COD 892: Creating Secure Code - Embedded C/C++

Live Training English
Course is offered in English

Course Overview

Most embedded system software is developed in C/C++. It is a natural choice because of its portability across platforms, efficient use of system resources, and ability to interact directly with embedded operating systems such as Linux. However, the trade-off for these features is that embedded C/C++ programming is challenging: system resources are scarce, your tools are limited, and the risks are high. Additionally, embedded C carries all the risk of large-system C/C++ programming, often with less margin for error and worse outcomes if the application is compromised.

This course examines coding errors and vulnerabilities in the context of embedded C/C++ programming and provides detailed code examples of insecure practices, along with methods to find, fix and prevent each type of flaw. Participants are provided with a set of security coding best practices and practical recommendations.

At the end of this course, participants will be able to:

  • Understand the embedded vulnerability landscape
  • Proactively recognize and remediate coding errors that lead to vulnerabilities in embedded software
  • Implement techniques for mitigating risk against vulnerabilities
  • Perform threat modeling to identify vulnerabilities and analyze risk

Course Modules

  • The Embedded Security Landscape
  • Improper Neutralization of Special Elements
  • Buffer Copy without Checking Size of Input
  • Mitigating Buffer Overflow Conditions
  • Dangers of Uncontrolled Format Strings
  • Use of Hard-Coded Authentication Credentials and mitigation techniques
  • Reliance on Untrusted Inputs in a Security Decision
    • Common Authentication Errors
    • Mitigations
  • Validating that your Compiler is Set for Security
  • Insecure Coding Examples (detailed and specific to embedded C/C++)
  • Threat Modeling
    • Collecting Information
    • Decomposing the application
    • Building the activity matrix
    • Building the threat profile
    • Analyzing risks