(In)Security in C++

Training aimed at providing a foundation for C++ programmers in security for native applications.

  • Jan 16
    Clarion Hotel Oslo
    2 days
    08:00 - 16:00 UTC
    Patricia Aas
    11 990 NOK

SECURE CODING PRACTICES IN C++

The training will provide its students with:

  • vocabulary to understand reported vulnerabilities
  • knowledge on how to receive vulnerability reports professionally
  • knowledge on how to use tools to find and fix vulnerabilities in their own code
  • knowledge on how to design a more secure product
  • knowledge on how to design a CI/CD pipeline that will improve the security of their own codebase

PRACTICAL INFORMATION

  • Chat - Slack: Will be setup a week in advance to facilitate resolving of any technical issue
  • Exercises - Cloud VMs and a Cyber Dojo cloud instance: guarantees same environment

This training is explicitly targeted at C++ developers, though C developers will also benefit.

GOALS OF THE TRAINING

  • Demystify exploitation, show that exploitation is a mindset, not a set of techniques
  • Demonstrate the motivation for mitigations in the platforms, languages and tools
  • Show that C++ and C are not easy to reason about
  • Teach the students to recognize constructs that have a higher risk of having vulnerabilities
  • Teach the students which tools can be used to find bugs before others find them
  • Teach the students about tools they can use locally while coding
  • Teach the students about tools they can integrate in their CI/CD pipeline
  • Help them think about how security fits into the team context
  • Help them view their application in a new ways

Agenda

DAY 1 - INTRODUCTION, FUZZING AND NUMBERS

  • Meta: Training
  • Theory: Introduction and Specs
  • Mitigations: Tooling
  • Exploitable: UB and Compiler Optimizations
  • Theory: Address Sanitizer
  • Exploit: Heartbleed
  • Theory: Fuzzing (on Linux)
  • Theory: Debugging in gdb

DAY 2 - STACK BUFFER OVERFLOW, SHELLCODE AND GOOD PRACTICES

  • Mitigations: Stack Buffer Overflow
  • Exploit: Shellcode 1 (on Linux)
  • Exploit: Shellcode 2 (on Linux)
  • Practice: Secure Coding Practices 1
  • Discussion: Conclusion

Patricia Aas
Senior Consultant & CTO at TurtleSec AS

Patricia Aas is an international speaker and has spoken at CppCon, ACCU, C++OnSea, NDC Security, NDC Oslo and many other conferences on subjects ranging from Sandboxing in Chromium to Vulnerabilities in C++. She has taught a range of subjects in Computer Science at the University of Oslo.

Patricia has a masters degree in Computer Science and 13 years professional experience as a programmer, most of that time programming in C++. During that time she has worked in codebases with a high focus on security: two browsers (Opera and Vivaldi) and embedded Cisco telepresence systems.

    NDC Conferences uses cookies to see how you use our website. We also have embeds from YouTube and Vimeo. How do you feel about that?