The C and C++ programming languages have some serious shortcomings from the point of view of security. Certain kinds of bugs in these languages can have disastrous consequences. Stack- or heap-based buffer overruns, double frees, dangling pointers, race conditions and format-string-related vulnerabilities are typical examples of bugs that can make a C/C++ application vulnerable to extremely powerful attacks such as code injection. In a code injection attack, an attacker succeeds in running code of their choosing on the target machine. This talk will discuss the most important types of vulnerabilities, and will explain how these can be exploited.
Programmers must avoid these vulnerabilities by observing strict coding disciplines to compensate for the freedom offered by the language and execution environment. Recently, improvements to the compiler and run-time environment have aided in mitigating the risk. An overview of such recent infrastructural improvements is also presented.
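As an added illustration of the coding discipline the abstract refers to (not code from the talk itself), the following C snippet places a stack-based buffer overrun next to a length-checked copy; the buffer size, function names and sample inputs are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* hypothetical fixed-size field, including the NUL */

/* Vulnerable pattern: the copy is unbounded, so any name of NAME_MAX bytes
 * or more writes past the end of the stack buffer. Kept only for contrast;
 * the language accepts it silently, which is the shortcoming discussed. */
void greet_unsafe(const char *name) {
    char buf[NAME_MAX];
    strcpy(buf, name);
    printf("%s\n", buf);
}

/* Hardened pattern: measure first and fail closed when the input does not
 * fit. Note that strncpy would not help here: it drops the terminator when
 * the source is too long, trading an overrun for an unterminated string. */
int copy_name_checked(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len) return -1;   /* reject, don't truncate */
    memcpy(dst, src, n + 1);                        /* bounded copy incl. NUL */
    return 0;
}

void greet_safe(const char *name) {
    char buf[NAME_MAX];
    if (copy_name_checked(buf, sizeof buf, name) != 0) {
        fputs("name too long\n", stderr);
        return;
    }
    /* The format string is a constant; user data is only ever an argument,
     * which is the discipline that avoids format-string bugs as well. */
    printf("%s\n", buf);
}

int main(void) {
    greet_safe("Alice");                                   /* constructed input */
    greet_safe("a-name-that-is-far-too-long-for-the-buffer"); /* rejected */
    return 0;
}
```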