(In)Security in C++
Training aimed at providing a foundation for C++ programmers in security for native applications.

(In)Security in C++
Secure Coding Practices in C++
The training will provide its students with:
- vocabulary to understand reported vulnerabilities
- knowledge on how to receive vulnerability reports professionally
- knowledge on how to use tools to find and fix vulnerabilities in their own code
- knowledge on how to design a more secure product
- knowledge on how to design a CI/CD pipeline that will improve the security of their own codebase
Practical information
The training can be done both remotely and on-site. When done remotely this setup is used:
- Audio/Video - Zoom + Zoom Breakout Rooms: Can be attended from a browser or a Zoom client
- Chat - Slack: Will be setup a week in advance to facilitate resolving of any technical issue
- Exercises - Cloud VMs and a Cyber Dojo cloud instance: guarantees same environment
This training is explicitly targeted at C++ developers, though C developers will also benefit.
Goals of the training
- Demystify exploitation, show that exploitation is a mindset, not a set of techniques
- Demonstrate the motivation for mitigations in the platforms, languages and tools
- Show that C++ and C are not easy to reason about
- Teach the students to recognize constructs that have a higher risk of having vulnerabilities
- Teach the students to which tools can be used to find bugs before others find them
- Teach the students about tools they can use locally while coding
- Teach the students about tools they can integrate in their CI/CD pipeline
- Help them think about how security fits into the team context
- Help them view their application in a new ways
Four day training
Day 1 - Introduction, Fuzzing and Numbers
- Introduction: Training
- Introduction: Specs
- Introduction: Tooling
- Introduction: UB and Compiler Optimizations
- Exploit: Heartbleed
- Theory: Fuzzing (on Linux)
- Exploitable: Numbers
Day 2 - Stack Buffer Overflow, Shellcode, Reverse Engineering and Sandboxing on Linux
- Mitigations: Stack Buffer Overflow
- Exploit: Shellcode 1 (on Linux)
- Exploit: Shellcode 2 (on Linux)
- Theory: Reverse Engineering
- Theory: Linux Sandboxing (Examples from Chromium)
Day 3 - Return Oriented Programming, Format String Vulnerabilities, Good Practices and Security Culture
- Exploit: Return Oriented Programming (ROP)
- Exploit: Format Strings (on Linux)
- Practice: Avoid the Pitfalls
- Practice: Functionality
- Practice: Resource Management
- Exploitable: Modern C++
- Discussion: Security Culture
- Practice: Make It Fixable
Day 4 - Memory, Heap Exploitation and Conclusion
- Theory: Memory Managers (on Linux)
- Theory: Heap Exploitation
- Exploitable: Memory 1
- Exploitable: Memory 2
- Exploit: Eternal Exploits
- Mitigations: Memory
- Practice: Prefer C++ to C
- Practice: I’d Really Rather You Didn’t
- Practice: 6 Hacks for Dev[Sec]Ops
- Discussion: Conclusion