Trail of Bits Blog
Master C and C++ with our new Testing Handbook chapter
A new chapter has been added to the Testing Handbook, providing a security checklist for C and C++ code. The chapter details common bugs, footguns, and API issues across multiple platforms. It is organized into sections for Linux, Windows, and seccomp, focusing on manual code review. An LLM-based tool is also in development, using the checklist for bug-finding prompts. Two challenges are included to test readers' review skills, with prizes for early correct submissions. The chapter covers a range of vulnerabilities, starting from language-level problems and moving to platform-specific issues. Linux sections address libc gotchas, while Windows sections focus on DLL planting and path traversal issues. The seccomp section addresses sandbox bypasses. The handbook will be continuously updated, and contributions are welcome. The challenges are to identify vulnerabilities in a simple ping program and a Windows driver. The authors emphasize that checklist-based review is a starting point for security, not a replacement for expertise.