Adrian Taylor, Bartek Nowierski and Kentaro Hara, MiraclePtr team September 13, 2022 Use-after-freedom: MiraclePtr, https://security.googleblog.com/2022/09/use-after-freedom-miracleptr.html
Anton Bikineev, Michael Lippautz and Hannes Payer, Chrome security team, May 26, 2022 Retrofitting Temporal Memory Safety on C++, https://security.googleblog.com/2022/05/retrofitting-temporal-memory-safety-on-c.html
Alex Rebert Christoph Kern 2024, Secure by Design: Google's Perspective on Memory Safety, Google Security Engineering, https://research.google/pubs/secure-by-design-googles-perspective-on-memory-safety/ https://storage.googleapis.com/gweb-research2023-media/pubtools/7665.pdf
ChuanqiXu, Nov 2024, [RFC] A ClangIR based Safe C++, Clang Frontend, https://discourse.llvm.org/t/rfc-a-clangir-based-safe-c/83245
duneroadrunner, Nov 2024, SaferCPlusPlus: About A collection of safe data types that are compatible with, and can substitute for, common unsafe native c++ types, https://github.com/duneroadrunner/SaferCPlusPlus
duneroadrunner, Oct 2024, scpptool: scpptool is a command line tool to help enforce a memory and data race safe subset of C++. https://github.com/duneroadrunner/scpptool
Nikita Popov, December 11, 2024, Making memcpy(NULL, NULL, 0) well-defined, https://developers.redhat.com/articles/2024/12/11/making-memcpynull-null-0-well-defined
David Cassel, Dec 6th, 2024, Google ‘Retrofits’ Spatial Memory Safety Onto C++, Google researchers showed they were able to "retrofit" spatial safety onto their C++ codebases, and to do it with a surprisingly low impact on performance. https://thenewstack.io/google-retrofits-spatial-memory-safety-onto-c/
Alex Rebert, Max Shavrick, and Kinuko Yasuda, November 15, 2024, Retrofitting spatial safety to hundreds of millions of lines of C++, https://security.googleblog.com/2024/11/retrofitting-spatial-safety-to-hundreds.html
Juan Vazquez, Feb 12, 2024, LLVM's 'RFC: C++ Buffer Hardening' at Google, https://bughunters.google.com/blog/6368559657254912/llvm-s-rfc-c-buffer-hardening-at-google
Aymeric Fromherz, Jonathan Protzenko, 19 Dec 2024, Compiling C to Safe Rust, Formalized, https://arxiv.org/abs/2412.15042
Aleksandra Uvarova, Dec 28 2024, Court is in session: Top 10 most notorious C and C++ errors in 2024, https://pvs-studio.com/en/blog/posts/cpp/1208/
Corentin Jabot, 2025-01-13 The Plethora of Problems With Profiles Document P3586R0, https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2025/p3586r0.html
C++ Stories, 20 January 2025, Improving Code Safety in C++26: Managers and Dangling References, https://www.cppstories.com/2025/cpp26-safety-temp/
Úlfar Erlingsson, 27 Mar 2025, How to Secure Existing C and C++ Software without Memory Safety, https://arxiv.org/pdf/2503.21145 (Examines four risk mitigation techniques for memory safety.)

Rust vs C++

Thomas Claburn, Tue 20 Sep 2022, In Rust We Trust: Microsoft Azure CTO shuns C and C++, Mark Russinovich goes hardcore against old languages, https://www.theregister.com/2022/09/20/rust_microsoft_c/
Tim Anderson Thu 18 Jul 2019, Rust in peace: Memory bugs in C and C++ code cause security issues so Microsoft is considering alternatives once again. Redmond engineer hints at taking super-lang for a spin, https://www.theregister.com/2019/07/18/microsoft_rust_security/
Thomas Claburn, Thu 7 Dec 2023, Dump C++ and in Rust you should trust, Five Eyes agencies urge, Memory safety vulnerabilities need to be crushed with better code, https://www.theregister.com/2023/12/07/memory_correction_five_eyes/
Diane Hosfelt, February 28, 2019, Implications of Rewriting a Browser Component in Rust, https://hacks.mozilla.org/2019/02/rewriting-a-browser-component-in-rust/
Aymeric Fromherz, Jonathan Protzenko, 19 Dec 2024, Compiling C to Safe Rust, Formalized, https://arxiv.org/abs/2412.15042

