Main Menu
My Infosec
Main Menu
My Infosec

Secure Coding for C/C++ Training

Learn the most common programming bugs and their practical mitigation techniques through hands-on exercises that allow full understanding of the root causes of security problems.

Award Winning Training

For 17 years InfoSec has been one of the most awarded and trusted IT training vendors - 42 industry awards!

Analysts Recommended

IDC lists InfoSec Institute as Major Player in their Security Training Vendor Assessment.

C/C++ Secure Coding Course Overview

InfoSec Institute’s Secure Coding in C/C++ two day Intense Course provides in-depth coverage of common security vulnerabilities related to C/C++ programming bugs and explains practical mitigation techniques. It also includes hands-on exercises that allow full understanding of the root causes of security problems.

Secure Coding in C/C++ Course Description

InfoSec Institute’s Secure Coding in C/C++ Course explains in detail the mechanisms underlying typical C/C++ security relevant programming bugs – the common security vulnerabilities. The root causes of the problems are explained through a number of easy-to-understand source code examples, which depicts clearly how to find and correct these problems in practice. The real strength of the course lays in numerous hands-on exercises, which help the participants understand how easy it is to exploit these vulnerabilities by the attackers.

The course also gives an overview of practical protection methods that can be applied at different levels (hardware components, operating systems, programming languages, the compiler, the source code or in production) to prevent the occurrence of the various bugs, to detect them during development and before market launch, or to prevent their exploitation during system operation. Through exercises specially tailored to these mitigation techniques participants can learn how simple it is to get rid of various security problems.

Our classroom trainings come with a number of easy-to-understand exercises providing live hacking fun. By accomplishing these exercises with the lead of the trainer, participants can analyze vulnerable code snippets and commit attacks against them in order to fully understand the root causes of certain security problems. All exercises are prepared in a plug-and-play manner by using a pre-set desktop virtual machine, which provides a uniform development environment.

Secure Coding in C/C++ Course Objectives

InfoSec Institute’s Secure Coding in C/C++ Course offers you two days of training with a real C/C++ Security expert. Our experts have extensive C/C++ development experience as well as years of experience performing security code reviews. Upon completing our Secure Coding in C/C++ Course will provide you with valuable knowledge and skills including the ability to:

  • Understand basic concepts of security, IT security and secure coding
  • Realize the severe consequences of non-secure buffer handling
  • Understand the architectural protection techniques and their weaknesses
  • Learn about typical coding mistakes and how to avoid them
  • Be informed about recent vulnerabilities in various platforms, frameworks and libraries

Who Should Attend:

C/C++ developers, software architects and testers

The courses below are excellent follow-on classes:

  • Secure Coding in Java
  • Secure Coding in .NET
  • Secure Coding for Android Platform

View Pricing

We will never share any of your information, spam you or annoy you with pushy sales pitches.

Award-Winning Training

The C/C++ Secure Coding Experience

During the two (2) Day program, our instructors give you 110% of their time and dedication to ensure that your time is well spent. You will receive an all-inclusive immersion experience by receiving your hotel stay and most meals during your training experience; therefore you eat, sleep and train at the learning facility with no distractions!

