Common C Programming Mistakes: Buffer Overflows, Memory Bugs, and SEI CERT Coding Standards
Author: Arduino under the Hood
Uploaded: 2026-01-20
Views: 4
Links:
Exercises:
1. Unsafe printf: https://drive.google.com/drive/folder...
2. Buffer Overflow and GDB: https://drive.google.com/drive/folder...
3. DCL30-C (Declare Objects with Appropriate Storage Durations): https://drive.google.com/drive/folder...
Resources:
Buffer Overflow (stack_function_call_example.zip): https://drive.google.com/file/d/1OIQ9...
GDB:
Summary Instructions: https://drive.google.com/file/d/1HL7K...
Source: https://drive.google.com/file/d/1oTyh...
SEI CERT C Coding Standard: https://wiki.sei.cmu.edu/confluence/s...
SEI CERT C++ Coding Standard: https://wiki.sei.cmu.edu/confluence/s...
SEI CERT Wiki: https://wiki.sei.cmu.edu/confluence/
Examples:
DCL30-C: https://wiki.sei.cmu.edu/confluence/s...
EXP33-C: https://wiki.sei.cmu.edu/confluence/s...
EXP34-C: https://wiki.sei.cmu.edu/confluence/s...
EXP42-C: https://wiki.sei.cmu.edu/confluence/s...
STR31-C: https://wiki.sei.cmu.edu/confluence/s...
MEM30-C: https://wiki.sei.cmu.edu/confluence/s...
FIO47-C: https://wiki.sei.cmu.edu/confluence/s...
ENV33-C: https://wiki.sei.cmu.edu/confluence/s...
MSC30-C: https://wiki.sei.cmu.edu/confluence/s...
MSC32-C: https://wiki.sei.cmu.edu/confluence/s...
FLP30-C: https://wiki.sei.cmu.edu/confluence/s...
Randomness 101: LavaRand in Production: https://blog.cloudflare.com/randomnes...
This comprehensive tutorial covers the most dangerous and common mistakes in C programming, starting with the classic buffer overflow attack that has plagued systems since the Morris worm of 1988. You will learn exactly how buffer overflows work by examining the stack structure, understanding how function calls store parameters, return addresses, and local variables, and seeing how strcpy can overwrite critical memory locations when destination buffers are too small.
The video includes a hands-on demonstration using GDB (GNU Debugger) to inspect the stack in real-time, showing you how to set breakpoints, examine registers (esp, ebp, eip), view memory contents, and understand the relationship between the stack pointer and base pointer. You will learn practical mitigation techniques, including using safe functions like strncpy instead of strcpy, and how stack canaries can detect overflow attacks.
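The strncpy mitigation mentioned above has a catch that ties into STR31-C: strncpy writes no terminator when the source fills the whole bound. The following is an added example, not code from the video or its exercise files; the helper names copy_bounded and strncpy_leaves_unterminated are hypothetical, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy src (assumed to be a valid NUL-terminated string)
 * into dst without writing past dst_size bytes, always leaving a terminator.
 * Returns 0 if the whole string fit, -1 on truncation or invalid arguments. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* Copy at most dst_size - 1 bytes so the last byte stays reserved. */
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    /* Truncated if src held more characters than the buffer has room for. */
    return (strlen(src) >= dst_size) ? -1 : 0;
}

/* Demonstrates the pitfall: strncpy(dst, src, n) with strlen(src) >= n fills
 * all n bytes and writes no NUL. Returns 1 if the buffer ends up unterminated. */
int strncpy_leaves_unterminated(const char *src)
{
    char buf[8];
    memset(buf, 'X', sizeof buf);      /* constructed sentinel fill */
    strncpy(buf, src, sizeof buf);     /* bounded, but may not terminate */
    return memchr(buf, '\0', sizeof buf) == NULL;
}

int main(void)
{
    char name[8];
    const char *input = "AAAAAAAAAAAAAAAA";   /* constructed 16-character input */

    /* strcpy(name, input) would write 17 bytes into an 8-byte buffer. */
    int rc = copy_bounded(name, sizeof name, input);
    printf("copy_bounded rc=%d, stored \"%s\" (%zu chars)\n",
           rc, name, strlen(name));
    printf("raw strncpy unterminated for 8-char input: %d\n",
           strncpy_leaves_unterminated("12345678"));
    return 0;
}
```

The return code lets the caller reject truncated input instead of silently working with a shortened string.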
The second half explores the SEI CERT C Coding Standard - a free resource documenting secure coding practices. Key rules covered include: DCL30-C (storage duration and dangling pointers), EXP33-C (uninitialized memory), EXP34-C (null pointer dereferencing), EXP42-C (comparing structs with padding), STR31-C (string buffer sizing and off-by-one errors), MEM30-C (accessing freed memory in linked lists), FIO47-C (format string vulnerabilities), ENV33-C (dangers of the system() call), MSC30-C (weak pseudorandom number generators), and FLP30-C (why floats should never be loop counters due to precision limitations). Each rule is illustrated with buggy code examples and their proper fixes.
#CyberSecurity #GDB #SecureCoding
Chapters
0:00 Introduction
1:08 Buffer Overflow
12:20 Demo Buffer Overflow and GDB
33:55 SEI CERT C/C++ Coding Standard
36:06 DCL30-C (Declare Objects with Appropriate Storage Durations)
41:00 EXP33-C (Do not read uninitialized Memory)
43:40 EXP34-C (Do not dereference NULL Pointers)
47:21 EXP42-C (Do not compare padding Data, packed structs)
58:06 STR31-C (Guarantee that Storage for Strings has sufficient Space for Characters and the NULL Terminator)
59:44 MEM30-C (Do not access freed Memory)
1:02:40 FIO47-C (Use valid Format Strings)
1:03:41 ENV33-C (Do not call system())
1:06:08 MSC30-C/MSC32-C (Pseudorandom Number Generators)
1:09:54 FLP30-C (Do not use Floating-Point Variables as Loop Counters, Floating Point Numbers in a Computer)
1:16:17 Summary and What's next?