Secure Coding in C and C++

Secure Coding Training in C and C++ is a four-day course that provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation. This course concentrates on security issues intrinsic to the C and C++ programming languages and associated libraries.

This course teaches developers to identify common security flaws including:

• Buffer overflows
• Integer overflow
• Dangerous compiler optimizations
• Race conditions
• Memory management errors
• Logical errors
• Invalid assumptions

For each of these security flaws, we demonstrate specific remediation techniques as well as general secure coding practices that help prevent the introduction of vulnerabilities.

This course will be useful to anyone involved in developing secure C and C++ programs regardless of the specific application.

Learning Objectives

Participants should come away from the course with a working knowledge of common programming errors that lead to software vulnerabilities, how these errors can be exploited, and effective mitigation strategies for preventing the introduction of these errors.

In particular, participants will learn how to:

• Improve the overall security of any C or C++ application
• Thwart buffer overflows and stack-smashing attacks that exploit insecure string manipulation logic
• Dangerous compiler optimizations and how to avoid and detect them
• Avoid vulnerabilities and security flaws resulting from the incorrect use of dynamic memory management functions
• Eliminate integer-related problems: integer overflows, sign errors, and truncation errors
• Correctly use formatted output functions without introducing format-string vulnerabilities
• Avoid I/O vulnerabilities, including race conditions

Moreover, the course encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow’s attacks, not just today’s.

Prerequisites

The course assumes basic C and C++ programming skills, but does not assume an in-depth knowledge of software security. The ideas presented apply to various development environments, but the examples are specific to Microsoft Visual Studio and Linux/GCC and the 32-bit Intel Architecture. Material in this presentation was derived from the Addison-Wesley books Secure Coding in C and C++ and The CERT C Secure Coding Standard.

Required Equipment

Students must bring a personal computer equipped with the following:

• 4GB or greater of free hard disk space
• USB port
• Adobe Reader
• Oracle VM VirtualBox
• A Zip decompression utility, such as WinZip or 7-zip

Students are also encouraged to bring their own C and C++ programming language development environments (compiler, editor, etc.), such as Microsoft Visual Studio, Xcode, GCC, or Clang.

Trainer

Robert C. Seacord is a Principal Security Consultant with NCC Group where he works with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. Previously, Robert led the secure coding initiative in the CERT Division of Carnegie Mellon University’s Software Engineering Institute (SEI). Robert is also an adjunct professor in the School of Computer Science and the Information Networking Institute at Carnegie Mellon University. Robert is the author of six books, including The CERT C Coding Standard, Second Edition (Addison-Wesley, 2014) Secure Coding in C and C++, Second Edition (Addison-Wesley, 2013), and Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs (Addison-Wesley, 2014). Robert is on the Advisory Board for the Linux Foundation and an expert on the ISO/IEC JTC1/SC22/WG14 international standardization working group for the C programming language.