Skip to main content

Vulnerabilities 1001: C-Family Software Implementation Vulnerabilities


About This Course

This is a dual-audience class. It is for both developers who want to learn how to write code without introducing new vulnerabilities (or how to detect existing vulnerabilities in their own code). But it's also a class for aspiring code auditors and freelance vulnerability hunters. And it's a prerequisite for eventually learning about vulnerability exploitation. So it's an epic battle between contentious developers and devious vulnerability hunters! Who will win?! Whoever most takes the lessons of this class to heart!

This class is structured in 5 main topic areas, corresponding to the vulnerability types we will cover: (linear) stack buffer overflows, (linear) heap buffer overflows, (non-linear) out-of-bound writes, integer overflows/underflows, and "other integer issues" (signed sanity checks, integer truncation, and sign extension.) For each topic area we explain at least 6 real vulnerabilities. And for at least one of those vulnerabilities we explain how it could be exploited, so that students can understand that exploitation engineering is just a typical engineering discipline, akin to a specialized form of software engineering. And thus even when vulnerabilities perhaps don't look exploitable, they still often are. At the end of each topic area, we cover prevention, detection, and mitigation options for dealing with that vulnerability type.

Real vulnerabilities covered in class

  1. (linear) Stack Buffer Overflows:
    1. CVE-2021-21574 "BIOS Disconnect" (Includes exploit walkthrough)
    2. CVE-2018-9312
    3. CVE-2018-9318
    4. CVE-2020-10005
    5. CVE-2021-43579
    6. CVE-2021-20294
    7. CVE-2022-0435
    8. CVE-Unknown Samsung Baseband
  2. (linear) Heap Buffer Overflows:
    1. CVE-2020-0917 (Includes exploit walkthrough)
    2. CVE-2019-7287
    3. CVE-2020-11901 #1 (Part of "Ripple20")
    4. CVE-2020-25111 (Part of "Amnesia:33")
    5. CVE-2020-27009 (Part of "NAME:WRECK")
    6. CVE-2021-21555
    7. CVE-2021-42739
  3. (non-linear) Out-of-Bounds Writes (OOB-W):
    1. CVE-2019-10540 (Includes exploit walkthrough)
    2. CVE-2020-0938 (Was a 0day)
    3. CVE-2020-1020 (Was a 0day)
    4. CVE-2020-13995
    5. CVE-2020-27930 (Was a 0day)
    6. CVE-2021-26675 "T-BONE"
    7. CVE-2021-28216
    8. CVE-2022-25636
  4. Integer Overflows/Underflows:
    1. CVE-2020-0796 "SMBGhost" (Includes exploit walkthrough)
    2. CVE-2019-5105
    3. CVE-2019-3568 (Was a 0day)
    4. CVE-2019-14192
    5. CVE-2020-11901 (Part of Ripple20)
    6. CVE-2020-16225
    7. CVE-2021-22636 (Part of "BadAlloc")
    8. CVE-2021-30860
  5. Other Integer Issues:
    1. CVE-2019-15948 (Includes exploit walkthrough)
    2. CVE-2019-14196
    3. CVE-2020-15999 (Was a 0day)
    4. CVE-2020-17087 (Was a 0day)
    5. CVE-2019-20561
    6. CVE-2021-33909 "Sequoia"

Learning Objectives
* Learn to recognize the common programming errors that lead to (linear) stack/heap buffer overflows, (non-linear) out-of-bound writes, integer overflows/underflows, and "other integer issues" (e.g. bypassing sanity checks due to signed comparisons, integer truncation, and signed integer extension errors.)
* Learn what options developers have in terms of prevention, detection, and mitigation for each vulnerability type.
* Showing examples of exploitation of a subset of the example vulnerabilities, that might otherwise seem unexploitable.

A non-goal of this class is to teach the student how to exploit the vulnerabilities themselves. That will be covered in a future Exploits 1001 class. (Therefore this class's job-applicability stops at "secure development" or "vulnerability auditor", and doesn't extend to "exploitation engineer".)
Another non-goal of this class is to cover design issues, which are more varied in their appearance and remediation guidance. This class is specifically about the most common implementation issues, which have been occuring for the last 30+ years and continue to occur today, despite some fairly straightforward guidance that can eliminate the majority of them.

This class is a prerequisite for the follow-on Vulnerabilities 1002 class, which will cover topic areas of uninitialized data access, race conditions, use-after-free, type confusion, and information disclosure.


