C Programming and Security Fundamentals

Week 1: C Language and GDB Tool

• C Language function syntax, main function syntax, and arguments
• Data types: integer, float, char, arrays, and declarations
• Pointers and notation
• Input and output
• Conditionals and looping
• GDB Tool: executing with an executable file, listing and disassembling (disas), breakpoints, and register inspection
• Vulnerability and exploit definitions: difference between a vulnerability and exploit (and zero day)

Week 2: Integer Overflow

• Integer types: 8-bit equal to char, signed or unsigned
• Limits available as MACRO constants
• Byte sizes of types
• Effect of integer overflow: wrapping around positive or negative
• Implications in reality: usually triggered in loop iteration
• C Language: variable scope and variable types

Week 3: Stacks and Buffers

• Principle of a stack: stack frame organization, function entry and exit sequence
• How stacks work during execution and debugging in GDB
• Buffer and overflow principles: beneficial to a threat actor
• How buffers can be viewed in GDB: examples from lab

Week 4: Vulnerable Functions and Shellcode

• Vulnerable functions: gets, strcpy, strcat, sprintf
• Safer alternatives to these functions
• Shellcode: aim, usage, and how it works

Week 5: Format Strings

• Strings vs format strings: format string specifiers
• Functions: printf and sprintf
• What makes format strings vulnerable: properties
• Exploit setup: where does it read from initially?

Week 7: Heap Properties

• Heap properties and layout: vs the stack
• Functions using heap space: relation to the stack with variables
• Structure: chunks

Week 8: Fuzzing Principles

• Fuzzing principles: why and types
• Phases and methods of fuzzing
• Tools used in fuzzing

Week 9: More Fuzzing

• More fuzzing principles: issues with fuzzing approaches
• Code coverage: AFL tool

Week 10: Non-Executable Stack and Security

• Non-executable stack and implications
• Overrides: W^X, stack canaries, and ASLR