
Course Description

Producing secure programs requires secure designs, yet even the best software design can lead to insecure programs if developers are unaware of the security pitfalls inherent in programming. This three-day course provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation. It covers topics and techniques for developing secure C++ programs, running the gamut from high-level security and risk concepts and design strategies to low-level memory access exploitation and injection attacks. General secure development approaches applicable to any language will be discussed, but the course will also focus on C++-specific techniques and pitfalls to avoid. Topics include string management, dynamic memory management, integer security, formatted output, and file I/O.

This course is designed for a developer or architect who is looking for an understanding of today's best practices in secure software development.

Course Outline

 

  • Introductory Topics and Principles
    • Security during the entire application lifecycle 
    • Security assumptions 
    • Thinking like an attacker 
    • Security is always a trade-off: Contemplating risk 
    • Principles of complexity and self-constraint 
    • Principle of segmentation 
    • Principle of least privilege 
    • Principle of trusted/untrusted code 
    • Failing securely 
    • Layering security 
    • Design level attacks 
    • Implementation level attacks 
    • Deployment level attacks 
  • Memory Access Errors
    • Principle: Bounded data sequences 
    • Stack overflow attacks 
    • Heap overflow attacks 
    • Array indexing attacks 
    • Format string attacks 
    • Unsafe vs. safe APIs (and standard-compliance issues) 
    • C++ safer alternatives to C-style pointer buffers 
    • Runtime checks (e.g., checked STL implementation) 
  • Integer Overflows
    • Compiler safeguards and static checking tools 
    • Principle: Be explicit with numeric subranges 
    • Integer and floating point overflows 
    • Two's complement and signed vs. unsigned issues 
    • The danger of implicit casting rules 
    • Safe integer libraries 
    • Compiler safeguards 
  • Input Validation and Injection Attacks
    • Principle: Data vs. code and the importance of grammars 
    • Principle: Untrusted vs. trusted data 
    • Blacklist vs. whitelist approach 
    • Dangers in data type conversions 
    • Regular expression: sometimes helpful, sometimes dangerous 
    • Parser generators 
    • Escaping/Quoting data 
    • Attack scenario: SQL injection 
  • Secure File Handling
    • Principle: Input validation (carryover) 
    • Filename canonicalization (incl. directory traversal & symbolic link attacks) 
    • Principle: Least privilege & self-constraint 
    • File permissions and ACLs 
    • Danger of shared directories 
    • Timing attacks and fsync 
    • Closing files when no longer needed 
    • Chroots and other process namespace restrictions 
  • Cryptography in C/C++
    • Intro to cryptography: Actors, Communication & Secrets 
    • High-level crypto pieces: ciphers, public key crypto, hashes, HMACs, KDFs & PRNGs 
    • How NOT to use cryptography! 
    • The importance of good randomness sources 
    • Vetted, widely-used crypto protocols (e.g., transport, storage, etc.) 
    • Respected crypto libraries & tools 
    • Attack scenario: Weak homebrew encryption

Prerequisites

The course assumes basic C and C++ programming skills but does not assume an in-depth knowledge of software security. CLA200 – Programming in C++ or equivalent experience is required. 

Duration

3 Days | 6 Nights

Section Title: Cyber Secure Coding with C++
Type: Instructor-Led
Days: M, W
Time: 5:00PM to 8:00PM
Dates: Oct 11, 2021 to Oct 27, 2021
# of Course Hours: 18.0
Course Fee(s): Rate non-credit $2,295.00
*Academic Unit eligibility to be determined by college/university in which you are enrolled in a degree seeking program.