Secure Coding in C and C++

PT20463
Summary
This four-day course provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation. The course concentrates on security issues intrinsic to the C and C++ programming languages and associated libraries. The intent is for this course to be useful to anyone involved in developing secure C and C++ programs regardless of the specific application. We teach developers to identify common security flaws including:
  • Buffer overflows
  • Integer overflow
  • Dangerous compiler optimizations
  • Race conditions
  • Memory management errors
  • Logical errors
  • Invalid assumptions
For each of these security flaws, we demonstrate specific remediation techniques as well as general secure coding practices that help prevent the introduction of vulnerabilities. Participants should come away from the course with a working knowledge of common programming errors that lead to software vulnerabilities, how these errors can be exploited, and effective mitigation strategies for preventing the introduction of these errors. Moreover, the course encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow’s attacks, not just today’s. The duration and content of this course can be customized to any organization’s needs; including an optional fifth day focused on developing multi-threaded, data race-free programs.
Prerequisites
The course assumes basic C and C++ programming skills, but does not assume an in-depth knowledge of software security. The ideas presented apply to various development environments, but the examples are specific to Microsoft Visual Studio and Linux/GCC and the 32-bit Intel Architecture. Material in this presentation was derived from the Addison-Wesley books Secure Coding in C and C++ and The CERT C Secure Coding Standard.
Duration
4 Days/Lecture & Lab
Audience
This course will be useful to anyone involved in developing secure C and C++ programs regardless of the specific application.
Topics
  • Improve the overall security of any C or C++ application
  • Thwart buffer overflows and stack-smashing attacks that exploit insecure string manipulation logic
  • Dangerous compiler optimizations and how to avoid and detect them
  • Avoid vulnerabilities and security flaws resulting from the incorrect use of dynamic memory management functions
  • Eliminate integer-related problems: integer overflows, sign errors, and truncation errors
  • Correctly use formatted output functions without introducing format-string vulnerabilities
  • Avoid I/O vulnerabilities, including race conditions
  • Optional: Writing data race-free code using C11, C++11, Cilk Plua C++11,CilkPlus, and OpenMP

Related Scheduled Courses