Memory Safety

Alex Rebert, Chandler Carruth, Jen Engel, Andy Qin, October 15, 2024, Safer with Google: Advancing Memory Safety, Google Security Blog, https://security.googleblog.com/2024/10/safer-with-google-advancing-memory.html
Sean Baxter, Oct 15, 2024, Memory Safety without Lifetime Parameters, Document #D3444, https://safecpp.org/draft-lifetimes.html
Mohamed Tarek Ibn Ziad, Sana Damani, Aamer Jaleel, Stephen W. Keckler, Mark Stephenson, June 19, 2023, cuCatch: A Debugging Tool for Efficiently Catching Memory Safety Violations in CUDA Applications, ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), Proceedings of the ACM on Programming Languages, Volume 7, Issue PLDI, Article No.: 111, Pages 124 - 147, https://doi.org/10.1145/359122 https://dl.acm.org/doi/10.1145/3591225 https://research.nvidia.com/publication/2023-06_cucatch-debugging-tool-efficiently-catching-memory-safety-violations-cuda https://dl.acm.org/doi/pdf/10.1145/3591225
Floris Gorter, Enrico Barberis, Raphael Isemann, Erik van der Kouwe, Cristiano Giuffrida, Herbert Bos, November 1, 2023, FloatZone: How Floating Point Additions can Detect Memory Errors, https://download.vusec.net/papers/floatzone_sec23.pdf https://github.com/vusec/floatzone
David Spuler, Oct 2024, CUDA C++ Debugging: Safer GPU Kernel Programming, https://www.amazon.com/dp/B0DJJVDJBW/
Davidson Francis (Theldus), Nov 2024 (accessed), safemalloc: A safe wrapper for [m,c,re]alloc/free functions =), https://github.com/Theldus/safemalloc/tree/master (A safe malloc wrapper library that is thread-safe and MIT licensed.)
Andreas Hager-Clukas and Konrad Hohentanner. 2024. DMTI: Accelerating Memory Error Detection in Precompiled C/C++ Binaries with ARM Memory Tagging Extension. In Proceedings of the 19th ACM Asia Conference on Computer and Communications Security (ASIA CCS '24). Association for Computing Machinery, New York, NY, USA, 1173–1185. https://doi.org/10.1145/3634737.3637655 https://dl.acm.org/doi/abs/10.1145/3634737.3637655 https://dl.acm.org/doi/pdf/10.1145/3634737.3637655
Kang Sun, Daliang Xu, Dongwei Chen, Xu Cheng, Dong Tong, 20 Apr 2020, S3Library: Automatically Eliminating C/C++ Buffer Overflow using Compatible Safer Libraries, https://arxiv.org/abs/2004.09062
Kumar Avijit, Prateek Gupta, and Deepak Gupta. Tied, libsafeplus: Tools for runtime buffer overflow protection. In USENIX Security Symposium, pages 45–56, 2004. https://www.usenix.org/conference/13th-usenix-security-symposium/tied-libsafeplus-tools-runtime-buffer-overflow-protection http://usenix.org/publications/library/proceedings/sec04/tech/full_papers/avijit/avijit_html/index.html http://usenix.org/publications/library/proceedings/sec04/tech/full_papers/avijit/avijit.pdf
Ayman Alheraki, October 2, 2024, Will C++26 Solve the Memory Safety Issue? https://simplifycpp.org/?id=a0310
Wikipedia, Oct 2024 (accessed), Buffer Overflow Protection, https://en.wikipedia.org/wiki/Buffer_overflow_protection
Zhenpeng Lin, Zheng Yu, Ziyi Guo, Simone Campanoni, Peter Dinda, and Xinyu Xing, 2023, CAMP:Compiler and Allocator-based Heap Memory Protection, https://www.usenix.org/system/files/sec23winter-prepub-402-lin.pdf
Adriaan Jacobs and Stijn Volckaert, DistriNet, KU Leuven Aug 2024, Not Quite Write: On the Effectiveness of Store-Only Bounds Checking, 18th USENIX WOOT Conference on Offensive Technologies. August 12–13, 2024 • Philadelphia, PA, USA, https://www.usenix.org/conference/woot24/presentation/jacobs https://www.usenix.org/system/files/woot24-jacobs.pdf
Megan Crouse, November 4, 2024, Software Makers Encouraged to Stop Using C/C++ by 2026, https://www.techrepublic.com/article/cisa-fbi-memory-safety-recommendations/
CISA, October 16, 2024, Product Security Bad Practices, Request for Comment on Product Security Bad Practices Guidance, https://www.cisa.gov/resources-tools/resources/product-security-bad-practices
CISA, December 06, 2023, The Case for Memory Safe Roadmaps, Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously, https://www.cisa.gov/resources-tools/resources/case-memory-safe-roadmaps https://www.cisa.gov/sites/default/files/2023-12/The-Case-for-Memory-Safe-Roadmaps-508c.pdf
CWE, Nov 2024 (accessed), CWE CATEGORY: Comprehensive Categorization: Memory Safety, Category ID: 1399, https://cwe.mitre.org/data/definitions/1399.html
Chris Riotta, October 17, 2024, CISA Unveils 'Exceptionally Risky' Software Bad Practices. CISA and FBI Warn Software Providers to Avoid Risky Development Practices, https://www.healthcareinfosecurity.com/cisa-unveils-exceptionally-risky-software-bad-practices-a-26556
CISA, Nov 2024 (accessed), Known Exploited Vulnerabilities Catalog, https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Clang, Nov 2024, C++ Safe Buffers, https://clang.llvm.org/docs/SafeBuffers.html
Sandor Dargo, Nov 2024, Use std::span instead of C-style arrays, https://www.sandordargo.com/blog/2024/11/06/std-span
Open Source Security Foundation (OpenSSF) Best Practices Working Group, 2024-10-31, Compiler Options Hardening Guide for C and C++ https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
Martin Sebor, February 22, 2017, Memory Error Detection Using GCC, https://developers.redhat.com/blog/2017/02/22/memory-error-detection-using-gcc
Martin Sebor, April 30, 2021, Detecting memory management bugs with GCC 11, Part 1: Understanding dynamic allocation, https://developers.redhat.com/blog/2021/04/30/detecting-memory-management-bugs-with-gcc-11-part-1-understanding-dynamic-allocation
