CppCon 2015: Gwendolyn Hunt “Secure C++ Programming”

preview_player
Показать описание


Security vulnerabilities are fundamentally defects in our code. We know many of these defects stem from string processing, buffer overflows and integer underflow and overflows. These defects become security vulnerabilities when an attacker can crash an application, cause undefined behavior that leads to a Denial of Service, privilege escalation or hidden installation of rogue software.

So how do we build more secure C++ software? It starts by gaining an understanding of the basics of security vulnerabilities and how to identify them using the rich set of tools we now have available. With this foundation we can build a development culture where security considerations are pervasive and treated as important as program and algorithm correctness.

This session begins with a survey of common C/C++ string, integer and STL container issues and mitigations for these vulnerabilities. Follows with two detailed examples of vulnerabilities and how to fix their problems. Finishes with a survey of tools and references we have available today.

Gwendolyn Hunt has been in the trenches programming C++ for 20-years. Starting with card swipe systems with EDS, asynchronous messaging client server systems with IBM and high resolution surveillance systems for a bleeding edge startup, Gwendolyn has had the opportunity to build a wide-variety of production and commercial software applications. The last four years she has been the development lead for new generation security applications for Tripwire, Inc. When she is not cranking code, Gwendolyn finds telemark skiing and riding technical singletrack to calm the mind.


*-----*
*-----*
Рекомендации по теме
Комментарии
Автор

Gwen - nice presentation. Congratulations on getting a good positive feedback. Also thanks for mentioning the Safe Numerics library in the Boost Library Incubator.

robertramey
Автор

Signed int overflow behaviour is actually undefined in C++ unless you compile with -fwrapv

iddn
Автор

tip for next time: it's breach, not breech. A breech is a part of a cannon, or a pair of knee-length trousers!

treyquattro
Автор

is there any book with examples on how to exploit those security issues? so you can easily assign a severity.

ocallesp
Автор

Secure C++ programming - uses Macbook - "into the trash it goes.jpeg"

rigwarlthunderkeg