Exploiting Modern C++

“Exploiting Modern C++” is a two-day training course with programming exercises taught by Matthew Butler. It is offered at the Gaylord Rockies from 9AM to 5PM on Saturday and Sunday, September 21st and 22nd (immediately following the conference). Lunch is included.

Course Description

Writing secure code is often shrouded in mystery. But writing secure code begins with writing high-quality code. If you write high-quality, bug-free code you are most of the way to having secure code by default. The difference between a garden variety bug and a security vulnerability lies in how close that bug is to an attack surface. In this class we’ll learn how to design, write, review and test code to its highest quality in the context of software security. In the process we’ll learn how to build highly dependable, secure systems.

So, how do hackers penetrate a system written in Modern C++ that’s been extensively code reviewed and tested?

How do small bugs become the gateway for massive security breaches?

How do you recognize security vulnerabilities during code reviews?

What tools are available for testing a system from a security point of view?

In this hands-on course, you’ll discover the answers to all of those questions and more as you exploit a live system written in Modern C++. The vulnerabilities we’ll explore are drawn from real-world examples that were exploited by real-world hackers. All had real-world consequences. You probably have most or all of these in your code base now.

By the end of the course, you will have learned:

  • How to identify security vulnerabilities in code you didn’t write.
  • What tools and techniques hackers use to exploit those vulnerabilities from the outside and from the inside.
  • How to analyze a system using threat modeling.
  • How to use different testing techniques to expose each vulnerability, including: static analysis, dynamic analysis, fuzz testing, penetration testing.
  • How to deploy these design, coding and testing techniques into your own development environments.

We’ll also cover:

  • How to build security into Modern C++ applications from the early design stages.
  • How code structure and coding decisions affect security outcomes.
  • How to design secure systems and write secure code.
  • Best practices for writing secure code for an insecure world.

Want to know how hackers see your code and exploit it? After this workshop, you’ll know exactly how they do it. More importantly, you’ll know exactly what to do to stop it.

Course Topics

This two day course is a hands-on workshop where students will practice hacking into a system with known vulnerabilities written in Modern C++. Then they’ll use security testing techniques to find those vulnerabilities and fix them.

Day 1:

Lecture: Hacker culture and how hacker’s view systems. Students will learn the mentality of a hacker and what their true goals and objectives are.

Lecture: Threat Modeling and Threat Hunting techniques.

Exercise: Students will threat model the system looking at the system as a whole to identify potential attack vectors and attack surfaces.

Lecture: Code review techniques for security.

Exercise: Students will use code review techniques specific to security vulnerabilities to review source code and learn what to look for in specific types of security vulnerabilities.

Lecture: Penetration techniques and tools.

Exercise: Capture-the-Flag exercise where students will practice hacking the system from the outside just like a hacker would.

Day 2:

Lecture: Basic testing strategies and tools

Exercise: Static Analysis

Exercise: Dynamic Analysis

Exercise: Fuzz Testing

Exercise: Penetration Testing

Lecture: Secure designs, code structure and techniques for writing hardened code.

Exercise: Capture-the-Flag exercise on the now secure system.

Lecture: Best Practices for secure software design

Prerequisites

Students should have a basic knowledge of C++ including C++11 and have some experience debugging code.

Students are not required to bring a laptop. However this is an interactive class where we will be working on a running system so a laptop is helpful.

For those using laptops, please have the latest versions of VirtualBox and Visual Studio installed. All other tools will be provided before class begins.

Course Instructor

Matthew Butler

Matthew Butler has spent the last three decades as a systems architect and software engineer developing systems for network security, law enforcement and the military. He primarily works in signals intelligence using C, C++ and Modern C++ to build systems running on hardware platforms ranging from embedded micro-controllers to FPGAs to large-scale airborne platforms.

Much of his experience has come in either building systems that defend against attackers or building highly sensitive systems that are targets. He is actively involved in the C++ community and is on various planning committees for C++Now and CppCon as well as being a speaker at both. He is also a member of the ISO C++ Standards Committee.

Over the past thirty years, he has learned the harsh lessons on how we often write systems that fail, not because they don’t scale, but because they aren’t designed to be secure.

He can be reached at mbutler@laurellye.com