Martin Sebor, May 5, 2021, Detecting memory management bugs with GCC 11, Part 2: Deallocation functions, https://developers.redhat.com/blog/2021/05/05/detecting-memory-management-bugs-with-gcc-11-part-2-deallocation-functions
Thomas Claburn, 12 Nov 2024 , To kill memory safety bugs in C code, try the TrapC fork. Memory-safe variant is planned for next year, https://www.theregister.com/2024/11/12/trapc_memory_safe_fork/
Robin Rowe, Nov 11, 2024, Safe Smart Contracts, TrapC: Memory Safe Fork of C, W2140 Bangkok, https://vimeo.com/1028578347
Tim Anderson, November 12, 2024, ISO C++ Chair Herb Sutter leaves Microsoft, declares forthcoming C++ 26 ‘most impactful release since C++11’, https://devclass.com/2024/11/12/iso-c-chair-herb-sutter-leaves-microsoft-declares-forthcoming-c-26-most-impactful-release-since-c11/
E. Vintila, P. Zieris and J. Horsch, "Evaluating the Effectiveness of Memory Safety Sanitizers," in 2025 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 2025, pp. 88-88, doi: 10.1109/SP61157.2025.00088. https://www.computer.org/csdl/proceedings-article/sp/2025/223600a088/21TfesaEHTy https://www.computer.org/csdl/pds/api/csdl/proceedings/download-article/21TfesaEHTy/pdf
Keishi Hattori, Sergei Glazunov, Bartek Nowierski, MiraclePtr team, January 11, 2024, MiraclePtr: protecting users from use-after-free vulnerabilities on more platforms Google Security Blog, https://security.googleblog.com/2024/01/miracleptr-protecting-users-from-use.html
Adrian Taylor, Bartek Nowierski and Kentaro Hara, MiraclePtr team September 13, 2022 Use-after-freedom: MiraclePtr, https://security.googleblog.com/2022/09/use-after-freedom-miracleptr.html
Anton Bikineev, Michael Lippautz and Hannes Payer, Chrome security team, May 26, 2022 Retrofitting Temporal Memory Safety on C++, https://security.googleblog.com/2022/05/retrofitting-temporal-memory-safety-on-c.html
Memory Safety, Nov 2024, What is memory safety and why does it matter?, https://www.memorysafety.org/docs/memory-safety/#how-common-are-memory-safety-vulnerabilities
Alex Rebert Christoph Kern 2024, Secure by Design: Google's Perspective on Memory Safety, Google Security Engineering, https://research.google/pubs/secure-by-design-googles-perspective-on-memory-safety/ https://storage.googleapis.com/gweb-research2023-media/pubtools/7665.pdf
onathan Woodruff, Robert N.M. Watson, David Chisnall, Simon W. Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G. Neumann, Robert Norton, and Michael Roe. 2014. The CHERI capability model: revisiting RISC in an age of risk. SIGARCH Comput. Archit. News 42, 3 (June 2014), 457–468. https://doi.org/10.1145/2678373.2665740 https://dl.acm.org/doi/10.1145/2678373.2665740 https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201406-isca2014-cheri.pdf
duneroadrunner, Nov 2024, SaferCPlusPlus: About A collection of safe data types that are compatible with, and can substitute for, common unsafe native c++ types, https://github.com/duneroadrunner/SaferCPlusPlus
duneroadrunner, Oct 2024, scpptool: scpptool is a command line tool to help enforce a memory and data race safe subset of C++. https://github.com/duneroadrunner/scpptool
Manos Pavlidakis, Giorgos Vasiliadis, Stelios Mavridis, Anargyros Argyros, Antony Chazapis, and Angelos Bilas. 2024. Guardian: Safe GPU Sharing in Multi-Tenant Environments. Proceedings of the 25th International Middleware Conference (MIDDLEWARE '24). Association for Computing Machinery, New York, NY, USA, 313–326. https://doi.org/10.1145/3652892.3700768 https://dl.acm.org/doi/abs/10.1145/3652892.3700768 https://arxiv.org/abs/2401.09290 (GPU bounds checking via PTX instrumentation with an average 9% overhead cost.)
Nikita Popov, December 11, 2024, Making memcpy(NULL, NULL, 0) well-defined, https://developers.redhat.com/articles/2024/12/11/making-memcpynull-null-0-well-defined
David Cassel, Dec 6th, 2024, Google ‘Retrofits’ Spatial Memory Safety Onto C++, Google researchers showed they were able to "retrofit" spatial safety onto their C++ codebases, and to do it with a surprisingly low impact on performance. https://thenewstack.io/google-retrofits-spatial-memory-safety-onto-c/
Alex Rebert, Max Shavrick, and Kinuko Yasuda, November 15, 2024, Retrofitting spatial safety to hundreds of millions of lines of C++, https://security.googleblog.com/2024/11/retrofitting-spatial-safety-to-hundreds.html
Juan Vazquez, Feb 12, 2024, LLVM's 'RFC: C++ Buffer Hardening' at Google, https://bughunters.google.com/blog/6368559657254912/llvm-s-rfc-c-buffer-hardening-at-google
Corentin Jabot, 2025-01-13 The Plethora of Problems With Profiles Document P3586R0, https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2025/p3586r0.html
C++ Stories, 20 January 2025, Improving Code Safety in C++26: Managers and Dangling References, https://www.cppstories.com/2025/cpp26-safety-temp/
S Wang, 2024, C++ Related Security Hardenings and Windows UI Analysis, Ph.D. Thesis, Computer Science, Binghamton University, State University of New York, https://www.proquest.com/openview/708fc6bdfeba6ee6701bf74fcacaf845/1?pq-origsite=gscholar&cbl=18750&diss=y
David Spuler, 7th March, 2025, 100 C++ Memory Safety Techniques, Aussie AI Blog, https://www.aussieai.com/blog/cpp-memory-safety
Úlfar Erlingsson, 27 Mar 2025, How to Secure Existing C and C++ Software without Memory Safety, https://arxiv.org/pdf/2503.21145 (Examines four risk mitigation techniques for memory safety.)
J Lee, E Chung, S Singh, S Na, Y Kim, J Lee, H Kim, March 2025, Let-Me-In:(Still) Employing In-pointer Bounds Metadata for Fine-grained GPU Memory Safety 2025 IEEE International Symposium on High Performance Computer Architecture (HPCA), https://seonjinna.github.io/assets/pdf/LMI_hpca25.pdf