Program Content Outline

  • IT security and secure coding
    • Nature of security
    • IT security related terms
    • Definition of risk
    • IT security vs. secure coding
    • From vulnerabilities to botnets and cyber crime
      • — Nature of security flaws — Reasons of difficulty — From an infected computer to targeted attacks
    • Classification of security flaws
      • — Landwehr’s taxonomy — The Fortify taxonomy — The Seven Pernicious Kingdoms — OWASP Top Ten 2013 — Landwehr’s taxonomy — The Fortify taxonomy — The Seven Pernicious Kingdoms — OWASP Top Ten 2013
  • Security relevant C/C++ programming bugs and flaws
    • Exploitable security flaws
    • Protection principles
      • — Specific protection methods — Protection methods at different layers — The PreDeCo matrix of software security
    • x86 machine code, memory layout, stack operations
      • — Intel 80×86 Processors – main registers — Intel 80×86 Processors – most important instructions — Intel 80×86 Processors – flags — Intel 80×86 Processors – control instructions — Intel 80×86 Processors – stack handling and flow control — The memory address layout — The function calling mechanism in C/C++ on x86 — Calling conventions — The local variables and the stack frame — Function calls – prologue and epilogue of a function — Stack frame of nested calls — Stack frame of recursive functions
  • Buffer Overflow
    •  Stack overflow
      • — Buffer overflow on the stack — Overwriting the return address — Exercise BOFIntro — Exercise BOFShellcode o Protection against stack overflow — Stack overflow – Prevention (during development) — Stack overflow – Detection (during execution) o Stack smashing protection — Stack smashing protection variants — Stack smashing protection in GCC — Exercise BOFShellcode – Stack smashing protection — Effects of stack smashing protection — Bypassing stack smashing protection – an example — Stack overflow – Anti-exploit techniques o Address Space Layout Randomization (ASLR) — Stack randomization with ASLR — Using ASLR — Circumventing ASLR: NOP sledding — Exercise BOFASLR – Circumventing ASLR with NOP sledging o Non executable memory areas – the NX bit — Protection through Virtual Memory Management — Access Control on memory segments — The Never eXecute (NX) bit — Exercise BOFShellcode – Enforcing NX memory segments o Return-to-libc attack – Circumventing the NX bit — Arc injection / Return-to-libc attack — Exercise BOFShellcode – The Return-to-libc attack — Multiple function calls with return-to-libc o Return oriented programming (ROP) — Exploiting with ROP — ROP gadgets — Combining the ROP gadgets — Exercise BOFROP
    • Heap overflow
      • — Memory allocation managed by a doubly-linked list — Buffer overflow on the heap — Steps of freein g and joining memory blocks — Freeing allocated memory blocks — TLS Heartbeat Extension — Heartbleed – a simple explanation — Heartbleed – fix in v1.0.1g — Protection against heap overflow
  • Common Coding Errors & Vulnerabilities
    • Input validation
      • — Input validation concepts — Integer problems — Representation of negative integers — Integer ranges — Integer representation by using the two’s complement — The integer promotion rule in C/C++ — Arithmetic overflow – spot the bug! — Exercise IntOverflow — So why ABS(INT_MIN)==INT_MIN? — Signedness bug – spot the bug! — Widthness integer overflow – spot the bug! — Exercise Board — A case study – Android Stagefright — Stagefright – a quick introduction — Some Stagefright code examples – spot the bugs! — Integer problem mitigation — Avoiding arithmetic overflow – addition — Avoiding arithmetic overflow – multiplication — Dealing with signed/unsigned integer promotion — Safe integer handling in C — The SafeInt class for C++ — Printf format string bug — Printf format strings — Printf format string bug – exploitation — Exercise Printf — Printf format string exploit – overwriting the return address — Mitigation of printf format string problem — Mitigation of Printf format string problem — Some otherinput validation problems — Array indexing – spot the bug! — The Unicode bug — Directory Traversal Vulnerability — Shellshock – basics of using functions in bash — Shellshock – vulnerability in bash — Exercise – Shellshock — Shellshock fix and counterattacks — Exercise – Command override with environment variables o Improper use of security features — Problems related to the use of security features — Insecure randomness — Week PRNGs in C — Stronger PRNGs in C and Linux — Hardware-based RNGs — Password management — Exercise – Google cracking — Password management and storage — Special purpose hash algorithms for password storage — BDKDF2 and bcrypt implementations in C/C++ — Some other typical password management problems
    • Improper error and exception handling
      • — Typical problems with error and exception handling — Empty catch block — Overly broad catch — Exercise ErrorHandling – spot the bug! 
    • Time and state problems
      • — Time and state related problems — Serialization errors (TOCTTOU) — Attacks with symbolic links — Exercise TOCTTOU  
    • o Code quality problems
      • — Dangers arising from poor code quality — Poor code quality – spot the bug! — Unreleased resources — Type mismatch – Spot the bug! — Exercise TypeMismatch
  • Advice and Principles
    • Matt Bishop’s principles of robust programming
    • The security principles of Saltzer and Schroeder
  • Knowledge Sources
    • Vulnerability databases
    • Secure coding sources – a starter kit

Book your course

    What Our Students Are Saying

    Without any question, InfoSec has the most gifted individual instructors. Our instructor for this class was both an excellent educator and a premier/world class security expert. He was able to clearly explain and impart to the students, the most complicated security techniques I have ever heard of or imagined. I simply can not find the words to recommend him and Infosec security training more highly.
    JH

    John Hollan GE

    Advanced Ethical Hacking Training Boot Camp

    Career Tracks

    • IT Audit Track

      The IT Audit track goes through all aspects of IT Auditing. Our goals with this set of courses is to create the most complete Security Auditor an organization could wish for.
    Ready to get started? Get instant pricing for this award-winning boot camp. View course pricing
    View instant course pricing