Identifying Security Vulnerabilities in C/C++Programming

This course is part of Secure Coding Practices Specialization

Instructor: Matthew Bishop, PhD

What you'll learn

Apply “what to watch out for” and “where to look” to evaluate fragility of C++ library code.
Given a fragile C++ library, code a robust version.
Identify problems w/ privilege, trusted environments, input validation, files & sub-processes, resource mngmt, asynchronicity, & randomness in C/C++.
Remediate examples of problems that apply to C/C++ interactions with the programming environment.

Skills you'll gain

Details to know

Shareable certificate

Add to your LinkedIn profile

Assessments

8 assignments

Taught in English

See how employees at top companies are mastering in-demand skills

Learn more about Coursera for Business

Build your subject-matter expertise

This course is part of the Secure Coding Practices Specialization

When you enroll in this course, you'll also be enrolled in this Specialization.

Learn new concepts from industry experts
Gain a foundational understanding of a subject or tool
Develop job-relevant skills with hands-on projects
Earn a shareable career certificate

Earn a career certificate

Add this credential to your LinkedIn profile, resume, or CV

Share it on social media and in your performance review

There are 4 modules in this course

This course builds upon the skills and coding practices learned in both Principles of Secure Coding and Identifying Security Vulnerabilities, courses one and two, in this specialization. This course uses the focusing technique that asks you to think about: “what to watch out for” and “where to look” to evaluate and ultimately remediate fragile C++ library code.

The techniques you’ll be examining will make your programs perform accurately and be resistant to attempts to perform inaccurately. This is really what the term secure programming means. You will be shown common errors that people make, and then learn how to program more robustly. You will apply tips and best practices to help you improve your programming style and help you to avoid common problems like buffer overflows, which may or may not cause security problems.

In this module, you will be able to manage users and privileges when you run programs or sub-programs. You will be able to identify and use the different types of privileges on a Linux (and UNIX-like) system. You'll be able to identify how program shells preserve environment settings. You will be able to examine how your shell (or other program that uses the PATH variable) deals with multiple versions of that variable.

What's included

17 videos4 readings2 assignments4 discussion prompts

17 videosTotal 107 minutes

Course Introduction2 minutesPreview module
Module 1 Introduction2 minutes
Users and Privileges Overview7 minutes
Identifying Users and Changing Privileges7 minutes
Spawning Subprocesses8 minutes
Identifying Users Incorrectly1 minute
Establishing Users and Setting UIDs8 minutes
Establishing Groups and GIDs3 minutes
Establishing Privileges for Users and Groups11 minutes
How Root Privileges Work3 minutes
Lesson 1 Summary1 minute
Environment Variables Overview2 minutes
Programming Explicitly4 minutes
Addressing Various Attacks16 minutes
Dynamic Loading and Associated Attacks16 minutes
Programming Implicitly3 minutes
The Moral of the Story5 minutes

4 readingsTotal 35 minutes

A Note From UC Davis10 minutes
Who Are You? - What is Going On?10 minutes
Resetting the PATH - What is Going On?10 minutes
Multiple PATH Environment Variables - What's Going On?5 minutes

2 assignmentsTotal 60 minutes

Module 1 Practice Quiz30 minutes
Module 1 Quiz30 minutes

4 discussion promptsTotal 190 minutes

Learning Goals10 minutes
Who Are You? (Suggested Activity)60 minutes
Resetting the PATH (Suggested Activity)60 minutes
Multiple PATH Environment Variables (Suggested Activity)60 minutes

In this module, you will be able to breakdown how the process of checking inputs, known as validation and verification works. You will be able to avoid and buffer numeric overflows in your programs. You will be able to discover what happens when you call functions with parameters that cause overflows. And finally, you will be able to detect various input injections such as cross-site scripting and SQL injections and be able to describe the consequences of not examining input.

What's included

17 videos2 readings2 assignments2 discussion prompts

17 videosTotal 161 minutes

Module 2 Introduction2 minutesPreview module
Validation and Verification Overview8 minutes
Metacharacters11 minutes
The Heartbleed Bug and Other Exploits21 minutes
Inputs15 minutes
Fixes6 minutes
Lesson 3 Summary1 minute
Buffer Overflows Overview2 minutes
Buffer Overflow Examples18 minutes
Selective Buffer Overflow and Utilizing Canaries17 minutes
Numeric Overflows Overview7 minutes
Numeric Overflow Examples8 minutes
Lesson 4 Summary2 minutes
Input Injections Overview1 minute
Cross-Site Scripting Attacks18 minutes
SQL Injections10 minutes
Lesson 5 Summary5 minutes

2 readingsTotal 20 minutes

Path Names - What's Going On?10 minutes
Numeric and Buffer Overflows - What's Going On?10 minutes

2 assignmentsTotal 45 minutes

Module 2 Practice Quiz15 minutes
Module 2 Quiz30 minutes

2 discussion promptsTotal 120 minutes

Path Names (Suggested Activity)60 minutes
Numeric and Buffer Overflows (Suggested Activity)60 minutes

In this module, you will be able to describe how files and subprocesses interact and be able to create subprocesses and shell scripts. You will also be able to identify and prevent race conditions in your programs and practice cleaning out environments to make them safe for untrusted subprocesses.

What's included

13 videos1 reading2 assignments1 discussion prompt

13 videosTotal 79 minutes

Module 3 Introduction2 minutesPreview module
Files and Subprocesses Overview0 minutes
Creating a Child Process5 minutes
Subprocess Environment10 minutes
Files and Subprocesses Design Tips5 minutes
Lesson 6 Summary2 minutes
Race Conditions Overview8 minutes
A Classic Race Condition Example9 minutes
Time of Check to Time of Use12 minutes
Programming Condition5 minutes
Environmental Condition7 minutes
Race Conditions6 minutes
Linux Locks and FreeBSD System Calls4 minutes

1 readingTotal 10 minutes

The Environmental Condition - What's Going On?10 minutes

2 assignmentsTotal 45 minutes

Module 3 Practice Quiz15 minutes
Module 3 Quiz30 minutes

1 discussion promptTotal 60 minutes

The Environmental Condition (Suggested Activity)60 minutes

In this module you will be able to distinguish between pseudo-randomness and actual randomness. You will be able to apply randomness in the coding environment and generate random numbers and look at their distribution. You'll be able to identify and describe how and why cryptography is used, as well as why you should use trusted cryptography code libraries instead of crafting your own solution. You will be able to analyze and consider best practices for handling sensitive information, passwords, crypto keys, how to handle errors in security sensitive programs, and how to defend against string attacks. You will be able to hash a password and then try to guess another one. You will be able to practice cleaning out environments to make them safe for untrusted subprocesses, as well as practice handling integer overflow.

What's included

19 videos4 readings2 assignments5 discussion prompts

19 videosTotal 96 minutes

Module 4 Introduction2 minutesPreview module
Randomness and Cryptography Overview2 minutes
Pseudorandom vs. Random6 minutes
Producing Random Numbers4 minutes
Sowing Seeds12 minutes
Cryptography Basics3 minutes
Using Cryptography for Secrecy and Integrity8 minutes
Some Cryptography Examples9 minutes
Lesson 8 Summary1 minute
Handling Sensitive Information and Errors and Formatting Strings Overview1 minute
All About Passwords7 minutes
Adding a Pinch of Salt4 minutes
Managing Sensitive Data4 minutes
Practice a Secure Function8 minutes
Error Handling Part 14 minutes
Error Handling Part 26 minutes
Format Strings5 minutes
Lesson 9 Summary2 minutes
Course Summary0 minutes