Workshop: (In)Security in C++
The course teaches C++ developers fundamental concepts from Exploit Development and Reverse Engineering, and uses these concepts to demonstrate common vulnerabilities in C++ codebases. This background is used to help the students to view their code from an attacker’s perspective. They develop a sense of what common vulnerable constructs in C++ look like, and also which tools can help them find different types of vulnerabilities in their existing code bases.
Attendees can expect to gain
- A basic understanding of the mindset of an exploit developer
- An understanding of assembly
- Good grasp of tooling that can be used to find vulnerable constructs
- Good idea of things to look for in code reviews
- Good overview of Secure Coding Practices in C++
Secure Coding Practices
The Secure Coding Practices taught are largely based on the C++ Core Guidelines, the Common Weakness Enumeration (CWE) and the SEI CERT Coding Standards for C++.
The attendees are assumed to be proficient in C++.
- Introduction and what specs exist?
- Undefined Behavior & Compiler Optimizations
- The anatomy of a Stack Buffer Overflow shellcode (on Linux)
- Exploration of simple Exploitation Techniques
- Introduction to Compilers, Static Analysis, Sanitizers and Fuzzers
- Exploitable Programming Constructs: Memory I
- Exploitable Programming Constructs: Memory II
- Exploitable Programming Constructs: Numbers
- Secure Programming Practices in C++: Prefer C++ to C
- Secure Programming Practices in C++: Resource Management
- Secure Programming Practices in C++: Avoid the Pitfalls
- Secure Programming Practices in C++: Functionality
- Insecure Coding 101
- Stack Buffer Overflow (CWE-121)
- Heap Buffer Overflow (CWE-122)
- Buffer Underflow (CWE-124)
- Use After Free (CWE-416)
- Double Free (CWE-415)
- Unsigned Integer Wraparound (CWE-190)
- Signed Integer Overflow (CWE-190)
- Numeric Truncation (CWE-197)
- Incorrect Type Conversion (CWE-704)
- Uncontrolled Format String (CWE-134)
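As an added illustration of two of the items above, Unsigned Integer Wraparound (CWE-190) turning into a Heap Buffer Overflow (CWE-122), here is a constructed example that is not part of the workshop material. The record format, the function names and the sample inputs are all assumptions made for the demonstration; the point is that the vulnerable check and the hardened check differ by a single reordering of the comparison.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical wire record: the sender chooses where in a fixed receive
// buffer its payload lands. Constructed for this example.
struct Record {
    uint32_t offset;               // where to write in the receive buffer
    uint32_t len;                  // number of payload bytes
    std::vector<uint8_t> payload;  // the bytes themselves
};

// CWE-190: offset + len is computed in uint32_t and wraps modulo 2^32, so an
// offset near UINT32_MAX plus a small len looks "in range". The memcpy it
// guards then becomes a heap buffer overflow (CWE-122).
bool vulnerable_range_ok(uint32_t offset, uint32_t len, uint32_t buf_size) {
    return offset + len <= buf_size;
}

// Hardened: compare each operand against buf_size before combining them, so
// no expression can wrap. buf_size - offset cannot underflow once
// offset <= buf_size holds.
bool hardened_range_ok(uint32_t offset, uint32_t len, uint32_t buf_size) {
    return offset <= buf_size && len <= buf_size - offset;
}

// Copies rec.payload into dst[offset, offset + len) if range_ok accepts it.
// Returns false, copying nothing, when the check (or a short payload) rejects it.
bool copy_record(std::vector<uint8_t>& dst, const Record& rec,
                 bool (*range_ok)(uint32_t, uint32_t, uint32_t)) {
    if (!range_ok(rec.offset, rec.len, static_cast<uint32_t>(dst.size())))
        return false;
    if (rec.payload.size() < rec.len)   // sender lied about the length
        return false;
    std::memcpy(dst.data() + rec.offset, rec.payload.data(), rec.len);
    return true;
}

// Constructed inputs: one honest record and one whose offset + len wraps.
Record honest_record() { return Record{8, 4, {1, 2, 3, 4}}; }
Record wrapping_record() {
    return Record{0xFFFFFFF0u, 0x20u, std::vector<uint8_t>(0x20, 0xAA)};
}

// Copies the honest record under the hardened check into a 64-byte buffer
// and returns the byte that landed at dst[8] (1), or -1 if it was rejected.
int demo_honest_copy() {
    std::vector<uint8_t> dst(64, 0);
    if (!copy_record(dst, honest_record(), hardened_range_ok)) return -1;
    return dst[8];
}

// Returns true when the hardened check rejects the wrapping record, i.e. the
// memcpy never runs. The vulnerable check would accept it; under ASan the
// resulting memcpy is reported as a heap-buffer-overflow.
bool demo_wrapping_rejected() {
    std::vector<uint8_t> dst(64, 0);
    return !copy_record(dst, wrapping_record(), hardened_range_ok);
}

int main() {
    const Record evil = wrapping_record();
    std::printf("vulnerable check accepts wrapped record: %d\n",
                vulnerable_range_ok(evil.offset, evil.len, 64));   // 1
    std::printf("hardened check accepts wrapped record:   %d\n",
                hardened_range_ok(evil.offset, evil.len, 64));     // 0
    std::printf("honest copy landed byte %d at dst[8]\n", demo_honest_copy());
    return 0;
}
```

Note that `-fsanitize=undefined` will not flag the vulnerable check, because unsigned wraparound is defined behaviour in C++; clang's `-fsanitize=unsigned-integer-overflow` does report it, and `-fsanitize=address` reports the out-of-bounds `memcpy` that follows. A fuzzer feeding records into `copy_record` with the vulnerable check finds the wrapping offset quickly for the same reason.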
Tools and Techniques
- Exploitation: Stack Overflow Exploit, Return Oriented Programming and Format String Exploit
- Vulnerability Mitigation: Static Analysis, Warnings, Sanitizers and Fuzzers
- Platform Mitigation: Stack Canaries, Address Space Layout Randomization (ASLR), Non-executable memory
All attendees will need to bring their own laptops. The individual work will be in https://cyber-dojo.org so only a computer with a browser is required. Some work might be done on the trainer's computer.
Patricia Aas is an international speaker and has spoken at CppCon, ACCU, C++OnSea, NDC Security, NDC Oslo and many other conferences on subjects ranging from Sandboxing in Chromium to Vulnerabilities in C++. She has taught a range of subjects in Computer Science at the University of Oslo. Patricia has a master's degree in Computer Science and 13 years of professional experience as a programmer, most of that time programming in C++. During that time she has worked in codebases with a high focus on security: two browsers (Opera and Vivaldi) and embedded Cisco telepresence systems.