This class has minimal prerequisites. It just requires that you are comfortable with reading small (< 100 line) C programs.

Frequently Asked Questions

What learning paths is this class used in?

Secure Development, Vulnerability Hunting and Exploitation, System Security

Does the instructor teach this class in person?

Xeno does, but only occasionally. Xeno's preferred in-person delivery method is a hybrid structure where we get everyone in the same room, and students proceed through the class at their own pace by watching videos. Xeno is then available in person and chat to answer questions immediately when they occur. This is called an "OST2 All-you-can-learn Buffet" (OST2-B) class. The next such class will be held at CanSecWest May 14-17th 2022. He only does "live-lecture" classes for companies that have sponsored OST2, if they insist that they want this anachronistic and arguably suboptimal delivery method.

To be or not to be?

That is the question...

Course Staff

Xeno's Twitter Pic!

Xeno Kovah

Xeno founded OpenSecurityTraining in 2011 to share his and others' trainings more widely. He relaunched OST2 in 2021.

Xeno's from Minnesota and has a BS in CS from UMN. He received a MS in computer security from Carnegie Mellon through the National Science Foundation "CyberCorps Scholarship for Service". But the US government didn't really yet know what to do with "cyber" people in 2007; so he ended up going to work for a Federally Funded Research and Development Center - MITRE. Xeno worked exclusively on internal-funded research projects, first as a participant and later as a leader on Windows kernel malware detection and trusted computing projects. Towards the end, other cool researchers inspired him to dig into BIOS and firmware level threats.

Xeno left MITRE to start an independent consultancy, LegbaCore, with Corey Kallenberg in 2015. Less than a year later, under mysterious circumstances that he's legally prevented from stating, he started working for Apple. While at Apple he helped get SecureBoot on Macs with the addition of the T2 chip. He also led the SecureBoot design and implementation project for the ARM-based M1 Macs. But between those big, visible, multi-year, projects, he was silently improving the security of a bunch of the 3rd party peripheral processors' hardware and firmware. He liked working at Apple because he had a bully pulpit where he could force 3rd parties to do the right thing or lose their business. But he likes OST better, so he left in 2020 to work on this full time.

Xeno has a touch of the illness known as being a "collector" (it's not quite to the level of being a "hoarder", so he can't get on TV for it or anything...) Consequently he has presented at IEEE S&P, ACM CCS, BlackHat USA/EUR, Defcon, CanSecWest, PacSec, Hack in the Box KUL/AMS/GSEC, Microsoft BlueHat, Shmoocon,, NoSuchCon, SummerCon, RSA, ToorCon, DeepSec, VirusBulletin, MIRCon, AusCERT, Trusted Infrastructure Workshop, NIST NICE Workshop, and the DOD Information Assurance Symposium. And yet he still says "MORE!"

Xeno's Twitter Pic!

Kc Udonsi

Kc (legal name: Kelechukwu) is Nigerian and based in Toronto ON, with a CS degree from U of T. His interest in cybersecurity began during his second year when a fellow student and veteran CTF player introduced him to the book “Hacking the Art of Exploitation” by Jon Ericson. During the summer of third year, Kc decided against summer school in favor of advancing independent studies in cybersecurity. It was finally time to read all the books, bookmarked blogs and URLs and videos relevant to the industry! It was at this time he joined DC416- the Defcon Toronto chapter and also discovered Xeno’s OpenSecurityTraining version 1, an invaluable source of information and video training. Kc considers himself an alumni of DC416 and OpenSecurityTraining.

Kc’s professional career began as a Security Engineer at TD Bank where he contributed to the design and building of a security testing platform for which a patent with application number 16/936,229 was filed. He then moved to TrendMicro to learn the art of vulnerability research. He’s credited with discovering CVEs affecting Adobe, Microsoft and Apache products and contributing to the Trend Micro ZDI blog. Kc currently leads the security research objective at Arctic Wolf

Kc loves learning and sharing what he has learned. Much of his growth in the industry has stemmed from following the guidance of folks who have willingly shared their knowledge. Kc began teaching at U of T; first as a TA for select 3rd & 4th year courses, then a club leader and a guest lecturer post-graduation. While the instruction format here is different and very much another learning opportunity, he is thrilled to guide you on the exciting journey of mastering C-family Software Implementation Vulnerabilities with Xeno!