Secure Coding in C and C++
20 hours over 10 weeks (1 two-hour meeting per week)
Writing secure code in C, C++. Vulnerabilities based on strings,
pointers dynamic memory management, integer arithmetic, formatted
output, file I/O. Attack modes such as (stack and heap based) buffer
overflow and format string exploits. Recommended practices.
Course Learning Objective:
Get student to avoid security pitfalls when writing C and C++ code.
Introduction: 1. Risk Analysis, 2. Security
Concepts, 3. C and C++, 4. Platforms; Strings: 1. Common
String Manipulation Errors, 2. String Vulnerabilities, 3. Process
Memory Organization, 4. Stack Smashing, Code Injection, Arc Injection,
5. Mitigation Strategies; Pointer Subterfuge: 1. Data Locations, 2.
Function Pointers, 3. Data Pointers, 4. Modifying the Instruction
Pointer, 5. Global Offset Table, 6. The .dtors Section, 7. Virtual
Pointers, 8. atexit(), on-exit(), longjmp(), 9. Exception Handling, 10.
Mitigation Strategies; Dynamic Memory Management; Integer Security;
Formatted Output; File I/O; Recommended Practices
Method of Instruction:
Homework: Detecting and repairing flawed open source code. Mutual
self-evaluation of code, followed by instructor evaluation of
code. Final Exam.
| © 2006 Center for
Advanced Study and Practice of
Information Assurance (CASPIA), Santa Clara University