Undefined Behavior

Undefined behavior is any types of operations where the results are not fully described by the C++ standard. Examples include uninitialized variables, null pointer dereferences, arithmetic overflows, and all sorts of other obscure malfeasance. The aim of Safe C++ is to either prevent or normalize all undefined behavior.

Papers and articles on undefined behavior in C++:

Nikita Popov, December 11, 2024, Making memcpy(NULL, NULL, 0) well-defined, https://developers.redhat.com/articles/2024/12/11/making-memcpynull-null-0-well-defined
David Cassel, Dec 6th, 2024, Google ‘Retrofits’ Spatial Memory Safety Onto C++, Google researchers showed they were able to "retrofit" spatial safety onto their C++ codebases, and to do it with a surprisingly low impact on performance. https://thenewstack.io/google-retrofits-spatial-memory-safety-onto-c/
Alex Rebert, Max Shavrick, and Kinuko Yasuda, November 15, 2024, Retrofitting spatial safety to hundreds of millions of lines of C++, https://security.googleblog.com/2024/11/retrofitting-spatial-safety-to-hundreds.html
Juan Vazquez, Feb 12, 2024, LLVM's 'RFC: C++ Buffer Hardening' at Google, https://bughunters.google.com/blog/6368559657254912/llvm-s-rfc-c-buffer-hardening-at-google

Memory Tagging

Memory tagging, also called pointer tagging, is a method of tagging addresses and pointer variables with extra information in relation to their status and safety.

Andreas Hager-Clukas and Konrad Hohentanner. 2024. DMTI: Accelerating Memory Error Detection in Precompiled C/C++ Binaries with ARM Memory Tagging Extension. In Proceedings of the 19th ACM Asia Conference on Computer and Communications Security (ASIA CCS '24). Association for Computing Machinery, New York, NY, USA, 1173–1185. https://doi.org/10.1145/3634737.3637655 https://dl.acm.org/doi/abs/10.1145/3634737.3637655 https://dl.acm.org/doi/pdf/10.1145/3634737.3637655
Seo, J., Bang, I., Cho, Y. et al. Exploring effective uses of the tagged memory for reducing bounds checking overheads. J Supercomput 79, 1032–1064 (2023). https://doi.org/10.1007/s11227-022-04694-y https://link.springer.com/article/10.1007/s11227-022-04694-y
Michael B. Sullivan, Mohamed Tarek Ibn Ziad, Aamer Jaleel, and Stephen W. Keckler. 2023. Implicit Memory Tagging: No-Overhead Memory Safety Using Alias-Free Tagged ECC. In Proceedings of the 50th Annual International Symposium on Computer Architecture (ISCA '23). Association for Computing Machinery, New York, NY, USA, Article 67, 1–13. https://doi.org/10.1145/3579371.3589102 https://dl.acm.org/doi/pdf/10.1145/3579371.3589102
Myoung Jin Nam, Periklis Akritidis, and David J Greaves. 2019. FRAMER: a tagged-pointer capability system with memory safety applications. In Proceedings of the 35th Annual Computer Security Applications Conference (ACSAC '19). Association for Computing Machinery, New York, NY, USA, 612–626. https://doi.org/10.1145/3359789.3359799 https://dl.acm.org/doi/abs/10.1145/3359789.3359799
Konrad Hohentanner, Philipp Zieris, and Julian Horsch. 2023. CryptSan: Leveraging ARM Pointer Authentication for Memory Safety in C/C++. In Proceedings of the 38th ACM/SIGAPP Symposium on Applied Computing (SAC '23). Association for Computing Machinery, New York, NY, USA, 1530–1539. https://doi.org/10.1145/3555776.3577635 https://dl.acm.org/doi/abs/10.1145/3555776.3577635
Kroes, T., 2020, How to Keep Your Memory Safe and Your Software Fast, https://research.vu.nl/ws/portalfiles/portal/107720519/941816.pdf (Uses pointer tagging.)
X. Wang, B. Zhang, C. Tang and L. Zhang, "Highly Comprehensive and Efficient Memory Safety Enforcement with Pointer Tagging," 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W), Brisbane, Australia, 2024, pp. 74-81, doi: 10.1109/DSN-W60302.2024.00026. https://ieeexplore.ieee.org/abstract/document/10646907
Lukas Bernhard, Michael Rodler, Thorsten Holz, Lucas Davi, 8 Mar 2022, xTag: Mitigating Use-After-Free Vulnerabilities via Software-Based Pointer Tagging on Intel x86-64, https://arxiv.org/abs/2203.04117
L. Bernhard, M. Rodler, T. Holz and L. Davit, "xTag: Mitigating Use-After-Free Vulnerabilities via Software-Based Pointer Tagging on Intel x86-64," 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), Genoa, Italy, 2022, pp. 502-519, doi: 10.1109/EuroSP53844.2022.00038. https://ieeexplore.ieee.org/abstract/document/9797369
CISA, December 06, 2023, The Case for Memory Safe Roadmaps, Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously, https://www.cisa.gov/resources-tools/resources/case-memory-safe-roadmaps https://www.cisa.gov/sites/default/files/2023-12/The-Case-for-Memory-Safe-Roadmaps-508c.pdf
K. Gondow and Y. Arahori, "EarlyDLDetect: an Early Root-Cause Locator of Dangling Pointers and Memory Leaks," in IEEE Access, doi: 10.1109/ACCESS.2024.3515133. https://ieeexplore.ieee.org/document/10792904 https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10792904 https://github.com/gondow/EarlyDLDetect
RangeSanitizer: Detecting Memory Errors with Efficient Range Checks Floris Gorter, Cristiano Giuffrida, Feb 2025, https://download.vusec.net/papers/rsan_sec25.pdf

Runtime Memory Checker Tools

Runtime memory checkers include tools like Valgrind or AddressSanitizer. There is a lot of research theory:

