C-Family Software Implementation Vulnerabilities
• Xeno Kovah • Kc Udonsi
Institute: OpenSecurityTraining
Course URL: https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Vulns1001_C-derived+2022_v1/about
Target: Any, developers, code auditors, vulnerability hunters
Delivery:
Description
This course is co-taught with Xeno Kovah. This is a dual-audience class. It targets developers who want to learn to write secure code or to recognize insecure code. It’s also suitable for aspiring code auditors and freelance vulnerability hunters.
This class is structured in 5 main topic areas, corresponding to the following vulnerability types:
- (linear) stack buffer overflows
- (linear) heap buffer overflows
- (non-linear) out-of-bounds writes
- integer overflows/underflows, and “other integer issues” (signed sanity checks, integer truncation, and sign extension)
For each topic area, we explain at least 6 real vulnerabilities.
Additionally, for at least one of those vulnerabilities we explain exploitation opportunities. Students will understand that exploitation engineering is just a typical engineering discipline, akin to a specialized form of software engineering.
At the end of each topic area, we cover prevention, detection, and mitigation opportunities corresponding to the vulnerability types.