Secure Coding in C and C++ for Automotive (SECC-CCPPA) – Outline

Gedetailleerde cursusinhoud

DAY 1

Cyber security basics

  • What is security?
  • Threat and risk
  • Cyber security threat types
  • Consequences of insecure software
    • Constraints and the market
    • The dark side
  • Categorization of bugs
    • The Seven Pernicious Kingdoms
    • SEI CERT Secure Coding Guidelines
  • Coding standards in automotive
    • ISO 26262
    • MISRA C 2012
    • MISRA C++ 2008
    • AUTOSAR C++14 and the future
    • CERT C Coding Standard
    • CERT C++ Coding Standard
  • Cyber security in the automotive sector
    • Software security in the automotive world
    • Threats and trends in automotive
    • Self-driving car threats
    • The CAN bus and security
    • Case study – controlling the CAN bus through the infotainment system

Buffer overflow

  • Assembly basics and calling conventions
    • ARM assembly essentials
    • Registers and addressing
    • Basic ARM64 instructions
    • ARM calling conventions
      • The calling convention
      • The stack frame
      • Calling convention implementation on ARM64
      • Stacked function calls
  • Memory management vulnerabilities
    • Memory management and security
    • Vulnerabilities in the real world
    • Mapping to MISRA
    • Buffer security issues
    • Buffer overflow on the stack
      • Buffer overflow on the stack – stack smashing
      • Exploitation – Hijacking the control flow
      • Lab – Buffer overflow 101, code reuse
      • Exploitation – Arbitrary code execution
      • Injecting shellcode
      • Lab – Code injection, exploitation with shellcode
    • Buffer overflow on the heap
      • Unsafe unlinking
      • Case study – Heartbleed
    • Pointer manipulation
      • Modification of jump tables
      • Overwriting function pointers
  • Best practices and some typical mistakes
    • Unsafe functions
    • Dealing with unsafe functions
    • Lab – Fixing buffer overflow
    • What’s the problem with asctime()?
    • Lab – The problem with asctime()
    • Using std::string in C++

DAY 2

Buffer overflow

  • Some typical mistakes leading to BOF
    • Unterminated strings
    • readlink() and string termination
    • Manipulating C-style strings in C++
    • Malicious string termination
    • Lab – String termination confusion
    • String length calculation mistakes
    • Off-by-one errors
    • Allocating nothing

Memory management hardening

  • Mapping to MISRA
  • Securing the toolchain
    • Securing the toolchain in C and C++
    • Compiler warnings and security
    • Using FORTIFY_SOURCE
    • Lab – Effects of FORTIFY
    • AddressSanitizer (ASan)
      • Using AddressSanitizer (ASan)
      • ASan changes to the prologue
      • ASan changes to memory read/write operations
      • ASan changes to epilogue
    • Stack smashing protection
      • Detecting BoF with a stack canary
      • Argument cloning
      • Stack smashing protection on various platforms
      • SSP changes to the prologue and epilogue
      • Lab – Effects of stack smashing protection
  • Runtime protections
    • Runtime instrumentation
    • Address Space Layout Randomization (ASLR)
      • ASLR on various platforms
      • Lab – Effects of ASLR
      • Circumventing ASLR – NOP sleds
      • Heap spraying
    • Non-executable memory areas
      • The NX bit
      • Write XOR Execute (W^X)
      • NX on various platforms
      • Lab – Effects of NX
      • NX circumvention – Code reuse attacks
        • Return-to-libc / arc injection
      • Return Oriented Programming (ROP)
        • Lab – ROP demonstration
        • Protection against ROP

Common software security weaknesses

  • Security features
    • Authentication
      • Authentication basics
      • Multi-factor authentication
      • Authentication weaknesses – spoofing
      • Case study – Hacking the Mitsubishi Outlander PHEV hybrid
    • Password management
      • Inbound password management
        • Storing account passwords
        • Password in transit
        • Lab – Is just hashing passwords enough?
        • Dictionary attacks and brute forcing
        • Salting
        • Adaptive hash functions for password storage
        • Password policy
          • NIST authenticator requirements for memorized secrets
        • Case study – The Ashley Madison data breach
          • The dictionary attack
          • The ultimate crack
          • Exploitation and the lessons learned
        • Password database migration
      • Outbound password management
        • Hard coded passwords
        • Best practices
        • Lab – Hardcoded password
        • Protecting sensitive information in memory
          • Challenges in protecting memory
          • Heap inspection
          • Compiler optimization challenges
          • Lab – Zeroization challenges
          • Sensitive info in non-locked memory
    • Authorization
      • Access control basics
      • File system access control
        • Improper file system access control
        • Ownership
        • chroot jail
        • Using umask()
        • Linux filesystem
        • LDAP

