Code responsibly with generative AI in C++

Code responsibly with generative AI in C++CRWGAIC++CYCydrillCY-CRWGAIC++1.0<ul> <li>Understanding the essentials of responsible AI</li><li>Getting familiar with essential cyber security concepts</li><li>Correctly implementing various security features</li><li>Identify vulnerabilities and their consequences</li><li>Learn the security best practices in C++</li><li>Managing vulnerabilities in third party components</li><li>Input validation approaches and principles</li><li>All this put into the context of GitHub Copilot</li></ul><h4>Wrap up</h4><ul> <li>Secure coding principles <ul> <li>Principles of robust programming by Matt Bishop</li><li>Secure design principles of Saltzer and Schroeder</li></ul></li><li>And now what?</li><li>Software security sources and further reading <ul> <li>C and C++ resources</li><li>Responsible AI principles in software development</li><li>Generative AI – Resources and additional guidance</li></ul></li></ul><p>General C++ and C development</p><p>C/C++ developers using Copilot or other GenAI tools</p><h4>Day 1</h4> <h4>Coding responsibly with GenAI</h4><ul> <li>What is responsible AI?</li><li>What is security?</li><li>Threat and risk</li><li>Cyber security threat types – the CIA triad</li><li>Cyber security threat types – the STRIDE model</li><li>Consequences of insecure software</li><li>Security and responsible AI in software development</li><li>GenAI tools in coding: Copilot, Codeium and others</li></ul> <h4>Memory management vulnerabilities</h4><ul> <li>Assembly basics and calling conventions <ul> <li>x64 assembly essentials</li><li>Registers and addressing</li><li>Most common instructions</li><li>Calling conventions on x64</li><li>Calling convention – what it is all about</li><li>Calling convention on x64</li></ul></li><li>The stack frame</li><li>Stacked function calls</li><li>Buffer overflow <ul> <li>Memory management and security</li><li>Buffer security issues</li><li>Buffer overflow on the stack</li><li>Buffer overflow on the stack – stack smashing</li><li>Exploitation – Hijacking the control flow</li><li>Lab – Buffer overflow 101, code reuse</li><li>Exploitation – Arbitrary code execution</li><li>Injecting shellcode</li><li>Lab – Code injection, exploitation with shellcode</li><li>Case study – Stack BOF in FriendlyName handling of the Wemo Smart Plug</li></ul></li><li>Pointer manipulation <ul> <li>Modification of jump tables</li><li>Overwriting function pointers</li><li>Best practices and some typical mistakes</li></ul></li><li>Unsafe functions <ul> <li>Dealing with unsafe functions</li><li>Lab – Fixing buffer overflow (exploring with Copilot)</li></ul></li><li>Using std::string in C++ <ul> <li>Manipulating C-style strings in C++</li><li>Malicious string termination</li><li>Lab – String termination confusion (exploring with Copilot)</li><li>String length calculation mistakes</li></ul></li></ul><h4>Day 2</h4><h4>Memory management hardening</h4><ul> <li>Securing the toolchain <ul> <li>Securing the toolchain in C++</li><li>Using FORTIFY_SOURCE</li><li>Lab – Effects of FORTIFY</li></ul></li><li>AddressSanitizer (ASan) <ul> <li>Using AddressSanitizer (ASan)</li><li>Lab – Using AddressSanitizer</li></ul></li><li>Stack smashing protection <ul> <li>Detecting BoF with a stack canary</li><li>Argument cloning</li><li>Stack smashing protection on various platforms</li><li>SSP changes to the prologue and epilogue</li><li>Lab – Effects of stack smashing protection</li></ul></li><li>Runtime protections <ul> <li>Runtime instrumentation</li><li>Address Space Layout Randomization (ASLR) <ul> <li>ASLR on various platforms</li><li>Lab – Effects of ASLR</li><li>Circumventing ASLR – NOP sleds</li><li>Circumventing ASLR – memory leakage</li></ul></li></ul></li><li>Non-executable memory areas <ul> <li>The NX bit</li><li>Write XOR Execute (W^X)</li><li>NX on various platforms</li><li>Lab – Effects of NX</li><li>NX circumvention – Code reuse attacks</li><li>Return-to-libc / arc injection</li><li>Return Oriented Programming (ROP)</li><li>Protection against ROP</li></ul></li><li>Case study – Systematic exploitation of a MediaTek buffer overflow</li></ul><h4>Day 3</h4><h4>Common software security weaknesses</h4><ul> <li>Security features <ul> <li>Authentication</li><li>Password management <ul> <li>Inbound password management</li><li>Storing account passwords</li><li>Password in transit</li><li>Lab – Is just hashing passwords enough?</li><li>Dictionary attacks and brute forcing</li><li>Salting</li><li>Adaptive hash functions for password storage</li><li>Password policy</li><li>NIST authenticator requirements for memorized secrets</li><li>Password database migration</li></ul></li></ul></li><li>Code quality <ul> <li>Code quality and security</li></ul></li><li>Data handling <ul> <li>Type mismatch</li><li>Lab – Type mismatch (exploring with Copilot)</li><li>Initialization and cleanup <ul> <li>Constructors and destructors</li><li>Initialization of static objects</li><li>Lab – Initialization cycles (exploring with Copilot)</li></ul></li><li>Unreleased resource</li><li>Array disposal in C++</li><li>Lab – Mixing delete and delete[] (exploring with Copilot)</li></ul></li><li>Object oriented programming pitfalls <ul> <li>Accessibility modifiers</li><li>Are accessibility modifiers a security feature?