Workshop: Secure Coding in C (and C++)

A two day course for experienced C and C++ programmers

Programming is hard. Writing correct C and C++ is particularly hard. Even mature codebases developed and maintained by dedicated professionals usually contain lots of bugs and security vulnerabilities. Many of these issues could have been avoided if programmers had a better understanding of the limitations and potential of the C programming language. The key is to accept that C is not really a high-level language; it is often better to think about it as just a portable assembler (and this is to some extent also true for C++).

The course is aimed at experienced C and C++ programmers who would like to further deepen their understanding and knowledge of the C programming language (*). Throughout the course we will refer to what the C standard says and try to understand what modern compilers are allowed to do, and often will do, when optimizing and/or porting code to different architectures. We will discuss gotchas introduced by the preprocessor, details on how expressions are evaluated, proper declaration and initialization, the memory model, object lifetimes, input/output, type conversions, how to correctly think about strings, arrays and pointers, and much more. We will also discuss and demonstrate typical security vulnerabilities and exploits, and we will learn about mitigation techniques and available security defence mechanisms. In addition to lectures there will be some exercises with a focus on techniques and best practices for writing solid and secure code.

(*) Except for a few topics, most of the issues discussed in this class also apply to C++.

You will learn more about:

  • Unspecified and undefined behavior
  • Sequencing and sequence points
  • Portability and optimization issues
  • Working with pointers, arrays and structures
  • The memory model
  • Security vulnerabilities, exploits and mitigation strategies
  • Preprocessing, translation, linking and execution
  • Modern development techniques and design issues
  • Some similarities and differences between C and C++
  • The different C standards (K&R, ANSI/ISO C, C99, C11, C18)
  • History and spirit of C (and C++)

Computer setup:
Bring a laptop with a modern web browser; we will use cyber-dojo.org for exercises.

About the instructor:
Olve Maudal works for Cisco Systems, where he is involved in developing collaboration solutions and telepresence technology. He loves to write code, but he is just as interested in how software is developed as in what it actually does. His main interests are embedded systems, C, C++, Python, TDD, secure coding, software architecture and machine learning. Olve is based in Oslo and he is a Cisco Security Ninja (Black Belt). www.olvemaudal.com