(In)Security in C++

The course teaches C++ developers fundamental concepts from Exploit Development and Reverse Engineering, and uses these concepts to demonstrate common vulnerabilities in C++ codebases. This background is used to help the students to view their code from an attacker’s perspective. They develop a sense of what common vulnerable constructs in C++ look like, and also which tools can help them find different types of vulnerabilities in their existing code bases.

Attendees can expect to gain

  • A basic understanding of the mindset of an exploit developer. - An understanding of assembly
  • Good grasp of tooling that can be used to find vulnerable constructs
  • Good idea of things to look for in code reviews
  • Good overview of Secure Coding Practices in C++

Secure Coding Practices

The Secure Coding Practices taught are largely based on the C++ Core Guidelines, the Common Weakness Enumeration (CWE) and the SEI CERT Coding Standards for C++.


The attendees are assumed to be proficient C++

Day 1 - Theme - Vulnerability

The first day is dedicated to learning ways to find vulnerabilities using tooling and fuzzing. We will go through common vulnerable constructs and show which tools can find them and how they can be fixed. We will use fuzzing to find the Heartbleed vulnerability. We round off the day looking at sandboxing as a tool to limit the impact of vulnerabilities.

Plan for the day:

  • Introduction: Trainer
  • Introduction: Specs
  • Introduction: Tooling
  • Introduction: UB and Compiler Optimizations
  • Exploit: Heartbleed
  • Theory: Fuzzing (on Linux)
  • Theory: Fuzzing with AFL (on Linux)
  • Exercise: Fuzzing (on Linux)
  • Exploitable: Numbers
  • Exercise: Numbers Dojo
  • Practice: constexpr numbers
  • Practice: Avoid the Pitfalls
  • Practice: Functionality
  • Theory: Linux Sandboxing (Chromium)

Day 2 - Theme - Exploitation

The second day is dedicated to understanding how vulnerabilities can be used in exploitation. We will write shellcode and study traditional stack buffer overflow exploits, and use that to understand the platform mitigations that have been introduced over the years. We will then look at memory exploitation and see how all of this can be used together in real life by looking at the Eternal Exploits. We will round off the day with some rules of thumb and discussion.

Plan for the day:

  • Exploit: Shellcode 1 (on Linux)
  • Exploit: Shellcode 2 (on Linux)
  • Exercise: Shellcode (on Linux)
  • Mitigations: Memory
  • Exploitable: Memory 1 & 2
  • Theory: Memory Managers (on Linux)
  • Theory: Heap Exploitation
  • Exploit: Eternal Exploits
  • Exploitable: Modern C++
  • Exercise: Memory Dojo
  • Practice: Resource Management
  • Practice: Prefer C++ to C
  • Practice: I'd Really Rather You Didn't
  • Discussion: Conclusion

Tools and Techniques

  • Exploitation: Stack Overflow Exploit, Return Oriented Programming and Format String Exploit
  • Vulnerability Mitigation: Static Analysis, Warnings, Sanitizers and Fuzzers Platform Mitigation: Stack Canaries, Address Space Layout Randomization (ASLR), Non-executable memory

Computer Setup

All attendees will need to bring their own laptops. The individual work will be in https://cyber-dojo.org so only a computer with a browser is required. Some work might be done on the trainers computer.

Patricia Aas
Senior Consultant & CTO at TurtleSec AS

Patricia Aas is an international speaker and has spoken at CppCon, ACCU, C++OnSea, NDC Security, NDC Oslo and many other conferences on subjects ranging from Sandboxing in Chromium to Vulnerabilities in C++. She has taught a range of subjects in Computer Science at the University of Oslo.

Patricia has a masters degree in Computer Science and 13 years professional experience as a programmer, most of that time programming in C++. During that time she has worked in codebases with a high focus on security: two browsers (Opera and Vivaldi) and embedded Cisco telepresence systems.

Programutvikling uses cookies to see how you use our website. We also have embeds from YouTube and Vimeo. How do you feel about that?