icon-carat-right menu search cmu-wordmark

Secure Coding in C and C++

Producing secure programs requires secure designs. However, even the best designs can lead to insecure programs if developers are unaware of the many security pitfalls inherent in C and C++ programming. This four-day course provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation. The course concentrates on security issues intrinsic to the C and C++ programming languages and associated libraries. The intent is for this course to be useful to anyone involved in developing secure C and C++ programs regardless of the specific application.

Please note: you must bring a laptop computer equipped with the latest version of Adobe Reader and VMware Player. See the Prerequisites section for download information.

The course assumes basic C and C++ programming skills but does not assume an in-depth knowledge of software security. The ideas presented apply to various development environments, but the examples are specific to Microsoft Visual Studio and Linux/GCC and the Intel 64-bit and 32-bit Architectures (x86-64 and IA-32). Material in this presentation was derived from Secure Coding in C and C++, Second Edition, SEI CERT C Coding Standard (2016 Edition) and SEI CERT C++ Coding Standard (2016 Edition). The two SEI CERT Coding Standards, for C and C++, are both available as free downloads. To learn more about the CERT Secure Coding eLearning and Professional Certificates, please go to: SEI Certificates

Audience

This course is designed for C and C++ developers.

Objectives

Participants should come away from this course with a working knowledge of common programming errors that lead to software vulnerabilities, how these errors can be exploited, and effective mitigation strategies for preventing the introduction of these errors. In particular, participants will learn how to

  • improve the overall security of any C or C++ application
  • thwart buffer overflows and stack-smashing attacks that exploit insecure string manipulation logic
  • avoid vulnerabilities and security flaws resulting from the incorrect use of dynamic memory management functions
  • eliminate integer-related problems: integer overflows, sign errors, and truncation errors
  • correctly use formatted output functions without introducing format-string vulnerabilities
  • avoid I/O vulnerabilities, including race conditions

Moreover, this course encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow's attacks, not just today's.

Topics

  • string management
  • dynamic memory management
  • integer security
  • formatted output
  • file I/O

Subjects covered in the first two days are general, but examples are taken from both the Microsoft Visual Studio and GCC compilers on Windows and Linux platforms. Course material on integers uses examples from the x86-64 and IA-32 architectures.

The third and fourth days of the course focus on POSIX platforms. Doug Lea's malloc (dlmalloc) is used to demonstrate exploits in the Linux environment, while the file I/O sections focus on the POSIX standard and the Linux operating system.

Materials

The Secure Coding in C and C++, Second Edition book will be provided in class. Participants will also receive a DVD containing course and reference materials, including the 2016 Editions of the SEI CERT C Coding Standard and the SEI CERT C++ Coding Standard, which are also available as free downloads.

Prerequisites

It is recommended that participants have a basic to intermediate understanding of the C and C++ programming languages. Software security knowledge or experience is not required.

Required Equipment

Students must bring a personal computer equipped with

The following item is optional. We provide them, but the student is free to substitute their own if they wish:

  • C/C++ programming language development environments (compiler, editor, etc.), such as Microsoft Visual Studio

On the first day of the course, the instructor will provide the attendees with a DVD with the software and course exercises to download on their computers. The instructor will also provide instructions on using the Course Exercises Virtual Machine (VM) from the DVDs.

Inquire About This Course

 

IMPORTANT NOTICE:

Carnegie Mellon University/Software Engineering Institute offices will be closed for winter break, December 21, 2024-January 1, 2025. SEI course registrations received during this period will be confirmed and enrollment completed upon our return on January 2, 2025.

Course Questions?

Email: course-info@sei.cmu.edu
Phone: 412-268-7388

Related Courses

CERT Secure Coding in C and C++ Professional Certificate

ONLINE Secure Development, Cyber Workforce Development

The CERT Secure Coding in C and C++ Professional Certificate provides software developers with practical instruction based upon the CERT Secure Coding Standards.

Learn More

Training courses provided by the SEI are not academic courses for academic credit toward a degree. Any certificates provided are evidence of the completion of the courses and are not official academic credentials. For more information about SEI training courses, see Registration Terms and Conditions and Confidentiality of Course Records.