DAY 3

Common software security weaknesses

  • Input validation
    • Input validation principles
      • Blacklists and whitelists
      • Data validation techniques
      • What to validate – the attack surface
      • Attack surface in automotive
      • Where to validate – defense in depth
      • How to validate – validation vs transformations
      • Output sanitization
      • Encoding challenges
      • Validation with regex
      • Mapping to MISRA
    • Injection
      • Injection principles
      • Injection attacks
      • Code injection
        • OS command injection
          • Lab – Command injection
          • OS command injection best practices
          • Avoiding command injection with the right APIs
          • Lab – Command injection best practices
          • Case study – Shellshock
          • Lab – Shellshock
          • Case study – Command injection in Jeep Cherokee
        • Process control – library injection
          • DLL hijacking
          • Lab – DLL hijacking
    • Integer handling problems
      • Representing signed numbers
      • Integer visualization
      • The MISRA essential type model
      • Integer promotion
      • Composite expressions and type conversion
      • Integer overflow
      • Lab – Integer overflow
      • Signed / unsigned confusion
      • Lab – Signed / unsigned confusion
      • Integer truncation
      • Lab – Integer truncation
      • Case study – WannaCry
      • Best practices
        • Upcasting
        • Precondition testing
        • Postcondition testing
        • Using big integer libraries
        • Best practices in C
        • Lab – Handling integer overflow on the toolchain level in C/C++
        • Best practices in C++
        • Lab – Integer handling best practices in C++
    • Other numeric problems
      • Security issues with bitfields
      • Division by zero
      • Working with floating-point numbers
    • Files and streams
      • Path traversal
      • Path traversal-related examples
      • Lab – Path traversal
      • Link and shortcut following
      • Virtual resources
      • Path traversal best practices
      • Lab – Path canonicalization
        • Format string issues
        • The problem with printf()
        • Lab – Exploiting format string

DAY 4

Common software security weaknesses

  • Time and state
    • Mapping to MISRA
    • Race conditions
      • Race condition in object data members
      • File race condition
        • Time of check to time of usage – TOCTTOU
        • Lab – TOCTTOU
        • Insecure temporary file
      • Potential race conditions in C/C++
        • Race condition in signal handling
        • Forking
        • Bit-field access
  • Errors
    • Error and exception handling principles
    • Mapping to MISRA
    • Error handling
      • Returning a misleading status code
      • Error handling in C
      • Error handling in C++
      • Using std::optional safely
      • Information exposure through error reporting
    • Exception handling
      • In the catch block. And now what?
      • Empty catch block
      • Exception handling in C++
      • Lab – Exception handling mess
  • Code quality
    • Data handling
      • Type mismatch
      • Lab – Type mismatch
      • Initialization and cleanup
        • Constructors and destructors
        • Initialization of static objects
        • Lab – Initialization cycles
      • Unreleased resource
        • Array disposal in C++
        • Lab – Mixing delete and delete[]
    • Control flow
      • Incorrect block delimitation
      • Dead code
      • Leftover debug code
      • Backdoors, dev functions and other undocumented functions
      • Using if-then-else and switch defensively
    • Signal handling
      • Signal handlers
      • Best practices
    • Object oriented programming pitfalls
      • Inheritance and object slicing
      • Implementing the copy operator
      • The copy operator and mutability
      • Mutability
        • Mutable predicate function objects
        • Lab – Mutable predicate function object
    • Memory and pointers
      • Memory and pointer issues
      • Pointer handling pitfalls
      • Alignment
      • Null pointers
        • NULL dereference
        • NULL dereference in pointer-to-member operators
      • Pointer usage in C and C++
        • Use after free
        • Lab – Use after free
        • Lab – Runtime instrumentation
        • Double free
        • Memory leak
        • Smart pointers and RAII
        • Smart pointer challenges
        • Incorrect pointer arithmetics
    • File I/O
      • Working with file descriptors, structures and objects
      • File reading and writing
      • File access functions and methods

Using vulnerable components

  • Assessing the environment
  • Hardening
  • Vulnerability management
    • Patch management
    • Bug bounty programs
    • Vulnerability databases
    • Vulnerability rating – CVSS
    • Lab – Finding vulnerabilities in third-party components
    • DevOps, the build process and CI / CD
    • Insecure compiler optimization

Security testing

  • Security testing vs functional testing
  • Manual and automated methods
  • Security testing techniques and tools
    • Code analysis
      • Security aspects of code review
      • Static Application Security Testing (SAST)
      • Lab – Using static analysis tools
    • Dynamic analysis
      • Security testing at runtime
      • Penetration testing
      • Stress testing
      • Dynamic analysis tools
        • Dynamic Application Security Testing (DAST)
      • Fuzzing
        • Fuzzing techniques
        • Fuzzing – Observing the process

Wrap up

  • Secure coding principles
    • Principles of robust programming by Matt Bishop
    • Secure design principles of Saltzer and Schröder
  • And now what?
    • Software security sources and further reading
    • C and C++ resources
    • Links to automotive coding standards