the security professional's guide to programming - eric vanderburg
DESCRIPTION
The security professional's guide to programming - Eric VanderburgTRANSCRIPT
THE SECURITY PROFESSIONAL’S GUIDE TO PROGRAMMINGERIC VANDERBURG
2
OBJECTIVES• Explain basic programming concepts
• Write a simple C program
• Explain how Web pages are created with HTML
• Describe and create basic Perl programs
• Explain basic object-oriented programming concepts
3
INTRODUCTION TO COMPUTER PROGRAMMING
• Computer programmers must understand the rules of programming languages• Programmers deal with syntax errors
• One minor mistake and the program will not run• Or worse, it will produce unpredictable results
• Being a good programmer takes time and patience
4
COMPUTER PROGRAMMING FUNDAMENTALS
• Fundamental concepts• Branching, Looping, and Testing (BLT)• Documentation
5
BRANCHING, LOOPING, AND TESTING (BLT)
• Function
• Mini program within a main program that carries out a task
• Branching
• Takes you from one area of the program to another area
• Looping
• Act of performing a task over and over
• Testing
• Verifies some condition and returns true or false
6
BRANCHING, LOOPING, AND TESTING (BLT) (CONTINUED)
main()
{
int a = 1 /* Variable initialized as an integer, value 1 */
if (a > 2) /* Testing if "a" is greater than 2 */
printf("A is greater than 2");
else
GetOut(); /* Branching--calling a different function */
GetOut() /* Do something interesting here */
{
for(a=1; a<11; a++) /* Loop to print 10 times */
{
printf("I'm in the GetOut() function");
}
}
}
7
BRANCHING, LOOPING, AND TESTING (BLT)
• Algorithm
• Defines steps for performing a task
• Keep it as simple as possible
• Bug
• An error that causes unpredictable results
• Pseudocode
• English-like language used to create the structure of a program
8
DOCUMENTATION
• Documenting your work is essential
• Add comments to your programs
• Comments should explain what you are doing
• Many programmers find it time consuming and tedious
• Helps others understand your work
• Industry standard
• One bug for every 2000 lines of code
• Windows 2000 contains almost 50 million lines
• And fewer than 60,000 bugs
9
DOCUMENTATION (CONTINUED)
// The following function was added to the program June 15, 2005
// per a request from the Marketing Department.
// It appears that reports generated by the sales() function were
// not giving the Marketing folks information about the sales in
// Asia. This new function now uses data from text files from the
// offices in Tokyo and Hong Kong. – Bob C. Twins
10
LEARNING THE C LANGUAGE
• Developed by Dennis Ritchie at Bell Laboratories in 1972
• Powerful and concise language
• UNIX was first written in assembly language and later rewritten in C
• Assembly language
• Uses a combination of hexadecimal numbers and expressions
• C++
• An enhancement of the C language
11
LEARNING THE C LANGUAGE (CONTINUED)
• Compiler
• Converts a text-based program (source code) into executable or binary code
• Some C compilers can also create executable programs in C++
12
ANATOMY OF A C PROGRAM
• The first computer program a C student learns
/* The famous "Hello, world!" C program */
#include <stdio.h>
/* Load the standard IO library. The library contains functions
your C program might need to call to perform various tasks.
*/
main()
{
printf("Hello, world!\n\n");
}
13
ANATOMY OF A C PROGRAM (CONTINUED)
• Use /* and */ to comment large portions of text
• Use // for one-line comments
• #include statement
• Loads libraries that hold the commands and functions used in your program
• Parentheses in C mean you are dealing with functions
• main() function
• Every C program requires a main() function
14
ANATOMY OF A C PROGRAM (CONTINUED)
• Braces shows where a function begins and ends
• Functions can call other functions
• Parameters or arguments are optional
• \n represents a line feed
15
DECLARING VARIABLES
• A variable represents a numeric or string value
• You can declare variables at the beginning of a program
• You must declare a variable before using it
• C supports several variable types
• Conversion specifiers tells the compiler how to convert the values in a function
16
DECLARING VARIABLES (CONTINUED)
• Operators
• Compare values
• Perform mathematical calculations
• Types
• Mathematical operators
• Logical operators
17
BRANCHING, LOOPING, AND TESTING IN C• Branchingmain()
{prompt(); //Call function to prompt user with a question
display(); //Call function to display graphics on screen
calculate(); //Call function to do complicated math
cleanup(); //Call function to make all variables equal to
//zero
prompt()
{
[code for prompt() function goes here]
}
display()
{
[code for display() function goes here]
}
[etc.]