Andreas Hager-Clukas and Konrad Hohentanner. 2024. DMTI: Accelerating Memory Error Detection in Precompiled C/C++ Binaries with ARM Memory Tagging Extension. In Proceedings of the 19th ACM Asia Conference on Computer and Communications Security (ASIA CCS '24). Association for Computing Machinery, New York, NY, USA, 1173–1185. https://doi.org/10.1145/3634737.3637655 https://dl.acm.org/doi/abs/10.1145/3634737.3637655 https://dl.acm.org/doi/pdf/10.1145/3634737.3637655
Seo, J., Bang, I., Cho, Y. et al. Exploring effective uses of the tagged memory for reducing bounds checking overheads. J Supercomput 79, 1032–1064 (2023). https://doi.org/10.1007/s11227-022-04694-y https://link.springer.com/article/10.1007/s11227-022-04694-y
Michael B. Sullivan, Mohamed Tarek Ibn Ziad, Aamer Jaleel, and Stephen W. Keckler. 2023. Implicit Memory Tagging: No-Overhead Memory Safety Using Alias-Free Tagged ECC. In Proceedings of the 50th Annual International Symposium on Computer Architecture (ISCA '23). Association for Computing Machinery, New York, NY, USA, Article 67, 1–13. https://doi.org/10.1145/3579371.3589102 https://dl.acm.org/doi/pdf/10.1145/3579371.3589102
Myoung Jin Nam, Periklis Akritidis, and David J Greaves. 2019. FRAMER: a tagged-pointer capability system with memory safety applications. In Proceedings of the 35th Annual Computer Security Applications Conference (ACSAC '19). Association for Computing Machinery, New York, NY, USA, 612–626. https://doi.org/10.1145/3359789.3359799 https://dl.acm.org/doi/abs/10.1145/3359789.3359799
Emanuel Q. Vintila, Philipp Zieris, and Julian Horsch. 2021. MESH: A Memory-Efficient Safe Heap for C/C++. In Proceedings of the 16th International Conference on Availability, Reliability and Security (ARES '21). Association for Computing Machinery, New York, NY, USA, Article 16, 1–10. https://doi.org/10.1145/3465481.3465760 https://dl.acm.org/doi/abs/10.1145/3465481.3465760
Konrad Hohentanner, Philipp Zieris, and Julian Horsch. 2023. CryptSan: Leveraging ARM Pointer Authentication for Memory Safety in C/C++. In Proceedings of the 38th ACM/SIGAPP Symposium on Applied Computing (SAC '23). Association for Computing Machinery, New York, NY, USA, 1530–1539. https://doi.org/10.1145/3555776.3577635 https://dl.acm.org/doi/abs/10.1145/3555776.3577635
Kroes, T., 2020, How to Keep Your Memory Safe and Your Software Fast, https://research.vu.nl/ws/portalfiles/portal/107720519/941816.pdf (Uses pointer tagging.)
X. Wang, B. Zhang, C. Tang and L. Zhang, "Highly Comprehensive and Efficient Memory Safety Enforcement with Pointer Tagging," 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W), Brisbane, Australia, 2024, pp. 74-81, doi: 10.1109/DSN-W60302.2024.00026. https://ieeexplore.ieee.org/abstract/document/10646907
Lukas Bernhard, Michael Rodler, Thorsten Holz, Lucas Davi, 8 Mar 2022, xTag: Mitigating Use-After-Free Vulnerabilities via Software-Based Pointer Tagging on Intel x86-64, https://arxiv.org/abs/2203.04117
L. Bernhard, M. Rodler, T. Holz and L. Davit, "xTag: Mitigating Use-After-Free Vulnerabilities via Software-Based Pointer Tagging on Intel x86-64," 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), Genoa, Italy, 2022, pp. 502-519, doi: 10.1109/EuroSP53844.2022.00038. https://ieeexplore.ieee.org/abstract/document/9797369
Kaiming Huang, Jack Sampson, Mathias Payer, Gang Tan, Zhiyun Qian, Trent Jaeger, Oct 2024, Top of the Heap: Efficient Memory Error Protection of Safe Heap Objects, CCS ’24, October 14–18, 2024, Salt Lake City, UT, USA, https://doi.org/10.1145/3658644.3690310 https://nebelwelt.net/publications/files/24CCS.pdf
Ruizhe Wang, Meng Xu, N. Asokan, 29 May 2024 (v2), S2malloc: Statistically Secure Allocator for Use-After-Free Protection And More, https://arxiv.org/abs/2402.01894
Wikipedia, Oct 2024 (accessed), Buffer Overflow Protection, https://en.wikipedia.org/wiki/Buffer_overflow_protection
Zhenpeng Lin, Zheng Yu, Ziyi Guo, Simone Campanoni, Peter Dinda, and Xinyu Xing, 2023, CAMP:Compiler and Allocator-based Heap Memory Protection, https://www.usenix.org/system/files/sec23winter-prepub-402-lin.pdf
Adriaan Jacobs and Stijn Volckaert, DistriNet, KU Leuven Aug 2024, Not Quite Write: On the Effectiveness of Store-Only Bounds Checking, 18th USENIX WOOT Conference on Offensive Technologies. August 12–13, 2024 • Philadelphia, PA, USA, https://www.usenix.org/conference/woot24/presentation/jacobs https://www.usenix.org/system/files/woot24-jacobs.pdf
Mohamed Tarek Ibn Ziad, Sana Damani, Aamer Jaleel, Stephen W. Keckler, and Mark Stephenson. 2023. CuCatch: A Debugging Tool for Efficiently Catching Memory Safety Violations in CUDA Applications. Proc. ACM Program. Lang. 7, PLDI, Article 111 (June 2023), 24 pages. https://doi.org/10.1145/3591225 https://dl.acm.org/doi/abs/10.1145/3591225 PDF: https://dl.acm.org/doi/pdf/10.1145/3591225
Geoff Gerfin Vyas Venkataraman, Oct 2024, Debugging Experience with CUDA-GDB and CUDA-MEMCHECK, GPU Conference, https://picture.iczhiku.com/resource/paper/WhiSzdKjTtFhhNnm.pdf
E. Vintila, P. Zieris and J. Horsch, "Evaluating the Effectiveness of Memory Safety Sanitizers," in 2025 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 2025, pp. 88-88, doi: 10.1109/SP61157.2025.00088. https://www.computer.org/csdl/proceedings-article/sp/2025/223600a088/21TfesaEHTy https://www.computer.org/csdl/pds/api/csdl/proceedings/download-article/21TfesaEHTy/pdf
onathan Woodruff, Robert N.M. Watson, David Chisnall, Simon W. Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G. Neumann, Robert Norton, and Michael Roe. 2014. The CHERI capability model: revisiting RISC in an age of risk. SIGARCH Comput. Archit. News 42, 3 (June 2014), 457–468. https://doi.org/10.1145/2678373.2665740 https://dl.acm.org/doi/10.1145/2678373.2665740 https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201406-isca2014-cheri.pdf
Floris Gorter, Enrico Barberis, Raphael Isemann, Erik van der Kouwe, Cristiano Giuffrida, Herbert Bos, November 1, 2023, FloatZone: How Floating Point Additions can Detect Memory Errors, https://download.vusec.net/papers/floatzone_sec23.pdf https://github.com/vusec/floatzone
Felipe R. Monteiro, Erickson H. da S. Alves, Isabela S. Silva, Hussama I. Ismail, Lucas C. Cordeiro, and Eddie B. de Lima Filho. 2018. ESBMC-GPU A context-bounded model checking tool to verify CUDA programs. Sci. Comput. Program. 152, C (January 2018), 63–69. https://doi.org/10.1016/j.scico.2017.09.005 https://dl.acm.org/doi/10.1016/j.scico.2017.09.005 https://pure.manchester.ac.uk/ws/files/77048933/jscp2017.pdf
Zeyu Chen, Daiping Liu, Jidong Xiao, and Haining Wang. 2023. All Use-After-Free Vulnerabilities Are Not Created Equal: An Empirical Study on Their Characteristics and Detectability. In Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses (RAID '23). Association for Computing Machinery, New York, NY, USA, 623–638. https://doi.org/10.1145/3607199.3607229 https://dl.acm.org/doi/10.1145/3607199.3607229 https://vtechworks.lib.vt.edu/bitstream/handle/10919/116595/3607199.3607229.pdf
M Marini, DC D'Elia, M Payer, L Querzoni, Dec 2024, QMSan: Efficiently Detecting Uninitialized Memory Errors During Fuzzing, https://nebelwelt.net/files/25NDSS3.pdf (Binary instrumentation to detect UUM errors.)
K. Gondow and Y. Arahori, "EarlyDLDetect: an Early Root-Cause Locator of Dangling Pointers and Memory Leaks," in IEEE Access, doi: 10.1109/ACCESS.2024.3515133. https://ieeexplore.ieee.org/document/10792904 https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10792904 https://github.com/gondow/EarlyDLDetect
RangeSanitizer: Detecting Memory Errors with Efficient Range Checks Floris Gorter, Cristiano Giuffrida, Feb 2025, https://download.vusec.net/papers/rsan_sec25.pdf

