C/C++ Security

Course Description

Writing secure code in C/C++ is far from trivial. This course introduces the complexity of working with the C/C++ family of languages, especially from a security perspective. Learn about major security flaws that can lead to insecure programs and how to combat them. Lesson topics include string handling, memory management, integer overflow and wrapping, format string attacks, and more.

Learning Objectives

  • Identify use cases where C/C++ is widely used
  • Apply new best practices for safely manipulating strings
  • Identify unsafe memory handling practices
  • Apply mitigation techniques to common integer mishandling
  • Understand issues with concurrency and parallelism
  • Describe best practices for access controls

Details

Delivery Format: eLearning

Duration: 1 hour 15 minutes

Level: Advanced

Intended Audience:

  • Architects
  • Back-End Developers
  • Front-End Developers
  • QA Engineers    

Prerequisites: 


Course Outline

Introduction

  • Brief History of C/C++
  • Problems Facing C
  • Legacy Code 
  • Undefined Behavior

String Handling

  • Representation of Strings
  • Improperly Bounded String Copies
  • Off by One Errors
  • Null Termination Errors
  • Truncation Issues
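The string handling topics above (improperly bounded copies, off-by-one length checks, missing NUL termination, silent truncation) fit in one short C program. This is an added illustration, not material from the course; the field size NAME_LEN, the function names and the input string are assumptions chosen for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8   /* assumed fixed-size field, including the terminating NUL */

/* Improperly bounded copy: strcpy writes strlen(src)+1 bytes no matter how
 * large dst is. Shown for comparison only; never called with long input. */
void copy_unbounded(char dst[NAME_LEN], const char *src) {
    strcpy(dst, src);
}

/* Off-by-one length check: a name of exactly NAME_LEN characters passes,
 * but needs NAME_LEN + 1 bytes once the NUL is counted. */
bool fits_off_by_one(const char *src) {
    return strlen(src) <= NAME_LEN;
}

/* Correct check: leave room for the terminator. */
bool fits(const char *src) {
    return strlen(src) < NAME_LEN;
}

/* strncpy bounds the write but does not promise a terminator: when src has
 * NAME_LEN or more characters, dst is left without a NUL and any later
 * strlen() or printf("%s") reads past the end of the buffer. */
void copy_strncpy(char dst[NAME_LEN], const char *src) {
    strncpy(dst, src, NAME_LEN);
}

/* True if a NUL byte exists somewhere inside the first `size` bytes of buf. */
bool is_terminated(const char *buf, size_t size) {
    return memchr(buf, '\0', size) != NULL;
}

/* Bounded copy that always terminates and reports truncation instead of
 * silently dropping characters. Returns true only if the whole string fit. */
bool copy_bounded(char *dst, size_t size, const char *src) {
    int n = snprintf(dst, size, "%s", src);
    return n >= 0 && (size_t)n < size;
}

int main(void) {
    const char *input = "abcdefgh";   /* constructed input: exactly NAME_LEN chars */
    char name[NAME_LEN];

    printf("off-by-one check accepts: %d, correct check accepts: %d\n",
           fits_off_by_one(input), fits(input));

    copy_strncpy(name, input);
    printf("strncpy left a terminator: %d\n", is_terminated(name, sizeof name));

    bool fit = copy_bounded(name, sizeof name, input);
    printf("snprintf result '%s', fit=%d, terminated=%d\n",
           name, fit, is_terminated(name, sizeof name));
    return 0;
}
```

The practical takeaway: a bounded copy alone is not enough; the code must also know whether the result is terminated and whether it was truncated, and act on that answer rather than on the contents of the buffer.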

Memory Management

  • Initialization Issues
  • Failing to Check Return Values
  • Writing to Freed Memory
  • Dereferencing NULL Pointers
  • Double Free
  • Memory Leaks
  • Zero Length Allocations
  • C++ Memory Management

Integers

  • Wraparound Issues
  • Truncation Errors
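Wraparound and truncation are easiest to see in allocation-size arithmetic, the place where they most often become memory corruption. The following C program is an added example, not part of the course; the function names and the hostile count are assumptions. Unsigned arithmetic wraps modulo 2^N by definition, which is what the example exercises; signed overflow is undefined behaviour in C and is deliberately not executed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Wraparound: count * elem_size wraps modulo 2^N, so an attacker-chosen
 * count can make the product tiny. malloc then succeeds with far less
 * memory than the loop that follows writes into. */
size_t alloc_size_wrapping(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Overflow-checked multiply using a portable division test (no builtins). */
bool mul_size_checked(size_t count, size_t elem_size, size_t *out) {
    if (count != 0 && elem_size > SIZE_MAX / count)
        return false;                      /* product would wrap */
    *out = count * elem_size;
    return true;
}

/* Allocation wrapper that refuses wrapped sizes and rejects zero-length
 * requests explicitly (malloc(0) may return NULL or a unique pointer that
 * must not be dereferenced). calloc(count, elem_size) performs the same
 * overflow check in the standard library. */
void *alloc_array_checked(size_t count, size_t elem_size) {
    size_t bytes;
    if (!mul_size_checked(count, elem_size, &bytes) || bytes == 0)
        return NULL;
    return malloc(bytes);
}

/* Truncation: storing a size_t length in a 16-bit field keeps only the low
 * 16 bits, so a bounds check done on the stored value uses the wrong number. */
uint16_t length_truncated(size_t len) {
    return (uint16_t)len;
}

/* Range check before narrowing. */
bool length_fits_u16(size_t len, uint16_t *out) {
    if (len > UINT16_MAX)
        return false;
    *out = (uint16_t)len;
    return true;
}

int main(void) {
    size_t count = SIZE_MAX / 4 + 1;   /* constructed hostile element count */
    size_t bytes = 0;
    printf("wrapping: %zu * 4 = %zu\n", count, alloc_size_wrapping(count, 4));
    printf("checked multiply accepted: %d\n", mul_size_checked(count, 4, &bytes));
    printf("70000 stored in uint16_t becomes %u\n", length_truncated(70000));
    return 0;
}
```

Note that the hostile count wraps the product to exactly zero on both 32-bit and 64-bit size_t, so a naive allocation would request zero bytes and every subsequent element write would be out of bounds.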

Format String Attacks

  • Crashing Programs
  • Reading From the Stack
  • Reading From Arbitrary Memory Addresses
  • Buffer Overflows
  • Writing to Arbitrary Memory Addresses
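Every item in the format string list comes from one mistake: untrusted data used as the format argument itself. The C program below is an added example, not course material; the function names are assumptions. It contrasts the vulnerable and fixed logging calls and adds two small checks a practitioner can apply at a trust boundary: counting conversion directives in an untrusted string and detecting "%n", the directive that turns a read into a write.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* VULNERABLE: the caller's string becomes the format. "%x %x %x" dumps
 * stack words, a "%s" at the right position dereferences a pointer taken
 * from the stack (crash or disclosure), and "%n" writes the number of bytes
 * emitted so far to an address taken from the stack. Kept for comparison;
 * main() never passes hostile input to it. gcc/clang report this call
 * with -Wformat -Wformat-security. */
void log_message_unsafe(const char *msg) {
    printf(msg);
    putchar('\n');
}

/* Fixed: the format is a literal and the untrusted data is an argument. */
void log_message_safe(const char *msg) {
    printf("%s\n", msg);
}

/* Counts conversion directives in an untrusted string. "%%" is a literal
 * percent sign and is not counted. */
size_t count_format_directives(const char *s) {
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* literal "%%" */
        n++;
    }
    return n;
}

/* True if the string contains a "%n" directive, allowing for flags, width,
 * precision and length modifiers between the '%' and the conversion char. */
bool has_write_directive(const char *s) {
    while ((s = strchr(s, '%')) != NULL) {
        s++;                                     /* character after '%' */
        if (*s == '%') { s++; continue; }        /* literal "%%" */
        while (*s && strchr("-+ #0.*123456789hlLqjzt", *s))
            s++;
        if (*s == 'n')
            return true;
        if (*s == '\0')
            break;
        s++;                                     /* skip the conversion char */
    }
    return false;
}

int main(void) {
    const char *hostile = "%08x %08x %n";   /* constructed attacker string */
    log_message_safe(hostile);               /* prints the text literally */
    printf("directives=%zu, contains %%n: %d\n",
           count_format_directives(hostile), has_write_directive(hostile));
    return 0;
}
```

The checks are a second line of defence for data that will later reach a printf-style sink (syslog, a custom logger); the first line is never letting that data be the format argument, which the compiler warning above enforces across a code base.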

Concurrency

  • Race Conditions
  • Value Corruption
  • Volatile Objects
  • Deadlock

File I/O 

  • Access Control Overview
  • Access Control: Elevated Privileges
  • Access Control Example: Elevating Privileges
  • Temporarily Dropping Privileges
  • Permanently Dropping Privileges
  • Directory Traversal
  • Time of Check Time of Use (TOCTOU) 
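The last two items, directory traversal and TOCTOU, are shown together in the POSIX C program below. It is an added example and not course material; the function names, the scratch directory under /tmp and the "report" file name are assumptions. The check-then-open race is left in for comparison, and the fixed version collapses the check and the use into a single open() with O_EXCL and O_NOFOLLOW, then verifies the descriptor with fstat rather than the path with stat.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE: access() describes the path at one instant. Between it and
 * open() an attacker who controls the directory can drop a symlink at
 * `path`, and open(O_CREAT) follows it to a file they could not otherwise
 * write. Kept for comparison; main() does not use it. */
int create_report_toctou(const char *path) {
    if (access(path, F_OK) == 0)                  /* check */
        return -1;
    return open(path, O_WRONLY | O_CREAT, 0600);  /* use, after a race window */
}

/* Fixed: check and use are one atomic kernel operation. O_EXCL fails if
 * anything already exists at the path, O_NOFOLLOW refuses a symlink, and
 * fstat on the descriptor confirms what was actually opened. */
int create_report_atomic(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Directory traversal: a user-supplied name that is joined under a base
 * directory must be exactly one path component, so "..", "." and anything
 * containing '/' are rejected before the join. */
bool is_safe_filename(const char *name) {
    if (name == NULL || *name == '\0')
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    return strchr(name, '/') == NULL;
}

/* Private scratch directory for the demonstration (assumed writable /tmp). */
int make_scratch_dir(char *buf, size_t size) {
    snprintf(buf, size, "/tmp/toctou-demo-XXXXXX");
    return mkdtemp(buf) ? 0 : -1;
}

int main(void) {
    char dir[64], path[128], planted[128];
    if (make_scratch_dir(dir, sizeof dir) != 0)
        return 1;
    snprintf(path, sizeof path, "%s/report", dir);
    snprintf(planted, sizeof planted, "%s/planted", dir);

    int fd = create_report_atomic(path);
    printf("first create: fd=%d\n", fd);
    if (fd >= 0) close(fd);
    printf("second create (exists): %d\n", create_report_atomic(path));

    /* Simulate the attacker's move: a symlink planted where we will write. */
    if (symlink("/etc/passwd", planted) == 0)
        printf("create over symlink: %d (errno %d)\n",
               create_report_atomic(planted), errno);

    printf("is_safe_filename(\"../etc/passwd\") = %d\n",
           is_safe_filename("../etc/passwd"));
    unlink(planted); unlink(path); rmdir(dir);
    return 0;
}
```

When the program must open an existing file rather than create one, the same idea applies: open it once, then make every decision (ownership, mode, type) from fstat on that descriptor, and perform the privileged action on the descriptor, never on the path again.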
