Workshop: (In)Security in C++

The course teaches C++ developers fundamental concepts from Exploit Development and Reverse Engineering, and uses these concepts to demonstrate common vulnerabilities in C++ codebases. This background is used to help the students to view their code from an attacker’s perspective. They develop a sense of what common vulnerable constructs in C++ look like, and also which tools can help them find different types of vulnerabilities in their existing code bases.

Attendees can expect to gain

  • A basic understanding of the mindset of an exploit developer
  • An understanding of assembly
  • Good grasp of tooling that can be used to find vulnerable constructs
  • Good idea of things to look for in code reviews
  • Good overview of Secure Coding Practices in C++

Secure Coding Practices

The Secure Coding Practices taught are largely based on the C++ Core Guidelines, the Common Weakness Enumeration (CWE) and the SEI CERT Coding Standards for C++.


The attendees are assumed to be proficient in C++.

Course Outline

  1. Introduction and what specs exist?
  2. Undefined Behavior & Compiler Optimizations
  3. The anatomy of a Stack Buffer Overflow shellcode (on Linux)
  4. Exploration of simple Exploitation Techniques
  5. Introduction to Compilers, Static Analysis, Sanitizers and Fuzzers
  6. Exploitable Programming Constructs: Memory I
  7. Exploitable Programming Constructs: Memory II
  8. Exploitable Programming Constructs: Numbers
  9. Secure Programming Practices in C++: Prefer C++ to C
  10. Secure Programming Practices in C++: Resource Management
  11. Secure Programming Practices in C++: Avoid the Pitfalls
  12. Secure Programming Practices in C++: Functionality
  13. Insecure Coding 101

Vulnerabilities Covered

  1. Stack Buffer Overflow (CWE-121)
  2. Heap Buffer Overflow (CWE-122)
  3. Buffer Underflow (CWE-124)
  4. Use After Free (CWE-416)
  5. Double Free (CWE-415)
  6. Unsigned Integer Wraparound (CWE-190)
  7. Signed Integer Overflow (CWE-190)
  8. Numeric Truncation (CWE-197)
  9. Incorrect Type Conversion (CWE-704)
  10. Uncontrolled Format String (CWE-134)

Tools and Techniques

  • Exploitation: Stack Overflow Exploit, Return Oriented Programming and Format String Exploit
  • Vulnerability Mitigation: Static Analysis, Warnings, Sanitizers and Fuzzers
  • Platform Mitigation: Stack Canaries, Address Space Layout Randomization (ASLR), Non-executable memory

Computer Setup

All attendees will need to bring their own laptops. The individual work will be done in https://cyber-dojo.org, so only a computer with a browser is required. Some work might be done on the trainer's computer.


Patricia Aas

Patricia Aas is an international speaker and has spoken at CppCon, ACCU, C++OnSea, NDC Security, NDC Oslo and many other conferences on subjects ranging from Sandboxing in Chromium to Vulnerabilities in C++. She has taught a range of subjects in Computer Science at the University of Oslo. Patricia has a master's degree in Computer Science and 13 years of professional experience as a programmer, most of that time programming in C++. During that time she has worked in codebases with a high focus on security: two browsers (Opera and Vivaldi) and embedded Cisco telepresence systems.