Secure Coding in C and C++
Course Length:
20 hours over 10 weeks (1 two-hour meeting per week)
Course Description:
Writing secure code in C and C++. Vulnerabilities based on strings,
pointers, dynamic memory management, integer arithmetic, formatted
output, and file I/O. Attack modes such as stack- and heap-based buffer
overflows and format string exploits. Recommended practices.
Course Learning Objective:
Enable students to avoid security pitfalls when writing C and C++ code.
Major Topics:
Introduction:
  1. Risk Analysis
  2. Security Concepts
  3. C and C++
  4. Platforms
Strings:
  1. Common String Manipulation Errors
  2. String Vulnerabilities
  3. Process Memory Organization
  4. Stack Smashing, Code Injection, Arc Injection
  5. Mitigation Strategies
Pointer Subterfuge:
  1. Data Locations
  2. Function Pointers
  3. Data Pointers
  4. Modifying the Instruction Pointer
  5. Global Offset Table
  6. The .dtors Section
  7. Virtual Pointers
  8. atexit(), on_exit(), longjmp()
  9. Exception Handling
  10. Mitigation Strategies
Dynamic Memory Management
Integer Security
Formatted Output
File I/O
Recommended Practices
Method of Instruction:
Lecture
Evaluation Methods:
Homework: Detecting and repairing flawed open source code. Mutual
self-evaluation of code, followed by instructor evaluation of
code. Final Exam.