CERT
Training: Secure Coding in C and C++

Abstract

Secure Coding in C and C++ provides practical advice on secure practices in C and C++ programming. Producing secure programs requires secure designs. However, even the best designs can lead to insecure programs if developers are unaware of the many security pitfalls inherent in C and C++ programming. This training provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation. The training concentrates on security issues intrinsic to the C and C++ programming languages and associated libraries. It does not emphasize security issues involving interactions with external systems such as databases and web servers, as these are rich topics on their own. The intent is that this training be useful to anyone involved in developing secure C and C++ programs regardless of the specific application.

Text

The training is based on the text Secure Coding in C and C++, published by Addison-Wesley.

Importance

Software vulnerabilities are common and pervasive. As technology advances into the most remote areas of our lives, it is important to understand and learn from past coding practices. Software companies are quickly recognizing the effect that vulnerabilities have on their customers and on their own market success. Major software companies have begun to require that their software developers take courses specifically on secure coding practices.

Audience

The Secure Coding in C and C++ training should be useful to anyone involved in the development or maintenance of software in C and C++.
  • For a C/C++ programmer, this training will teach you how to identify common programming errors that result in software vulnerabilities, understand how these errors are exploited, and implement a solution in a secure fashion.
  • For a software project manager, this training identifies the risks and consequences of software vulnerabilities to guide investments in developing secure software.
  • For a computer science student, this training will teach you programming practices that will help you to avoid developing bad habits and enable you to develop secure programs during your professional career.
  • For a security analyst, this training provides a detailed description of common vulnerabilities, identifies ways to detect these vulnerabilities, and offers practical avoidance strategies.

Agenda

The one-day tutorial consists of the following topics:
  • Strings
    • Common String Manipulation Errors
      • unbounded string copies
      • null-termination errors
      • truncation
      • write outside array bounds
      • off-by-one errors
      • improper data sanitization
    • String Vulnerabilities
      • Program Stacks
      • Buffer Overflow
      • Code Injection
      • Arc Injection
    • Mitigation Strategies
      • Static strategies
      • Dynamic strategies
  • Integers
    • Representation
    • Types
    • Conversions
    • Error conditions
    • Operations
    • Vulnerabilities
      • Integer overflow
      • Sign error
      • Truncation
      • Non-exceptional
    • Mitigation Strategies
      • Type range checking
      • Strong typing
      • Compiler checks
      • Safe integer operations
      • Testing and reviews
    • Notable Vulnerabilities
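As an added illustration of the Strings and Integers topics above (example code written for this page, not material from the training or the book), the following C program applies two of the listed mitigation strategies, type range checking and safe integer operations, to a size computation, and pairs them with a bounded string copy that avoids the null-termination and silent-truncation errors listed under Common String Manipulation Errors. All function names and the sample buffer are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Multiply two sizes for an allocation without wrapping past SIZE_MAX.
 * Stores the product in *out and returns true, or returns false on overflow. */
bool checked_mul_size(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) {
        return false;                /* a * b would wrap: integer overflow */
    }
    *out = a * b;
    return true;
}

/* Range-check a signed length from untrusted input; a negative value cast to
 * size_t becomes huge (the sign error) and anything above limit is rejected. */
bool length_to_size(long len, size_t limit, size_t *out) {
    if (len < 0 || (unsigned long)len > limit) {
        return false;
    }
    *out = (size_t)len;
    return true;
}

/* Copy src into dst[cap], always NUL-terminating, and report truncation.
 * strncpy() does neither: with a source of cap or more bytes it leaves dst
 * unterminated (null-termination error) and it truncates silently.
 * Returns the number of bytes copied, excluding the terminator. */
size_t bounded_copy(char *dst, size_t cap, const char *src, bool *truncated) {
    size_t len = strlen(src);
    if (cap == 0) {                  /* no room even for '\0': write nothing */
        *truncated = true;
        return 0;
    }
    size_t n = len < cap ? len : cap - 1;   /* cap - 1 leaves room for '\0' */
    memcpy(dst, src, n);
    dst[n] = '\0';
    *truncated = (len > n);
    return n;
}

int main(void) {
    size_t bytes;
    char name[8];                    /* constructed sample: 7 chars plus '\0' */
    bool truncated;
    printf("(SIZE_MAX/2+1)*2 fits: %d\n", checked_mul_size(SIZE_MAX / 2 + 1, 2, &bytes));
    bounded_copy(name, sizeof name, "secure coding", &truncated);
    printf("copied \"%s\", truncated=%d\n", name, truncated);
    return 0;
}
```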
The one-day tutorial can also be expanded to include additional topics:
  • Arbitrary memory write exploits, which allow an attacker to write a single address to any location in memory. This topic describes how these exploits can be used to execute arbitrary code on a compromised machine.
  • Dynamic memory management vulnerabilities including dynamically allocated buffer overflows, writing to freed memory, and double-free vulnerabilities.
  • Correct and incorrect use of formatted output functions. Both format string and buffer overflow vulnerabilities resulting from the incorrect use of these functions are described.
  • Common vulnerabilities associated with file I/O, including race conditions and time-of-check, time-of-use (TOCTOU) vulnerabilities.
  • Specific development practices for improving the overall security of your C/C++ application. These recommendations are in addition to the recommendations already covered for addressing specific vulnerability classes.

Prerequisites

The Secure Coding in C and C++ training requires a basic to intermediate understanding of the C and C++ programming languages. It does not require an understanding of application security.

Experience

This training is usually delivered by Robert C. Seacord.

Robert is a senior vulnerability analyst at the CERT Coordination Center (CERT/CC) at the Software Engineering Institute (SEI) in Pittsburgh, PA. Robert is the author of Secure Coding in C and C++ (Addison-Wesley, 2005) and coauthor of Building Systems from Commercial Components (Addison-Wesley, 2002) and Modernizing Legacy Systems (Addison-Wesley, 2003), as well as more than 40 papers on software security, component-based software engineering, Web-based system design, legacy-system modernization, component repositories and search engines, and user interface design and development.

Robert is a part-time faculty member at the University of Pittsburgh and Carnegie Mellon University, where he has taught software engineering.

Robert started programming professionally for IBM in 1982, working in communications and operating system software, processor development, and software engineering. Robert has also worked at the X Consortium, where he developed and maintained code for the Common Desktop Environment and the X Window System. He is also actively involved in the JTC1/SC22/WG14 international standardization working group for the C programming language.

History

The Secure Coding in C and C++ tutorial has been presented at:
  • 12th ACM Conference on Computer and Communications Security (CCS 2005). Hilton Alexandria Mark Center, Alexandria, VA, U.S.A.
  • Software Security Summit. February 6-8, 2006. San Diego, Calif.
  • IEEE International Symposium on Secure Software Engineering. March 13-15, 2006
  • SANSFIRE 2007. July 25 - August 3, 2007. Washington, DC.


Last updated September 13, 2007