Producing secure programs requires secure designs. However, even the best designs can lead to insecure programs if developers are unaware of the many security pitfalls inherent in C and C++ programming. This four-day course provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation. The course concentrates on security issues intrinsic to the C and C++ programming languages and associated libraries. The intent is for this course to be useful to anyone involved in developing secure C and C++ programs regardless of the specific application.
Please note: you must bring a laptop computer equipped with the latest version of Adobe Reader and VMware Player. See the Prerequisites section for download information.
The course assumes basic C and C++ programming skills but does not assume an in-depth knowledge of software security. The ideas presented apply to various development environments, but the examples are specific to Microsoft Visual Studio and Linux/GCC and the 32-bit Intel Architecture (IA-32). Material in this presentation was derived from the Addison-Wesley books Secure Coding in C and C++ and The CERT C Secure Coding Standard.
This course is designed for C and C++ developers.
Subjects covered in the first two days are general, but examples are taken from both the Microsoft Visual Studio and GCC compilers on Windows and Linux platforms. Course material on integers uses examples from the IA-32 architecture.
The third and fourth days of the course focus on POSIX platforms. Doug Lea's malloc (dlmalloc) is used to demonstrate exploits in the Linux environment, while the file I/O sections focus on UNIX and the UNIX file system (UFS).
An online demonstration version of the integer module of this course can be accessed at http://oli.web.cmu.edu. Enter the course key: scodedemo.
Participants should come away from this course with a working knowledge of common programming errors that lead to software vulnerabilities, how these errors can be exploited, and effective mitigation strategies for preventing the introduction of these errors. In particular, participants will learn how to
Moreover, this course encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow's attacks, not just today's.
It is recommended that participants have a basic to intermediate understanding of the C and C++ programming languages. Software security knowledge or experience is not required.
Students must bring a personal computer equipped with
The following items are optional. We provide them, but the student is free to substitute their own if they wish:
On the first day of the course, the instructor will provide the attendees with a DVD with the software and course exercises to download on their computers. The instructor will also provide instructions on using the Rosebud Virtual Machine (VM) from the DVDs. The DVD also contains Microsoft Visual Studio Express 2010, and students may use it to do the exercises if they wish (it is not required). Microsoft provides the download free at: http://www.microsoft.com/express/Downloads/.
The Secure Coding in C and C++, Second Edition and The CERT® C Coding Standard, Second Edition: 98 Rules for Developing Safe, Reliable, and Secure Systems (2nd Edition) books authored by Robert C. Seacord and published by Addison-Wesley will be provided. Participants will also receive a CD containing course and reference materials.
This four-day class meets at the following times:
Days 1-4, 9:00 a.m. - 5:00 p.m. (U.S. Locations)
Days 1-4, 9:30 a.m. - 5:30 p.m. (non-U.S. Locations)