(In)Secure C++: Sec Edition

UNDERSTANDING EXPLOITATION AND FINDING VULNERABILITIES

Gain essential knowledge, and hands-on experience, in effective vulnerability detection tools and techniques, and how these vulnerabilities are wielded in exploitation of C++ and C applications. By deepening your understanding of exploitation, the motivations driving mitigations, and the identification of high-risk constructs, you will be able to design software that better meets your security needs.

This training is explicitly targeted at C++ developers, though C developers will also benefit.

SECURE CODING PRACTICES IN C++

The training will provide its students with:

• knowledge on how to use tools to find vulnerabilities in native applications
• give a hands-on experience in some exploitation techniques

PRACTICAL INFORMATION

• Chat - Slack: Will be setup a week in advance to facilitate resolving of any technical issue
• Exercises - Cloud VMs and a Cyber Dojo cloud instance: guarantees same environment

This training is explicitly targeted at security professionals with some programming experience in C or C++.

SOME OF THE TOPICS COVERED

• Fuzzing and Sanitizers: How to use tools like Address Sanitizer and fuzzers like AFL/libFuzzer to find and fix security vulnerabilities. Here you will use fuzzing to find the Heartbleed vulnerability in OpenSSL. You will also be tasked with fixing Heartbleed, and then reviewing the fix that was shipped at the time, to get a realistic impression of how difficult it can be to analyze and fix vulnerabilities in real life scenarios.
• Exploiting Buffer Overflows with Custom Exploit Shellcode: How to exploit buffer overflows and execute arbitrary code, and the mitigations that can help prevent it from happening. Here you will exploit a program with your own custom shellcode.
• Return Oriented Programming (ROP) and Format Strings: How to bypass stack protection mechanisms using ROP and generated ROP chains. And we’ll use format string vulnerabilities as an example of a completely different way of exploiting applications.

TRAINING SCHEDULE

DAY 1 - FINDING VULNERABILITIES USING FUZZING

• Introduction and Setup
• Introduction to exploitation, vulnerabilities and specifications
• Mitigations and Tooling: Static and Dynamic Analysis
• Undefined Behaviour and Compiler Optimizations
• Address Sanitizer
• Case Study: Heartbleed
• Fuzzing: AFL and libFuzzer
• Debugging Shellcode in GDB

DAY 2 - EXPLOITATION AND WRITING SHELLCODE

• Exploitation: Format String Exploitation
• Vulnerability: Stack Buffer Overflow
• Exploitation: Writing and Testing Custom Shellcode
• Exploitation: Return Oriented Programming (ROP)
• Summary and Conclusion