</li><li>Inheritance and object slicing</li><li>Implementing the copy operator</li><li>The copy operator and mutability</li><li>Mutability</li><li>Mutable predicate function objects</li><li>Lab – Mutable predicate function object</li></ul></li></ul> <h4>Using vulnerable components</h4><ul> <li>Security of AI generated code</li><li>Practical attacks against code generation tools</li><li>Dependency hallucination via generative AI</li><li>Case study – A history of GitHub Copilot weaknesses (up to mid 2024)</li></ul><p> [/list]</p><ul> <li>Coding responsibly with GenAI</li><li>Memory management vulnerabilities</li><li>Memory management hardening</li><li>Common software security weaknesses</li><li>Using vulnerable components</li><li>Wrap up</li></ul>- Understanding the essentials of responsible AI - Getting familiar with essential cyber security concepts - Correctly implementing various security features - Identify vulnerabilities and their consequences - Learn the security best practices in C++ - Managing vulnerabilities in third party components - Input validation approaches and principles - All this put into the context of GitHub Copilot Wrap up - Secure coding principles - Principles of robust programming by Matt Bishop - Secure design principles of Saltzer and Schroeder - And now what? - Software security sources and further reading - C and C++ resources - Responsible AI principles in software development - Generative AI – Resources and additional guidanceGeneral C++ and C developmentC/C++ developers using Copilot or other GenAI toolsDay 1 Coding responsibly with GenAI - What is responsible AI? - What is security? - Threat and risk - Cyber security threat types – the CIA triad - Cyber security threat types – the STRIDE model - Consequences of insecure software - Security and responsible AI in software development - GenAI tools in coding: Copilot, Codeium and others Memory management vulnerabilities - Assembly basics and calling conventions - x64 assembly essentials - Registers and addressing - Most common instructions - Calling conventions on x64 - Calling convention – what it is all about - Calling convention on x64 - The stack frame - Stacked function calls - Buffer overflow - Memory management and security - Buffer security issues - Buffer overflow on the stack - Buffer overflow on the stack – stack smashing - Exploitation – Hijacking the control flow - Lab – Buffer overflow 101, code reuse - Exploitation – Arbitrary code execution - Injecting shellcode - Lab – Code injection, exploitation with shellcode - Case study – Stack BOF in FriendlyName handling of the Wemo Smart Plug - Pointer manipulation - Modification of jump tables - Overwriting function pointers - Best practices and some typical mistakes - Unsafe functions - Dealing with unsafe functions - Lab – Fixing buffer overflow (exploring with Copilot) - Using std::string in C++ - Manipulating C-style strings in C++ - Malicious string termination - Lab – String termination confusion (exploring with Copilot) - String length calculation mistakes Day 2 Memory management hardening - Securing the toolchain - Securing the toolchain in C++ - Using FORTIFY_SOURCE - Lab – Effects of FORTIFY - AddressSanitizer (ASan) - Using AddressSanitizer (ASan) - Lab – Using AddressSanitizer - Stack smashing protection - Detecting BoF with a stack canary - Argument cloning - Stack smashing protection on various platforms - SSP changes to the prologue and epilogue - Lab – Effects of stack smashing protection - Runtime protections - Runtime instrumentation - Address Space Layout Randomization (ASLR) - ASLR on various platforms - Lab – Effects of ASLR - Circumventing ASLR – NOP sleds - Circumventing ASLR – memory leakage - Non-executable memory areas - The NX bit - Write XOR Execute (W^X) - NX on various platforms - Lab – Effects of NX - NX circumvention – Code reuse attacks - Return-to-libc / arc injection - Return Oriented Programming (ROP) - Protection against ROP - Case study – Systematic exploitation of a MediaTek buffer overflow Day 3 Common software security weaknesses - Security features - Authentication - Password management - Inbound password management - Storing account passwords - Password in transit - Lab – Is just hashing passwords enough? - Dictionary attacks and brute forcing - Salting - Adaptive hash functions for password storage - Password policy - NIST authenticator requirements for memorized secrets - Password database migration - Code quality - Code quality and security - Data handling - Type mismatch - Lab – Type mismatch (exploring with Copilot) - Initialization and cleanup - Constructors and destructors - Initialization of static objects - Lab – Initialization cycles (exploring with Copilot) - Unreleased resource - Array disposal in C++ - Lab – Mixing delete and delete[] (exploring with Copilot) - Object oriented programming pitfalls - Accessibility modifiers - Are accessibility modifiers a security feature? - Inheritance and object slicing - Implementing the copy operator - The copy operator and mutability - Mutability - Mutable predicate function objects - Lab – Mutable predicate function object Using vulnerable components - Security of AI generated code - Practical attacks against code generation tools - Dependency hallucination via generative AI - Case study – A history of GitHub Copilot weaknesses (up to mid 2024) [/list]- Coding responsibly with GenAI - Memory management vulnerabilities - Memory management hardening - Common software security weaknesses - Using vulnerable components - Wrap up3 jours2250.002250.002250.002250.002250.00