GrabYourPitchforks

Sample threat model for MCP weather API tutorial

Introduction

This is a sample showing how to threat model a library API. This model applies the "Introduction to Trust" principles to the C# helper functions located at https://modelcontextprotocol.io/quickstart/server as of Apr. 10, 2025 (Internet Archive link).

This sample discusses:

• applying the "Introduction to Trust" guidance to take a structured approach to reasoning about assumptions, inputs, and data flows;
• assessing these in the context of cross-party contract fulfillment;
• applying reasonable beliefs to simplify our threat analysis;

GrabYourPitchforks

Memory<T> usage guidelines

This document describes the relationship between Memory<T> and its related classes (MemoryPool<T>, IMemoryOwner<T>, etc.). It also describes best practices when accepting Memory<T> instances in public API surface. Following these guidelines will help developers write clear, bug-free code.

First, a tour of the basic exchange types

• Span<T> is the basic exchange type that represents contiguous buffers. These buffers may be backed by managed memory (such as T[] or System.String). They may also be backed by unmanaged memory (such as via stackalloc or a raw void*). The Span<T> type is not heapable, meaning that it cannot appear as a field in classes, and it cannot be used across yield or await boundaries.

• Memory is a wrapper around an object that can generate a Span. For instance, Memory instances can be backed by T[], System.String (readonly), and even SafeHandle instances. Memory cannot be backed by "transient" unmanaged me

GrabYourPitchforks

using System;

// It's a bit naive in that it performs more copies than necessary, but it's clearly linear time.
// The extra copies and other overhead can be optimized away if needed.
// [Yes, it's a naive implementation of radix sort. :)]

static void Sort(Span<uint> span)
{
    Span<uint> scratch = new uint[span.Length];

GrabYourPitchforks

Memory<T> API documentation and samples

This document describes the APIs of Memory<T>, IMemoryOwner<T>, and MemoryManager<T> and their relationships to each other.

See also the Memory<T> usage guidelines document for background information.

First, a brief summary of the basic types

• Memory<T> is the basic type that represents a contiguous buffer. This type is a struct, which means that developers cannot subclass it and override the implementation. The basic implementation of the type is aware of contigious memory buffers backed by T[] and System.String (in the case of ReadOnlyMemory<char>).

GrabYourPitchforks

// 'valueIfTrue' and 'valueIfFalse' really should be compile-time constants for maximum throughput.
[MethodImpl(MethodImplOptions.AggressiveInlining)]
private static int ConditionalSelect(bool condition, int valueIfTrue, int valueIfFalse)
{
    // From https://software.intel.com/sites/default/files/managed/9e/bc/64-ia-32-architectures-optimization-manual.pdf
    // Example 3.2. We're taking advantage of the fact that bools are passed by value as 32-bit integers,
    // so we'll blit it directly into a 1 or a 0 without a jump.
    // Codegen will emit a movzx, but on Ivy Bridge (and later) the CPU itself elides the instruction.
    return ((-Unsafe.As<bool, int>(ref condition)) & (valueIfTrue - valueIfFalse)) + valueIfFalse;
}

GrabYourPitchforks

using System;
using System.Buffers;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Runtime.Intrinsics;
using System.Runtime.Intrinsics.X86;
using System.Text;
using System.Text.Unicode;
using BenchmarkDotNet.Attributes;

GrabYourPitchforks

Problem summary

While working on the System.Text.Encodings.Web refactoring I noticed that we have several duplicates of the System.Text.Rune type (or its backing logic) throughout our projects.

The official implementation exposed by System.Runtime:

• https://github.com/dotnet/runtime/blob/main/src/libraries/System.Private.CoreLib/src/System/Text/Rune.cs

A copy used by the Utf8String OOB:

• https://github.com/dotnet/runtimelab/blob/feature/Utf8String/src/libraries/System.Utf8String.Experimental/ref/System.Utf8String.Experimental.Rune.cs

GrabYourPitchforks

using System;
using System.Runtime.InteropServices;
using System.Text;

class Program
{
    static void Main(string[] args)
    {
        {
            // the text below is meaningless

GrabYourPitchforks

public sealed class PublicKeyToken : IEquatable<PublicKeyToken>
{
    public PublicKeyToken(byte[] publicKeyTokenBytes);
    public PublicKeyToken(ReadOnlySpan<byte> publicKeyTokenBytes);
    public PublicKeyToken(string publicKeyTokenHexString);
    public PublicKeyToken(ReadOnlySpan<char> publicKeyTokenHexString);

    public ReadOnlySpan<byte> RawBytes { get; }
    public string TokenString { get; }
    public byte[] GetPublicKeyTokenBytes();

GrabYourPitchforks

Problem statement and core scenario

We want to introduce the idea of a value type where the underlying data is only ever "live" in at most one place. The canonical example is the internal ValueStringBuilder struct type, which performs internal ArrayPool management.

ValueStringBuilder builder = new ValueStringBuilder(); // VSB is a struct type
builder.Append("foo");
builder.Append(obj);
HelperMethod(ref builder); // builder passed by ref to helper methods
return builder.ToString(); // ToString releases underlying rented arrays back to pool