(ভিত্তি: roadmap.sh/cyber-security থেকে অনুপ্রাণিত — কিন্তু C-ফোকাসড, defensive + offensive ভারসাম্য। GitHub-ready Markdown.)
এই রোডম্যাথটি C প্রোগ্রামিং থেকে শুরু করে একজন Security Engineer হিসেবে A→Z দক্ষতা অর্জনের জন্য ডিজাইন করা। ফোকাস: defensive security (secure coding, hardening, auditing) এবং offensive security (vuln analysis, exploit research)। প্রতিটি ধাপ practical: কোড লেখা, ডিবাগ, অডিট এবং lab experiments।
- প্রগ্রেশন: Beginner → Intermediate → Advanced → Expert
- প্রতি স্টেপে: প্রজেক্ট/রিসোর্স, টূলস, অভ্যাস, measurable milestone (portfolio-ready)
- স্ট্র্যাটেজি: Read real codebases, reproduce পুরনো CVE, debug (gdb/valgrind/ASan), Harden (ASLR/DEP/seccomp)
- Ethics: lab-only (VM/Docker) এবং responsible disclosure মানো।
- Suggested flow: ধাপে ধাপে এগো, তবে CTF এবং fuzzing parallel রেখে চর্চা চালাও।
Description:
C syntax, pointers, memory model, undefined behavior (UB), unsafe APIs (gets, strcpy) এবং তাদের safe বিকল্প; buffer overflow, pointer misuse, memory leaks বোঝা ও প্রতিরোধ।
Purpose: C-এর core vulnerabilities বোঝা — input validation ও basic mitigation-এর উপর ভিত্তি তৈরি।
Focus projects / resources:
- stb single-file libs
- OWASP Benchmark (C test cases, CWE-121/122)
- GNU coreutils (relevant parts)
Tools:
gcc/clang- AddressSanitizer (ASan)
- UBSan
valgrindclang-tidymake/cmake
Practice:
- ছোট C প্রোগ্রাম লিখে ASan/UBSan দিয়ে পরীক্ষা করো।
- ৫টি common vuln-বিনারি reproduce করো।
Milestone:
- ১০টি unsafe function-এর safe wrappers + tests (GitHub repo)
Description: বড় কোডবেস নেভিগেট, Make/CMake mastery, debugger (gdb / lldb) ব্যবহার; unit tests যোগ করে রিফ্যাক্টর।
Purpose: Real-world debugging → vulnerabilities reproduce ও fix করার দক্ষতা অর্জন।
Focus projects / resources:
- simplified GNU coreutils tools
- OWASP C cases
Tools:
gdblldbstraceltracecscope/ctagsclangd/ccls- libcheck / Criterion (unit test frameworks)
Practice:
- breakpoints ও step-through দিয়ে runtime analysis করো।
- একটি CLI-tool রিফ্যাক্টর করে unit tests যোগ করো।
Milestone:
- documented debugging walkthrough (reproduce → fix) with gdb logs & patch
Description:
malloc/free internals, heap layout, double free, use-after-free, race conditions; নিজের allocator তৈরি করে বোঝা।
Purpose: Heap corruption শনাক্ত ও mitigations প্রয়োগে পারদর্শী হওয়া।
Focus projects / resources:
- musl / glibc allocator parts
- Redis allocator behavior
Tools:
valgrind(memcheck)- Electric Fence
- GDB heap helpers
- ThreadSanitizer (TSan)
Practice:
- bump/free-list allocator লিখে bugs inject ও detect করো।
Milestone:
- custom allocator repo + heap-corruption demo/report (lab-only)
Description: sockets, HTTP parsing, TLS basics, malformed input handling; fuzzing malformed requests।
Purpose: Network-facing code harden করা—protocol parsing, DoS, injection ধরনের vulnerabilities কমানো।
Focus projects / resources:
- curl
- nginx modules
- simple HTTP server
Tools:
- Wireshark
tcpdumpsocat- OpenSSL CLI
- honggfuzz / afl-lite
Practice:
- একটি simple HTTP server লিখে fuzz করো; crashes থেকে report তৈরি করো।
Milestone:
- fuzzing report + input validation fixes (PR-style docs)
Description: Static tools দিয়ে vulnerabilities hunt; risky patterns শনাক্ত করা।
Purpose: কোড-রিভিউ ও proactive vulnerability detection করে deploy-এর আগে ফিক্স করা।
Focus projects / resources:
- curl / redis / nginx / libgit2 audit parts
Tools:
- clang static analyzer
- semgrep
- cppcheck
- radare2 (r2) for binaries
Practice:
- ১০টি risky pattern খুঁজে report করো (code snippet + impact)
Milestone:
- ২০ findings-এর formal audit report (risk classification)
Description: DEP/NX, ASLR, stack canaries, PIE, seccomp, capabilities; mitigations চালু/বন্ধ করে পরীক্ষা করা।
Purpose: Defense-in-depth বোঝা এবং attack surface কমানো।
Focus projects / resources:
- compiler/linker flags
- musl/glibc behavior
Tools:
readelf/objdump- ASLR experiment scripts
- seccomp examples
Practice:
- vulnerable app বানিয়ে mitigations apply করে compare করো।
Milestone:
- mitigation matrix + hardening checklist doc
Description:
printf/scanf internals, format string vulnerabilities, string parsing pitfalls; safe routines audit।
Purpose: Format string ও string-related vulnerabilities ধরতে ও রিমিডিয়েট করতে পারা।
Focus projects / resources:
- glibc / musl string impls
- libgit2 string audit
Tools:
- GDB
- ASan
- format-detection tools / static analyzers
Practice:
- format string vulnerability examples তৈরি করে exploit ও patch দেখাও।
Milestone:
- detection + remediation report for format bugs