}
18
BRANCHING, LOOPING, AND TESTING IN C (CONTINUED)
• While loopmain()
{int counter = 1; //Initialize counter variablewhile (counter <= 10) //Do what's in the brackets until false{
printf("Counter is equal to %d\n", counter);++counter; //Increment counter by 1;
}
}
19
BRANCHING, LOOPING, AND TESTING IN C (CONTINUED)
• Do loopmain()
{int counter = 1; //Initialize counter variabledo{
printf("Counter is equal to %d\n", counter);++counter; //Increment counter by 1
} while (counter <= 10); //Do what's in the brackets until//false
}
• For loop
20
UNDERSTANDING HTML BASICS
• HTML is a language used to create Web pages
• HTML files are text files
• Security professionals often need to examine Web pages
• Be able to recognize when something looks suspicious
21
CREATING A WEB PAGE USING HTML• Create HTML Web page in Notepad
• View HTML Web page in a Web browser
• HTML does not use branching, looping, or testing
• HTML is a static formatting language
• Rather than a programming language
• < and > symbols denote HTML tags
• Each tag has a matching closing tag
• <HTML> and </HTML>
22
UNDERSTANDING PRACTICAL EXTRACTION AND REPORT LANGUAGE (PERL)
• PERL
• Powerful scripting language
• Used to write scripts and programs for security professionals
23
BACKGROUND ON PERL
• Developed by Larry Wall in 1987
• Can run on almost any platform
• *NIX-base OSs already have Perl installed
• Perl syntax is similar to C
• Hackers use Perl to write malware
• Security professionals use Perl to perform repetitive tasks and conduct security monitoring
24
UNDERSTANDING THE BASICS OF PERL
• perl –h command
• Gives you a list of parameters used with perl
• perldoc
• Displays the description of a perl scripting command
25
UNDERSTANDING THE BLT OF PERL
• Some syntax rules
• Keyword “sub” is used in front of function names
• Variables begin with the $ character
• Comment lines begin with the # character
• The & character indicates a function
26
BRANCHING IN PERL
# Perl program illustrating the branching function
# Documentation is important
# Initialize variables
$first_name = "Jimi";
$last_name = "Hendrix";
&name_best_guitarist;
sub name_best_guitarist
{
printf "%s %s %s", $first_name, $last_name, "was the best guitarist!";
}
27
LOOPING IN PERL
• For loop
for ($a = 1; $a <= 10; $a++)
{
print "Hello security testers!\n"
}
• While loop
$a = 1;
while ($a <=10)
{
print "Hello security testers!\n";
$a++
}
28
TESTING CONDITIONS IN PERL
if (($age > 12) && ($age < 20))
{
print "You must be a know-it-all!";
}
elsif ($age > 39)
{
print "You must lie about your age!";
}
else
{
print "To be young...";
}
29
TESTING CONDITIONS IN PERL (CONTINUED)
unless ($age == 100)
{
print "Still enough time to get a bachelor's degree.";
}
30
UNDERSTANDING OBJECT-ORIENTED PROGRAMMING CONCEPTS
• New programming paradigm
• There are several languages that support object-oriented programming
• C++
• C#
• Java
• Perl 6.0
• Object Cobol
31
COMPONENTS OF OBJECT-ORIENTED PROGRAMMING
• Classes
• Structures that hold pieces of data and functions
• The :: symbol
• Used to separate the name of a class from a member function
• Example:
• Employee::GetEmp()
32
COMPONENTS OF OBJECT-ORIENTED PROGRAMMING (CONTINUED)
// This is a class called Employee created in C++
class Employee
{
public:
char firstname[25];
char lastname[25];
char PlaceOfBirth[30];
[code continues]
};
void GetEmp()
{
// Perform tasks to get employee info
[program code goes here]
}
33
SUMMARY• Writing an algorithm and using pseudocode
• Good habits to adopt when writing computer programs
• Clear documentation of program code is essential
• C is one of the most popular programming languages
• BLT
• Branching
• Looping
• Testing
• Many C compilers available
• GNU GCC is an open-source compiler for Linux
34
SUMMARY (CONTINUED)• HTML
• Primary language used to create Web pages
• Perl and C programming languages
• Used to create most security tools and scripts
• Object-oriented programming
• Based on classes
• Structures containing both data and functions
• Win32 API
• Interface to the Windows operating system