Secure Code Development Boot Camp

Trainer Name: Rafael Boix Carpi & Martijn Bogaard
Title: Secure Code Development Boot Camp
Duration: 2 Days
Dates: 27^th - 28^th Feb 2019

Overview

The course is an intense 2 days program aimed for those involved in the design, development and maintenance of software required to protect assets in real world application.

This course is hands on and has numerous examples of good and bad coding practices from open source projects. The program will be led by 2 leading embedded security professionals with an extensive working background in various embedded technologies.

During the program, you will learn how to remove software vulnerabilities early in the development cycle of complex embedded systems. A primer for any professional concerned with writing secure code.

You will learn from real examples how attackers find vulnerabilities in an application code base, why compliance with code standards (e.g. MISRA-C) is not equivalent with secure code development and how compliance code can still have vulnerabilities.

For each of the vulnerability classes presented during the training we discuss their potential impact on the system and strategies to help prevent the introduction of such vulnerabilities.

After we discuss common vulnerabilities, such as buffer overflows, string format issues and integer wrap-around, you will learn to identify vulnerabilities in code of slowly increasing complexity and evaluate their potential impact.

Many software vulnerabilities are caused by unintended or undefined code behavior and therefore we cover these two topics in depth. We will also discuss command injection and heap management vulnerabilities, race conditions as well as type confusion issues, common crypto mistakes and issues specific to operating system kernels.

During the entire duration of the course, the participants are expected to learn the following:

• Early identification of issues and prevent security vulnerabilities during development cycle.
• Understand the most common and severe weaknesses in code (C) and gain working knowledge for identifying different types of vulnerabilities in complex systems.
• Continuous improvement of product development process by utilizing best practices for secure software development.
• Good understanding of secure coding guidelines and why compliance with standard coding guidelines (e.g. MISRA_-C) is no equivalent with secure code development
• Unique knowledge for selecting applicable software hardening techniques for embedded systems.

Teaching methodology

This is a combined theory and technical hands-on course to gain working knowledge on real world examples for every module.

Course Outline

Day-1

Module 0: Introduction to vulnerability discovery techniques

• What are security vulnerabilities?
• Coding guidelines and security vulnerabilities (MISRA-C)
• Vulnerability discovery techniques

Module 1: Brief introduction to C

• Different standards
• Platform-specific behavior
• Compilers
• Coupled to undefined behavior

Module 2: Classic security vulnerabilities

• Program memory corruption
• Program memory layout
• Buffer overflows

Module 3: C Language issues

• Data storage and representation
• Type conversion issues
• Integer over-/underflows
• Pointer arithmetic issues
• Undefined behavior
• Implementation dependent behavior
• Typos
• Sizeof
• Format strings

Module 4: Common Mitigation techniques

• Raising the bar of scalable attacks
• Memory corruption exploitation

Day-2: Input, memory and behavio

Module 5: Injection techniques

Module 6: Race Conditions

Module 7: Type

• Invalid cast
• Unions
• Etc

Module 8: Timing attacks and other common failures

Module 9: Heap Management (e.g. use-after-free)

Module 10: Common Crypto issues

• Obsolete crypto
• Incorrect use (e.g. integrity ->hashing alg.)
• Implementation bugs (e.g. Heartbleed)
• Side channel attacks
• Randomness issues
• Padding oracle attacks

Module 11: Kernel issues (Pointer verification)

Module 12: Coding best practices

Labs:

15-20 lab exercises

Who should take this course?

Code auditors, software security architects, software developers and system design engineers

Student requirements

Experienced (C) developer, ideally in a Linux environment

What should students bring?

The requirement for the course is a laptop with a C development environment, administrative, USB and internet access.

What students will be provided with?

• Presentation material and associated PDF material
• Certification

Trainer Profile

Martijn Bogaard

Martijn joined Riscure in 2015, where he specializes in Security Evaluations of Embedded Systems used in content protection and (mobile) payment solutions. His expertise is source code reviews and penetration testing (exploitation of logical hardware and software vulnerabilities as well as Fault Injection attacks) of (real-time) operating systems, drivers and applications used in Trusted Execution Environments and dedicated security subsystems of SoCs. He likes to engage directly with customers helping them to better understand the evaluation results, put them into perspective both from a technical and business perspective, and work with them to improve the security of their solutions. Technical Lead of security evaluation projects consisting of 2-4 analysts. Martijn received his master degree from University of Amsterdam (Cum Laude).

Rafael Boix Carpi

Rafa is a Principal Security Trainer & Specialist, working at Riscure since 2013. He has a MSc. in Computer Science Engineering from Universitat Politecnica de Valencia, Spain. His fields of expertise include Side Channel Analysis, Fault Injection, and low-level Embedded Systems protocols. Rafa has given talks, lead workshops, authored and co-authored research papers in several worldwide conferences. Rafa is really good at basically tearing apart any device with chips on it until its secrets are revealed, and sharing how to do it.