DEV543: Secure Coding in C & C++
The C and C++ programming languages are the bedrock for most operating systems, major network services, embedded systems and system utilities. Even though C and, to a lesser extent, C++ are well-understood languages, the flexibility of the languages and inconsistencies in the standard C libraries have led to an enormous number of discovered vulnerabilities over the years. The unfortunate truth is that there are probably more undiscovered vulnerabilities than there are known vulnerabilities!
This course will cover all of the most common programming flaws that affect C and C++ code. The course will specifically cover the issues identified by the GSSP (GIAC Secure Software Programmer) blueprint for C/C++ with some additional items from the CERT Secure Coding Standard. Each issue is described clearly with examples. Throughout the course students are asked to identify flaws in modern versions of common open-source software to provide hands-on experience identifying these issues in existing code. Exercises also require students to provide secure solutions to coding problems in order to demonstrate mastery of the subject.
- Off-by-one errors
- Problems with null-terminated byte strings (NTBSs)
- Causes of buffer overflows
- Causes of heap overflows
- Common memory management errors
- Integer promotion standards
- Side effects of integer promotions
- Common integer errors
- Common semaphore issues
- File I/O errors
- Review process for identifying coding errors
A computer system running any operating system is required. If Windows is in use, VMware Player will be provided on the course DVD to allow the student to run the virtual machines. If you are running Linux or OS X, please come prepared with either VMware Player, VMware Workstation, or VMware Fusion pre-installed.
The actual computer must have a DVD drive, at least 6 GB of free hard disk space, and at least 2 GB of RAM. Neither wireless nor a working Ethernet connection is necessary for the class.
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
*CPE/CMU credits not offered for the SelfStudy delivery method