Compared with other technologies, C and C++ pose unique and difficult challenges to the process of continuously writing and delivering quality code without security issues. The great power that a developer possesses over e.g. memory management results in the responsibility to write code that deals properly with object lifecycles, manages buffers correctly and many other aspects that have no equivalent in languages with automatic memory management.
This hands-on course is focused on introducing developers to the most critical mistakes that are made when writing C and C++ code, as well as how to properly mitigate them at the language and OS level and what exactly is the impact of such vulnerabilities – how an attacker could exploit buffer overflows, integer flaws or race conditions. The course is focused on the Linux platform, as many of the attack and mitigation techniques are OS-specific.
- Buffer Overflows
- Integer Security
- Integer rules in C and C++
- Vulnerabilities and mitigation
- Format String Vulnerabilities
- Linux File and I/O security
- File attributes in Linux
- TOCTOU vulnerabilities
- Path resolution and dynamic library injection
- Basics of Secure Network Programming
- Basics of Static and Dynamic analysis and countermeasures
Ideal for: The course is technical and the targeted participants are developers that use C and/or C++ on a daily basis, but have no particular experience in binary security.
Prerequisites: Knowledge of Linux, C and/or C++ and their respective toolchains.
Participants should bring a laptop/notebook with a Linux installation and the standard build toolchain for Linux – gcc, gdb, as well as any IDE/tools they have preference for.
Certificate: Upon successful completion of the course, attendees will receive a certificate from ESI CEE.