Loading...

Course Description

This course is the continuation of SEC520 - Cyber Secure Coding With C++.

Producing secure programs requires secure designs. The best software design can lead to insecure programs if developers are unaware of the security pitfalls inherent in programming. This three-day course provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation. This course will cover topics and techniques for development of secure C++ programs. Topics will range the gamut from high level security and risk concepts and design strategies to low-level memory access exploitation and injection attacks. General secure development approaches applicable to any language will be discussed, but the course will also focus on C++-specific techniques and pitfalls to avoid. Topics include string management, dynamic memory management, integer security, formatted output, and file I/O. 

This course is designed for a developer or architect who is looking for an understanding of today's best practices in secure software development

Course Outline

Memory Access Errors

  • Principle: Bounded data sequences
  • Stack overflow attacks
  • Heap overflow attacks
  • Array indexing attacks
  • Format string attacks
  • Unsafe vs. safe APIs (and standard-compliance issues)
  • C++ safer alternatives to C-style pointer buffers
  • Runtime checks (e.g., checked STL implementation)

Integer Overflows

  • Compiler safeguards and static checking tools
  • Principle: Be explicit with numeric subranges
  • Integer and floating point overflows
  • Two's complement and signed vs. unsigned issues
  • The danger of implicit casting rules
  • Safe integer libraries
  • Compiler safeguards

Input Validation and Injection Attacks

  • Principle: Data vs. code and the importance of grammars
  • Principle: Untrusted vs. trusted data
  • Blacklist vs. whitelist approach
  • Dangers in data type conversions
  • Regular expression: sometimes helpful, sometimes dangerous
  • Parser generators
  • Escaping/Quoting data
  • Attack scenario: SQL injection

Secure File Handling

  • Principle: Input validation (carryover)
  • Filename canonicalization (incl. directory traversal & symbolic link attacks)
  • Principle: Least privilege & self-constraint
  • File permissions and ACLs
  • Danger of shared directories
  • Timing attacks and fsync
  • Closing files when no longer needed
  • Chroots and other process namespace restrictions

Cryptography in C/C++

  • High-level crypto pieces: ciphers, public key crypto, hashes, HMACs, KDFs & PRNGs
  • How NOT to use cryptography!
  • The importance of good randomness sources
  • Vetted, widely-used crypto protocols (e.g., transport, storage, etc.)
  • Respected crypto libraries & tools
  • Attack scenario: Weak homebrew encryption

Additional Information

Applies Towards the Following Certificates

Prerequisites

SEC520 - Cyber Secure Coding With C++

Duration

2 Days | 4 Nights

Applies Towards the Following Certificates

Loading...
Enroll Now - Select a section to enroll in
Section Title
Cyber Secure Coding with C++, Advanced
Type
Instructor-Led
Days
M, W
Time (Central Time)
5:00PM to 8:00PM
Dates
Nov 07, 2022 to Nov 16, 2022
Schedule and Location
# of Course Hours
12.0
Delivery Option
Course Fee(s)
Rate non-credit $1,325.00
Potential Discount(s)
Required fields are indicated by .
*Academic Unit eligibility to be determined by college/university in which you are enrolled in a degree seeking program.