Monday
Room 3
09:00 - 17:00
(UTC+01)
2 Days
(In)Secure C++: Sec Edition
Training aimed at providing an introduction to finding and exploiting vulnerabilities in C and C++ applications.
Security
C++
SECURE CODING PRACTICES IN C++
The training will provide its students with:
- knowledge of how to use tools to find vulnerabilities in native applications
- hands-on experience with some exploitation techniques
PRACTICAL INFORMATION
- Chat - Slack: Will be set up a week in advance to help resolve any technical issues
- Exercises - Cloud VMs and a Cyber Dojo cloud instance: guarantees the same environment
This training is explicitly targeted at security professionals with some programming experience in C or C++.
GOALS OF THE TRAINING
- Demystify exploitation, show that exploitation is a mindset, not a set of techniques
- Demonstrate the motivation for mitigations in the platforms, languages and tools
- Show that C++ and C are not easy to reason about
- Teach the students to recognize constructs that have a higher risk of having vulnerabilities
- Teach the students which tools can be used to find bugs
TWO-DAY TRAINING
DAY 1 - FINDING VULNERABILITIES USING FUZZING
- Meta: Training
- Theory: Introduction and Specs
- Mitigations: Tooling
- Exploitable: UB and Compiler Optimizations
- Theory: Address Sanitizer
- Exploit: Heartbleed
- Theory: Fuzzing (AFL and libFuzzer)
- Theory: Debugging in gdb
DAY 2 - EXPLOITATION AND WRITING SHELLCODE
- Exploit: Format String Vulnerabilities
- Exploit: Stack Buffer Overflow
- Exploit: Shellcode 1
- Exploit: Shellcode 2
- Exploit: Return Oriented Programming (ROP)
- Discussion: Conclusion