Monday 

Room 2 

09:00 - 17:00 

(UTC+01

2 Days

(In)Security in C++

Training aimed at providing a foundation for C++ programmers in security for native applications.

Security
C++

SECURE CODING PRACTICES IN C++

The training will provide its students with:

  • vocabulary to understand reported vulnerabilities
  • knowledge on how to receive vulnerability reports professionally
  • knowledge on how to use tools to find and fix vulnerabilities in their own code
  • knowledge on how to design a more secure product
  • knowledge on how to design a CI/CD pipeline that will improve the security of their own codebase

PRACTICAL INFORMATION

  • Chat - Slack: Will be setup a week in advance to facilitate resolving of any technical issue
  • Exercises - Cloud VMs and a Cyber Dojo cloud instance: guarantees same environment

This training is explicitly targeted at C++ developers, though C developers will also benefit.

GOALS OF THE TRAINING

  • Demystify exploitation, show that exploitation is a mindset, not a set of techniques
  • Demonstrate the motivation for mitigations in the platforms, languages and tools
  • Show that C++ and C are not easy to reason about
  • Teach the students to recognize constructs that have a higher risk of having vulnerabilities
  • Teach the students which tools can be used to find bugs before others find them
  • Teach the students about tools they can use locally while coding
  • Teach the students about tools they can integrate in their CI/CD pipeline
  • Help them think about how security fits into the team context
  • Help them view their application in a new ways

Agenda

DAY 1 - INTRODUCTION, FUZZING AND NUMBERS

  • Meta: Training
  • Theory: Introduction and Specs
  • Mitigations: Tooling
  • Exploitable: UB and Compiler Optimizations
  • Theory: Address Sanitizer
  • Exploit: Heartbleed
  • Theory: Fuzzing (on Linux)
  • Theory: Debugging in gdb

DAY 2 - STACK BUFFER OVERFLOW, SHELLCODE AND GOOD PRACTICES

  • Mitigations: Stack Buffer Overflow
  • Exploit: Shellcode 1 (on Linux)
  • Exploit: Shellcode 2 (on Linux)
  • Practice: Secure Coding Practices 1
  • Discussion: Conclusion

Patricia Aas

Patricia Aas is an international speaker and has spoken at CppCon, ACCU, C++OnSea, NDC Security, NDC Oslo and many other conferences on subjects ranging from Sandboxing in Chromium to Vulnerabilities in C++. She has taught a range of subjects in Computer Science at the University of Oslo.

Patricia has a masters degree in Computer Science and 13 years professional experience as a programmer, most of that time programming in C++. During that time she has worked in codebases with a high focus on security: two browsers (Opera and Vivaldi) and embedded Cisco telepresence systems.