IQSOFT - John Brice Oktatóközpont
IT Leadership Development Program - ITLDP

Secure C/C++ Programming

Tanfolyam célja

The training gives an insight to the typical C/C++ security relevant programming bugs like Buffer Overflows (BoF), printf format string bug (PFS), unicode bug, integer problems and covert channel attacks. Participants will learn how to find and correct these problems through several source code examples. Practical exercises will also provide a step-by-step introduction of the attacking techniques that exploit these common security vulnerabilities and the specific protection measures that can be applied at the architecture level to prevent the occurrences of these dangerous bugs, detect them before market launch or prevent their exploitation.
Aim of this training is to teach C/C++ developers how to write secure code and how to apply such architecture and coding level programming techniques that can avoid security relevant bugs and/or limit their exploitation.

Tematika

1. Fighting security flaws and vulnerabilities

  • Basic Security Concepts
    • Threat, damage and risk
    • Confidentiality, integrity and availability
  • Security vulnerabilities at large
    • Dangers of exploitable security vulnerabilities
    • Process of a typical attack
    • Technical, economical and political initiatives
    • Secure software development methods
  • Security vulnerabilities and countermeasure knowledge sources
    • Categorization of security flaws
    • Organizations - sources of vulnerabilities and countermeasures
    • Standards and guidelines
    • Legal background

2. Security relevant programming bugs and flaws

  • Common Security Vulnerabilities
    • Stack overflow (introduction to stack operations, buffer overflow, exploitation techniques)
    • Heap overflow (introduction to dynamic memory management, effects of memory corruption, exploitation techniques)
    • Integer vulnerabilities (widthness integer overflow, arithmetical overflow, signedness bug, impacts)
    • String vulnerabilities (processing printf format string parameters, cause of the flaw, exploitation techniques)
    • Array indexing error / Unicode bug
    • Side channel attacks
    • TOCTTOU - Time-of-checking-to-time-of-usage / Serialization errors / Racing conditions
    • File I/O risks, Directory Traversal Vulnerability (DTV)
    • Unsecure threads, risks using signaling mechanisms
    • Shared libraries / DLLs
    • C++ specific flaws and vulnerabilities
  • Other related vulnerabilities
    • Injection attacks (SQL-, Command-, DLL-, code-injection, XSS cross site scripting)
    • XML vulnerabilities
    • Security protocol vulnerabilities

3. Protection against security flaws

  • Countermeasures and strategies
    • Security design and protection principles
    • Specific protections against most frequent errors
    • Specific protection measures at different layers
  • Specific protection methods
    • Stack overflow
    • Heap overflow
    • Integer vulnerabilities
    • Covert channels
  • Software development principles
    • Saltzer's secure coding principles
    • Bishop's robust programming principles
    • Other handy principles
Kinek ajánljuk
Előfeltételek

Solid experience in C/C++ programming

Kapcsolódó tanfolyamok