Security testing C and C++ applications

Course overview

Your application written in C and C++ is tested functionally, so you’re done, right?

But have you thought about entering incorrect values? 16 GB data? And zero? An apostrophe? Negative numbers, or specifically -1 or -2^31? Because that’s what the bad guys will do – and the list is far from complete.

Security testing requires a remarkable expertise in software security and a healthy level of paranoia, and that’s what this course provides: a strong emotional engagement through lots of hands-on labs and real-life stories. Particular focus is placed on finding all discussed issues during testing, and an overview is given of security testing methods, techniques, and tools. So that you are prepared for the forces of the dark side. So that nothing unexpected happens. Nothing.

Overview of the

  • Cybersecurity basics
  • Vulnerabilities in memory management
  • Strengthening memory management
  • Security testing
  • Common software security flaws
  • Unpacking

Delivery:

  • On site for three days, 09:00–17:00
  • Online for five days, Monday–Friday 09:00–13:00

Course Objective

  • Getting acquainted with basic concepts of cybersecurity
  • Understanding of security testing methodology and approaches
  • Identifying vulnerabilities and their consequences
  • Learning best practices for security in C and C++
  • Methods and principles for validating input data
  • Becoming familiar with security testing techniques and tools

Target Group

C/C++ developers and testers

Prerequisites

General C/C++ development, testing, and quality assurance

Certification

This course does not have any associated certification. Each participant who completes the course receives a course certificate.

Trainer

This course is delivered in collaboration with one of Informator’s partners.

More about the course

DAY 1

Cybersecurity basics

Vulnerabilities in memory management

  • Basics of assembly and calling conventions
  • x64 assembly essentials
  • Registers and addressing
  • The most common instructions
  • Calling conventions on x64
  • Calling conventions – what it is all about
  • The stack frame
  • Stacked function calls
  • Buffer overflow
  • Memory Management and Security
  • Real-world vulnerabilities
  • Buffer security issues
  • Buffer overflow on the stack
  • Buffer overflow on the stack – stack smashing
  • Exploitation – Hijacking the control flow
  • Lab – Buffer overflow 101, code reuse
  • Exploitation – arbitrary code execution
  • Shellcode injection
  • Lab – Code injection, shellcode exploit
  • Buffer overflow on the heap
  • Unsafe unlinking
  • Case Study – Heartbleed
  • Pointer Manipulation
  • Modification of jump tables
  • Function pointer overwriting
  • Best practices and some typical mistakes
  • Unsafe functions
  • Handling of unsafe functions
  • Lab – Fixing Buffer Overflow
  • What is the problem with asctime()?
  • Lab – The problem with asctime()
  • Using std::string in C++
  • Unterminated strings
  • readlink() and string termination
  • Manipulating C-style strings in C++
  • Intentional string termination
  • Lab – Confusion about string termination
  • Mistakes when calculating string length
  • Off-by-one error
  • Allocating nothing
  • Testing for typical mistakes

DAY 2 — Strengthening memory management

  • Runtime protection
  • Runtime Instrumentation
  • Address Space Layout Randomization (ASLR)
  • ASLR on different platforms
  • Lab – Effects of ASLR
  • Bypassing ASLR – NOP sleds
  • Bypassing ASLR – memory leaks
  • Non-executable memory ranges
  • The NX bit
  • Write XOR Execute (W^X)
  • NX on different platforms
  • Lab – Effects of NX
  • Bypassing NX – code reuse attacks
  • Return-to-libc/arc injection
  • Return Oriented Programming (ROP)
  • Protection against ROP

Security testing

  • Security Testing vs. Functional Testing
  • Manual and automated methods
  • Methodology for security testing
  • Security testing – objectives and methods
  • Overview of security testing processes
  • Asset identification and valuation
  • Preparation
  • Asset identification
  • Attack surface detection
  • Assigning security requirements
  • Lab – Asset Identification and Valuation
  • Threat modeling
  • SDL threat modeling
  • Mapping STRIDE to DFD
  • Examples of DFD
  • Attack trees
  • Examples of attack trees
  • Lab – Creating an attack tree
  • Misuse cases
  • Examples of misuse cases
  • Risk analysis
  • Lab – Risk analysis
  • Reporting, recommendations and review

Common software security flaws

  • Security features
  • Authentication
  • Basics of authentication
  • Multi-factor authentication
  • Weaknesses in authentication
  • Case Study – PayPal 2FA Bypass
  • Password Management
  • Inbound password management
  • Account password storage
  • Passwords in transit
  • Lab – Is it enough to just hash passwords?
  • Dictionary attacks and brute forcing
  • Salting
  • Adaptive hash functions for storing passwords
  • Password policy
  • NIST authenticator requirements for memorized secrets
  • Case study – The Ashley Madison data breach
  • The attack with a dictionary
  • The ultimate crack
  • Exploitation and lessons learned
  • Password database migration
  • Testing for password management issues

DAY 3 — Common Software Security Flaws

  • Validation of input
  • Input validation principles
  • Denylists and allowlists
  • What to validate – the attack surface
  • Where to validate – defense in depth
  • When to Validate – Validation vs. Transformations
  • Validation with regex
  • Injection
  • Injection Principles
  • Injection attacks
  • Code injection
  • OS command injection
  • Lab – Command Injection
  • Best practices against OS command injection
  • Avoid command injection with the right APIs
  • Lab – Best Practices for Command Injection
  • Case Study – Shellshock
  • Lab – Shellshock
  • Testing for command injection
  • Process control – library injection
  • Hijacking of libraries
  • Lab – Library Hijacking
  • Problems with handling integers
  • Representing signed numbers
  • Integer visualization
  • Integer promotion
  • Integer overflow
  • Lab – Integer overflow
  • Confusion between signed and unsigned
  • Case study – Stockholm Stock Exchange
  • Lab – Signed/unsigned confusion
  • Integer truncation
  • Lab – Integer truncation
  • Case Study – WannaCry
  • Best practices
  • Upcasting
  • Precondition testing
  • Postcondition testing
  • Best practices in C
  • UBSan changes to arithmetic
  • Lab – Toolchain-level handling of integer overflows in C and C++
  • Best practices in C++
  • Lab – Best practices for handling integers in C++
  • Testing for numerical problems
  • Files and streams
  • Path Traversal
  • Lab – Path traversal
  • Example of path traversal
  • Best practices for path traversal
  • Lab – Path Canonicalization
  • Testing for path traversal

Security testing (continued)

  • Security Testing Techniques and Tools
  • Code analysis
  • Static Application Security Testing (SAST)
  • Lab – Using static analysis tools
  • Dynamic analysis
  • Security testing at runtime
  • Penetration testing
  • Stress testing
  • Dynamic analysis tools
  • Dynamic Application Security Testing (DAST)
  • Fuzzing
  • Fuzzing Techniques
  • Fuzzing – Observing the process

Closure

  • Secure Coding Principles
  • Principles of Robust Programming by Matt Bishop
  • Principles of Secure Design by Saltzer and Schroeder
  • And now what?
  • Sources and Further Reading on Software Security
  • C and C++ Resources
  • Security testing resources

Course overview

3 days

Basic

Can’t find a (suitable) date, but are interested in the course? Send in an expression of interest and we will do what we can to get an opportunity that suits.

Our General Terms and Conditions apply to all courses.

Company-adapted course

The course can be adapted from several perspectives:
  • Content and focus area
  • Scope of application
  • Structure

In collaboration with the course leader, we make sure that the course meets your wishes.

Send an expression of interest for the training