(In)Security in C++

SECURE CODING PRACTICES IN C++

The training will provide its students with:

• vocabulary to understand reported vulnerabilities
• knowledge on how to receive vulnerability reports professionally
• knowledge on how to use tools to find and fix vulnerabilities in their own code
• knowledge on how to design a more secure product
• knowledge on how to design a CI/CD pipeline that will improve the security of their own codebase

PRACTICAL INFORMATION

• Chat - Slack: Will be setup a week in advance to facilitate resolving of any technical issue
• Exercises - Cloud VMs and a Cyber Dojo cloud instance: guarantees same environment

This training is explicitly targeted at C++ developers, though C developers will also benefit.

GOALS OF THE TRAINING

• Demystify exploitation, show that exploitation is a mindset, not a set of techniques
• Demonstrate the motivation for mitigations in the platforms, languages and tools
• Show that C++ and C are not easy to reason about
• Teach the students to recognize constructs that have a higher risk of having vulnerabilities
• Teach the students which tools can be used to find bugs before others find them
• Teach the students about tools they can use locally while coding
• Teach the students about tools they can integrate in their CI/CD pipeline
• Help them think about how security fits into the team context
• Help them view their application in a new ways

Agenda

DAY 1 - INTRODUCTION, FUZZING AND NUMBERS

• Meta: Training
• Theory: Introduction and Specs
• Mitigations: Tooling
• Exploitable: UB and Compiler Optimizations
• Theory: Address Sanitizer
• Exploit: Heartbleed
• Theory: Fuzzing (on Linux)
• Theory: Debugging in gdb

DAY 2 - STACK BUFFER OVERFLOW, SHELLCODE AND GOOD PRACTICES

• Mitigations: Stack Buffer Overflow
• Exploit: Shellcode 1 (on Linux)
• Exploit: Shellcode 2 (on Linux)
• Practice: Secure Coding Practices 1
• Discussion: Conclusion