Floating-Point Runtime Error Checkers

Research papers on tools that detect floating-point errors and exceptions at runtime:

Lawrence Livermore National Laboratory, Oct 024, FP Checker: dynamic analysis tool to detect floating-point errors in HPC applications, https://fpchecker.org/index.html https://github.com/LLNL/FPChecker
Laguna, Ignacio. "FPChecker: Detecting Floating-point Exceptions in GPU Applications." In 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 1126-1129. IEEE, 2019. https://ieeexplore.ieee.org/abstract/document/8952258 https://www.osti.gov/servlets/purl/1574625
Michael Bentley, Ian Briggs, Ganesh Gopalakrishnan, Ignacio Laguna, Harshitha Menon, Tristan Vanderbruggen, Cindy Rubio González, 2020, FPChecker Detecting Floating-Point Exceptions in GPUs, https://fpanalysistools.org/pearc19/slides/Module-FPChecker.pdf
Ignacio Laguna, Xinyi Li, and Ganesh Gopalakrishnan. 2022. BinFPE: accurate floating-point exception detection for GPU applications. In Proceedings of the 11th ACM SIGPLAN International Workshop on the State Of the Art in Program Analysis (SOAP 2022). Association for Computing Machinery, New York, NY, USA, 1–8. https://doi.org/10.1145/3520313.3534655 https://dl.acm.org/doi/10.1145/3520313.3534655 https://dl.acm.org/doi/pdf/10.1145/3520313.3534655 https://github.com/LLNL/BinFPE
Xinyi Li, Ignacio Laguna, Katarzyna Swirydowicz, Bo Fang, Ang Li, and Ganesh Gopalakrishnan. Design and evaluation of GPU-FPX: A low-overhead tool for floating-point excep tion detection in NVIDIA GPUs. In ACM HPDC 2023, 2023. doi:10.11578/dc.20230713.4. https://dl.acm.org/doi/pdf/10.1145/3588195.3592991
Peter Dinda, Alex Bernat, and Conor Hetland. Spying on the Floating Point Behavior of Existing, Unmodified Sci entific Applications. In HPDC, pages 5–16. ACM, 2020. doi:10.1145/3369583.3392673. http://pdinda.org/Papers/hpdc20.pdf

