Security testing C and C++ applications

DAY 1

Cyber security basics

• What is security?
• Threat and risk
• Cyber security threat types – the CIA triad
• Cyber security threat types – the STRIDE model
• Consequences of insecure software
• Constraints and the market

Memory management vulnerabilities

• Assembly basics and calling conventions
  – x64 assembly essentials
  – Registers and addressing
  – Most common instructions
  – Calling conventions on x64
  – Calling convention – what it is all about
  – The stack frame
  – Stacked function calls
• Buffer overflow
  – Memory management and security
  – Vulnerabilities in the real world
  – Buffer security issues
  – Buffer overflow on the stack
  – Buffer overflow on the stack – stack smashing
  – Exploitation – Hijacking the control flow
  – Lab – Buffer overflow 101, code reuse
  – Exploitation – Arbitrary code execution
  – Injecting shellcode
  – Lab – Code injection, exploitation with shellcode- Buffer overflow on the heap
  – Unsafe unlinking
  – Case study – Heartbleed- Pointer manipulation
  – Modification of jump tables
  – Overwriting function pointers
• Best practices and some typical mistakes
  – Unsafe functions
  – Dealing with unsafe functions
  – Lab – Fixing buffer overflow
  – What’s the problem with asctime()?
  – Lab – The problem with asctime()
  – Using std::string in C++
  – Unterminated strings
  – readlink() and string termination
  – Manipulating C-style strings in C++
  – Malicious string termination
  – Lab – String termination confusion
  – String length calculation mistakes
  – Off-by-one errors
  – Allocating nothing*
  – Testing for typical mistakes

DAY 2
Memory management hardening

• Runtime protections
  – Runtime instrumentation
  – Address Space Layout Randomization (ASLR)
  – ASLR on various platforms
  – Lab – Effects of ASLR
  – Circumventing ASLR – NOP sleds
  – Circumventing ASLR – memory leakage- Non-executable memory areas
  – The NX bit
  – Write XOR Execute (W^X)
  – NX on various platforms
  – Lab – Effects of NX
  – NX circumvention – Code reuse attacks
  – Return-to-libc / arc injection
  – Return Oriented Programming (ROP)
  – Protection against ROP

Security testing

• Security testing vs functional testing
• Manual and automated methods
• Security testing methodology
  – Security testing – goals and methodologies
  – Overview of security testing processes
  – Identifying and rating assets
  – Preparation
  – Identifying assets
  – Identifying the attack surface
  – Assigning security requirements
  – Lab – Identifying and rating assets
  – Threat modeling
  – SDL threat modeling
  – Mapping STRIDE to DFD
  – DFD example
  – Attack trees
  – Attack tree example
  – Lab – Crafting an attack tree
  – Misuse cases
  – Misuse case examples
  – Risk analysis
  – Lab – Risk analysis
  – Reporting, recommendations, and review

Common software security weaknesses

• Security features
  – Authentication
  – Authentication basics
  – Multi-factor authentication
  – Authentication weaknesses
  – Case study – PayPal 2FA bypass- Password management
  – Inbound password management
  – Storing account passwords
  – Password in transit
  – Lab – Is just hashing passwords enough?
  – Dictionary attacks and brute forcing
  – Salting
  – Adaptive hash functions for password storage
  – Password policy
  – NIST authenticator requirements for memorized secrets
  – Case study – The Ashley Madison data breach
  – The dictionary attack
  – The ultimate crack
  – Exploitation and the lessons learned
  – Password database migration
  – Testing for password management issues

DAY 3
Common software security weaknesses

• Input validation
  – Input validation principles
  – Denylists and allowlists
  – What to validate – the attack surface
  – Where to validate – defense in depth
  – When to validate – validation vs transformations
  – Validation with regex
  – Injection
  – Injection principles
  – Injection attacks
  – Code injection
  – OS command injection
  – Lab – Command injection
  – OS command injection best practices
  – Avoiding command injection with the right APIs
  – Lab – Command injection best practices
  – Case study – Shellshock
  – Lab – Shellshock
  – Testing for command injection- Process control – library injection
  – Library hijacking
  – Lab – Library hijacking- Integer handling problems
  – Representing signed numbers
  – Integer visualization
  – Integer promotion
  – Integer overflow
  – Lab – Integer overflow
  – Signed / unsigned confusion
  – Case study – The Stockholm Stock Exchange
  – Lab – Signed / unsigned confusion
  – Integer truncation
  – Lab – Integer truncation
  – Case study – WannaCry
  – Best practices
  – Upcasting
  – Precondition testing
  – Postcondition testing
  – Best practices in C
  – UBSan changes to arithmetics
  – Lab – Handling integer overflow on the toolchain level in C and C++
  – Best practices in C++
  – Lab – Integer handling best practices in C++- Testing for numeric problems
  – Files and streams
  – Path traversal
  – Lab – Path traversal
  – Path traversal-related examples
  – Path traversal best practices
  – Lab – Path canonicalization
  – Testing for path traversal

Security testing

• Security testing techniques and tools
  – Code analysis
  – Static Application Security Testing (SAST)
  – Lab – Using static analysis tools- Dynamic analysis
  – Security testing at runtime
  – Penetration testing
  – Stress testing
  – Dynamic analysis tools
  – Dynamic Application Security Testing (DAST)- Fuzzing
  – Fuzzing techniques
  – Fuzzing – Observing the process

Wrap up

• Secure coding principles
  – Principles of robust programming by Matt Bishop
  – Secure design principles of Saltzer and Schroeder
• And now what?
  – Software security sources and further reading
  – C and C++ resources
  – Security testing resources