Description: ROP concepts, stack control, gadget discovery; controlled vulnerable binaries-এ exploit লেখা (lab-only)।
Purpose: Offensive ধারণা থেকে defense improve করার জন্য বুঝে নেওয়া।
Focus projects / resources:
- ROP Emporium
- pwntools challenges
- vulnerable C binaries collections
Tools:
- pwntools
- ROPgadget
- radare2 / Ghidra
- QEMU
Practice:
- lab binary-এ gadget hunt করে controlled ROP chain বানাও।
Milestone:
- ROP writeup + demo scripts for detection/hardening
Description: OpenSSL internals, constant-time coding, common crypto mistakes; timing/side-channel পরীক্ষা।
Purpose: Confidentiality/integrity বজায় রাখতে secure crypto impl করা।
Focus projects / resources:
- OpenSSL case studies (Heartbleed)
- small TLS client/server projects
Tools:
- OpenSSL CLI
- valgrind
- ASan
- timing measurement tools
Practice:
- crypto routine লিখে timing tests করো; constant-time verification করো।
Milestone:
- crypto audit checklist + timing risk demo & fixes
Description: user↔kernel boundary, syscall reduction, seccomp profiles, kernel surface theory (drivers, syscalls)।
Purpose: OS-level protections দিয়ে privilege escalation ও kernel exploits কমানো।
Focus projects / resources:
- Linux kernel small subsystems (syscalls, drivers)
Tools:
- kernel source tree
straceperf- kcov
- QEMU usermode
Practice:
- seccomp sandbox তৈরি করে userland program harden করো।
Milestone:
- seccomp profile + reduced syscall report
Description: vulnerability lifecycle (discovery → patch → disclosure), binary diffing, CI/CD security integration।
Purpose: vulnerabilities দ্রুত patch করা, coordinated disclosure করা এবং supply-chain resilience নিশ্চিত করা।
Focus projects / resources:
- CVE patch workflows
- Metasploit module structure analysis (for learning)
Tools:
- git / patch workflows
- bindiff / radiff2
- CI systems (GitHub Actions, GitLab CI)
Practice:
- vuln patch তৈরি → test → mock PR → CI run করো
Milestone:
- full pipeline doc (vuln → patch → deploy)
Description: A→Z synthesis করে portfolio-ready বড় প্রজেক্ট।
Purpose: Job-ready proof of skills (audit reports + reproducible labs)।
Capstone ideas:
- Secure HTTP proxy (TLS, seccomp, fuzzed)
- Mini C vuln analyzer (semgrep rules + tests)
- Hardened allocator (benchmarks + mitigations)
Tools:
- gcc / clang
- fuzzers (honggfuzz, AFL, libFuzzer)
- CI / Docker labs
Practice:
- daily code + README + video demo + audit writeup
Milestone:
- polished repo + project summary for CV
A — ASLR / ASan / Auditing
B — Buffer overflow / Binary diffing
C — Crypto / Constant-time / Code review
D — Debugging / Dependency scanning / Disclosure
E — Exploit development / Electric Fence / E2E testing
F — Fuzzing / Format checks / File integrity monitoring (FIM)
G — GDB / Gadget hunt / Git patching
H — Heap analysis / Hardening / HSTS
I — Injection prevention / IDS / Input validation
J — JSON / XML parsing security / JIT considerations
K — Kernel surface / Kcov / KASLR
L — Logging / Least privilege / Libc audits
M — Mitigations matrix / Memory Tagging (MTE where available)
N — Network monitoring / Nmap / NSS / OpenSSL
O — OSINT / OWASP cases / OSS security lists
P — Privilege separation / PIE / Patching
Q — QEMU / Queryable telemetry / QoS limits
R — ROP / Radare2 / Runtime integrity checks
S — Seccomp / Sandboxing / Static analysis
T — Threat modeling / TSan / Timing attacks
U — Use-after-free detection / Unit tests / UX for security
V — Vulnerability scanning / Vulnerability disclosure platforms
W — Web request smuggling / Wireshark / WAF
X — eXploit chaining / eXecutable hardening
Y — Yield (race conditions) / YAML / serialization checks
Z — Zero-day study / ZAP (OWASP) / zlib edge cases
- Compile with recommended flags:
-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE - Enable ASLR on test hosts.
- Run ASan/UBSan in CI for debug builds.
- Add seccomp profile for networked binaries.
- Use safe libc wrappers / explicit bounds checks.
- Add unit + fuzz tests for parsers (JSON/HTTP/CLI).
- Audit third-party C libs with static analysis + fuzzing.
- CTF / Labs: TryHackMe, HackTheBox, pwnable.kr, ROP Emporium.
- Books: Hacking: The Art of Exploitation, The Shellcoder's Handbook.
- Tools to master:
gdb, radare2/Ghidra, pwntools,valgrind, ASan/TSan, honggfuzz/libFuzzer, Wireshark. - Communities: oss-security, r/netsec, local meetups, GitHub security repos.
- A→Z security দক্ষতা: auditing, exploits, hardening।
- Portfolio: 12+ repos, capstone project, documented lab reports।
- পরবর্তী ধাপ: job apply, conference talks, responsible disclosures।