Secure C++

John Viega, Matt Messier, 19 August 2003, Secure Programming Cookbook for C and C++, https://www.amazon.com/Secure-Programming-Cookbook-C/dp/0596003943/
Robert C. Seacord, 2 April 2013, Secure Coding in C and C++ (SEI Series in Software Engineering), Addison-Wesley Professional, https://www.amazon.com/Secure-Coding-Robert-C-Seacord/dp/0321822137/
Robert C. Seacord, 25 April 2014, CERT® C Coding Standard, Second Edition, The: 98 Rules for Developing Safe, Reliable, and Secure Systems (SEI Series in Software Engineering) 2nd Edition, Addison-Wesley Professional, https://www.amazon.com/dp/B00JXMO1CE/
CMU, Robert Schiela, Feb 14, 2024, SEI CERT C++ Coding Standard https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88046682
Frank M. Carrano,, Timothy M. Henry, 6 February 2024, Secure Data Structures and Algorithms with C++: Walls and Mirrors, 8th edition , Pearson;, https://www.amazon.com/Secure-Data-Structures-Algorithms-Mirrors-ebook/dp/B0CV7SHRWY/
Sandipan Roy, Mar 23, 2023, 10 Essential Tips for Writing Secure C++ Code, https://medium.com/@bytehackr/10-essential-tips-for-writing-secure-c-code-best-practices-and-safer-alternatives-bb4800b8e5a2
David Svoboda, April 17, 2017, CERT C++ Secure Coding Guidelines, https://insights.sei.cmu.edu/blog/cert-c-secure-coding-guidelines/
CMU, March 14, 2017, SEI CERT C++ Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems (2016 Edition), CERT Research Report, https://insights.sei.cmu.edu/library/sei-cert-c-coding-standard-rules-for-developing-safe-reliable-and-secure-systems-2016-edition-2/
CMU, June 30, 2016, SEI CERT C Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems (2016 Edition), CERT Research Report, https://insights.sei.cmu.edu/library/sei-cert-c-coding-standard-rules-for-developing-safe-reliable-and-secure-systems-2016-edition/ (This is for C not C++.)
CMU, Robert Schiela, Sep 19, 2024 SEI CERT Coding Standards https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards
Microsoft contributors, 08/03/2021, Security Best Practices for C++, https://learn.microsoft.com/en-us/cpp/security/security-best-practices-for-cpp?view=msvc-170
Aaron Ballman, September 26, 2016, Secure Coding in C++11 and C++14, https://insights.sei.cmu.edu/blog/secure-coding-in-c11-and-c14/
Alexander Obregon, Jun 24, 2024, Secure Coding Practices in C++, https://medium.com/@AlexanderObregon/secure-coding-practices-in-c-12b756af90fe
Microsoft contributors, 09/28/2023, Build reliable and secure C++ programs, https://learn.microsoft.com/en-us/cpp/code-quality/build-reliable-secure-programs?view=msvc-170
MSRC Team, July 16, 2019, A proactive approach to more secure code, https://msrc.microsoft.com/blog/2019/07/a-proactive-approach-to-more-secure-code/
Chromium, Oct 2024 (accessed), Memory safety, https://www.chromium.org/Home/chromium-security/memory-safety/
Google, October 3, 2024, Project Zero. News and updates from the Project Zero team at Google, https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html
Ben Hawkes, 2019-05-15, 0day "In the Wild", Google, https://googleprojectzero.blogspot.com/p/0day.html
Alex Rebert, Christoph Kern, 2024, Secure by Design: Google's Perspective on Memory Safety, Google Security Engineering, https://research.google/pubs/secure-by-design-googles-perspective-on-memory-safety/
CISA, October 16, 2024, Product Security Bad Practices, Request for Comment on Product Security Bad Practices Guidance, https://www.cisa.gov/resources-tools/resources/product-security-bad-practices
CISA, December 06, 2023, The Case for Memory Safe Roadmaps, Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously, https://www.cisa.gov/resources-tools/resources/case-memory-safe-roadmaps https://www.cisa.gov/sites/default/files/2023-12/The-Case-for-Memory-Safe-Roadmaps-508c.pdf
Craig Hale, Nov 11, 2024, US government wants businesses to stop using C and C++, claims they are insecure, https://www.msn.com/en-us/news/technology/us-government-wants-businesses-to-stop-using-c-and-c-claims-they-are-insecure/ar-AA1tTg8r?ocid=BingNewsVerp
Phoebe Lee and Kristina Joos, Jan 25, 2024, Advancing Production AI with NVIDIA AI Enterprise, https://developer.nvidia.com/blog/advancing-production-ai-with-nvidia-ai-enterprise/ ("... advances in NVIDIA AI software deliver up to 54% performance gains without a hardware upgrade...")

Use-After-Free Errors

Research papers on use-after-free vulnerabilities:

