
C/C++ Secure Coding

3 day(s)

Objectives

The training explains in detail the mechanisms underlying typical security-relevant C/C++ programming bugs – the common security vulnerabilities. The root causes of the problems are explained through a number of easy-to-understand source code examples, which at the same time make clear how to find and correct these problems in practice. The real strength of the course lies in its numerous hands-on exercises, which help the participants understand how easy it is for attackers to exploit these vulnerabilities.

The course also gives an overview of practical protection methods that can be applied at different levels (hardware components, the operating system, programming languages, the compiler, the source code or in production) to prevent the occurrence of the various bugs, to detect them during development and before market launch, or to prevent their exploitation during system operation. Through exercises specially tailored to these mitigation techniques, participants can learn how simple – and moreover cheap – it is to get rid of various security problems.

Content

Common security vulnerabilities:
  • Buffer Overflow (BOF), stack and heap overflow
  • Heartbleed
  • array indexing problems, the Unicode bug
  • missing or improper input validation, integer problems, widthness bug, signedness bug, arithmetic overflow, integer mishandling case study – Android Stagefright bug, Print format string bug (PFS), Directory Traversal Vulnerability (DTV)
  • improper use of security features, weak randomness, password management
  • error handling-related problems
  • race conditions, Time-of-Checking-to-Time-of-Usage (TOCTTOU) vulnerability, safe signal handling, and many more...
Mitigation techniques:
  • Never eXecute (NX bit) access mode of Virtual Memory Management (VMM)
  • Address Space Layout Randomization (ASLR) – PaX, ExecShield
  • Stack smashing protection (SSP), StackGuard, ProPolice
Exercises:
  • exploiting stack overflow – executing shell codes
  • applying protection techniques (stack smashing protection, non-executable stack and heap, ASLR)
  • circumventing protections with NOP sledding, Return-to-libc attack, Return Oriented Programming (ROP)
  • understanding Shellshock
  • understanding integer problems
  • applying mitigation techniques
  • crafting a print format attack string – write-what-where (WWW) possibilities
  • password management; problems of exception-based error handling
  • exploiting race conditions with symlinks
  • and many spot-and-correct-the-bug exercises

Target audience

Prerequisites

Advanced C/C++


The content of this training description is the sole responsibility of its author, the training organisation Telindus Training Institute / Proximus Luxembourg.

Characteristics
Level: Advanced
Organisation: In-company training
Delivery languages