Keishi Hattori, Sergei Glazunov, Bartek Nowierski, MiraclePtr team, January 11, 2024, MiraclePtr: protecting users from use-after-free vulnerabilities on more platforms Google Security Blog, https://security.googleblog.com/2024/01/miracleptr-protecting-users-from-use.html
Adrian Taylor, Bartek Nowierski and Kentaro Hara, MiraclePtr team September 13, 2022 Use-after-freedom: MiraclePtr, https://security.googleblog.com/2022/09/use-after-freedom-miracleptr.html
Anton Bikineev, Michael Lippautz and Hannes Payer, Chrome security team, May 26, 2022 Retrofitting Temporal Memory Safety on C++, https://security.googleblog.com/2022/05/retrofitting-temporal-memory-safety-on-c.html
Memory Safety, Nov 2024, What is memory safety and why does it matter?, https://www.memorysafety.org/docs/memory-safety/#how-common-are-memory-safety-vulnerabilities
Zeyu Chen, Daiping Liu, Jidong Xiao, and Haining Wang. 2023. All Use-After-Free Vulnerabilities Are Not Created Equal: An Empirical Study on Their Characteristics and Detectability. In Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses (RAID '23). Association for Computing Machinery, New York, NY, USA, 623–638. https://doi.org/10.1145/3607199.3607229 https://dl.acm.org/doi/10.1145/3607199.3607229 https://vtechworks.lib.vt.edu/bitstream/handle/10919/116595/3607199.3607229.pdf
B. Gui, W. Song, H. Xiong and J. Huang, "Automated Use-After-Free Detection and Exploit Mitigation: How Far Have We Gone?," in IEEE Transactions on Software Engineering, vol. 48, no. 11, pp. 4569-4589, 1 Nov. 2022, doi: 10.1109/TSE.2021.3121994. https://ieeexplore.ieee.org/document/9583875
Lukas Bernhard, Michael Rodler, Thorsten Holz, Lucas Davi, 8 Mar 2022, xTag: Mitigating Use-After-Free Vulnerabilities via Software-Based Pointer Tagging on Intel x86-64, https://arxiv.org/abs/2203.04117
H. Wei, L. Chen, X. Nie, Z. Zhang, Y. Zhang and G. Shi, "An Efficient Metric-Based Approach for Static Use-After-Free Detection," 2022 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom), Melbourne, Australia, 2022, pp. 58-65, doi: 10.1109/ISPA-BDCloud-SocialCom-SustainCom57177.2022.00015. https://ieeexplore.ieee.org/document/10070682
Floris Gorter, Koen Koning, Herbert Bos, and Cristiano Giuffrida. 2022. DangZero: Efficient Use-After-Free Detection via Direct Page Table Access. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS '22). Association for Computing Machinery, New York, NY, USA, 1307–1322. https://doi.org/10.1145/3548606.3560625 https://dl.acm.org/doi/10.1145/3548606.3560625 https://download.vusec.net/papers/dangzero_ccs22.pdf https://github.com/vusec/dangzero
K. Gondow and Y. Arahori, "EarlyDLDetect: an Early Root-Cause Locator of Dangling Pointers and Memory Leaks," in IEEE Access, doi: 10.1109/ACCESS.2024.3515133. https://ieeexplore.ieee.org/document/10792904 https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10792904 https://github.com/gondow/EarlyDLDetect

Bounds Checking

Research papers on bounds checking:

Sandor Dargo, Nov 2024, Use std::span instead of C-style arrays, https://www.sandordargo.com/blog/2024/11/06/std-span
Open Source Security Foundation (OpenSSF) Best Practices Working Group, 2024-10-31, Compiler Options Hardening Guide for C and C++ https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
Martin Sebor, February 22, 2017, Memory Error Detection Using GCC, https://developers.redhat.com/blog/2017/02/22/memory-error-detection-using-gcc
Martin Sebor, April 30, 2021, Detecting memory management bugs with GCC 11, Part 1: Understanding dynamic allocation, https://developers.redhat.com/blog/2021/04/30/detecting-memory-management-bugs-with-gcc-11-part-1-understanding-dynamic-allocation
Martin Sebor, May 5, 2021, Detecting memory management bugs with GCC 11, Part 2: Deallocation functions, https://developers.redhat.com/blog/2021/05/05/detecting-memory-management-bugs-with-gcc-11-part-2-deallocation-functions
Manos Pavlidakis, Giorgos Vasiliadis, Stelios Mavridis, Anargyros Argyros, Antony Chazapis, and Angelos Bilas. 2024. Guardian: Safe GPU Sharing in Multi-Tenant Environments. Proceedings of the 25th International Middleware Conference (MIDDLEWARE '24). Association for Computing Machinery, New York, NY, USA, 313–326. https://doi.org/10.1145/3652892.3700768 https://dl.acm.org/doi/abs/10.1145/3652892.3700768 https://arxiv.org/abs/2401.09290 (GPU bounds checking via PTX instrumentation with an average 9% overhead cost.)
David Cassel, Dec 6th, 2024, Google ‘Retrofits’ Spatial Memory Safety Onto C++, Google researchers showed they were able to "retrofit" spatial safety onto their C++ codebases, and to do it with a surprisingly low impact on performance. https://thenewstack.io/google-retrofits-spatial-memory-safety-onto-c/
Alex Rebert, Max Shavrick, and Kinuko Yasuda, November 15, 2024, Retrofitting spatial safety to hundreds of millions of lines of C++, https://security.googleblog.com/2024/11/retrofitting-spatial-safety-to-hundreds.html
Juan Vazquez, Feb 12, 2024, LLVM's 'RFC: C++ Buffer Hardening' at Google, https://bughunters.google.com/blog/6368559657254912/llvm-s-rfc-c-buffer-hardening-at-google

Refactoring

Research papers on refactoring:

David Spuler, March 2024, Chapter 40. Reliability, Generative AI in C++: Coding Transformers and LLMs, https://www.amazon.com/dp/B0CXJKCWX9
Jonatan Kruszewski, Oct 2024, Why Zero Tech Debt is a Myth (and Maybe a Red Flag), https://levelup.gitconnected.com/why-zero-tech-debt-is-a-myth-and-maybe-a-red-flag-4a83ebc66e60
Josh Fruhlinger, Dec 02, 2024, Refactoring AI code: The good, the bad, and the weird, https://www.infoworld.com/article/3610521/refactoring-ai-code-the-good-the-bad-and-the-weird.html
Benjamin Ritz, Aleksandar Karakaš, Denis Helic, 24 Feb 2025, Refactoring Detection in C++ Programs with RefactoringMiner++, https://arxiv.org/abs/2502.17716 https://cloud.tugraz.at/index.php/s/oCzmjfFSaBxNZoe

Safe C++ Blog Articles

Safe C++ Book

The new Safe C++ coding book by David Spuler:

Memory Safety
Rust versus C++
The Safe C++ Standard
Pragmatic Memory Safety

Get your copy from Amazon: Safe C++: Fixing Memory Safety Issues