Exploiting Software: How to Break Code [Paperback]

Greg Hoglund, Gary McGraw
4.4 out of 5 stars (19 customer reviews)

Product Description


Book Description

Praise for Exploiting Software

“Exploiting Software highlights the most critical part of the software quality problem. As it turns out, software quality problems are a major contributing factor to computer security problems. Increasingly, companies large and small depend on software to run their businesses every day. The current approach to software quality and security taken by software companies, system integrators, and internal development organizations is like driving a car on a rainy day with worn-out tires and no air bags. In both cases, the odds are that something bad is going to happen, and there is no protection for the occupant/owner. This book will help the reader understand how to make software quality part of the design—a key change from where we are today!”

         —Tony Scott
             Chief Technology Officer, IS&S
             General Motors Corporation

“It’s about time someone wrote a book to teach the good guys what the bad guys already know. As the computer security industry matures, books like Exploiting Software have a critical role to play.”

         —Bruce Schneier
             Chief Technology Officer
             Counterpane
             Author of Beyond Fear and Secrets and Lies

“Exploiting Software cuts to the heart of the computer security problem, showing why broken software presents a clear and present danger. Getting past the ‘worm of the day’ phenomenon requires that someone other than the bad guys understands how software is attacked. This book is a wake-up call for computer security.”

         —Elinor Mills Abreu
             Reuters’ correspondent

“Police investigators study how criminals think and act. Military strategists learn about the enemy’s tactics, as well as their weapons and personnel capabilities. Similarly, information security professionals need to study their criminals and enemies, so we can tell the difference between popguns and weapons of mass destruction. This book is a significant advance in helping the ‘white hats’ understand how the ‘black hats’ operate. Through extensive examples and ‘attack patterns,’ this book helps the reader understand how attackers analyze software and use the results of the analysis to attack systems. Hoglund and McGraw explain not only how hackers attack servers, but also how malicious server operators can attack clients (and how each can protect themselves from the other). An excellent book for practicing security engineers, and an ideal book for an undergraduate class in software security.”

         —Jeremy Epstein
             Director, Product Security & Performance
             webMethods, Inc.

“A provocative and revealing book from two leading security experts and world class software exploiters, Exploiting Software enters the mind of the cleverest and wickedest crackers and shows you how they think. It illustrates general principles for breaking software, and provides you a whirlwind tour of techniques for finding and exploiting software vulnerabilities, along with detailed examples from real software exploits. Exploiting Software is essential reading for anyone responsible for placing software in a hostile environment—that is, everyone who writes or installs programs that run on the Internet.”

         —Dave Evans, Ph.D.
             Associate Professor of Computer Science
             University of Virginia

“The root cause for most of today’s Internet hacker exploits and malicious software outbreaks are buggy software and faulty security software deployment. In Exploiting Software, Greg Hoglund and Gary McGraw help us in an interesting and provocative way to better defend ourselves against malicious hacker attacks on those software loopholes. The information in this book is an essential reference that needs to be understood, digested, and aggressively addressed by IT and information security professionals everywhere.”

         —Ken Cutler, CISSP, CISA
             Vice President, Curriculum Development & Professional Services,
             MIS Training Institute

“This book describes the threats to software in concrete, understandable, and frightening detail. It also discusses how to find these problems before the bad folks do. A valuable addition to every programmer’s and security person’s library!”

         —Matt Bishop, Ph.D.
             Professor of Computer Science
             University of California at Davis
             Author of Computer Security: Art and Science

“Whether we slept through software engineering classes or paid attention, those of us who build things remain responsible for achieving meaningful and measurable vulnerability reductions. If you can’t afford to stop all software manufacturing to teach your engineers how to build secure software from the ground up, you should at least increase awareness in your organization by demanding that they read Exploiting Software. This book clearly demonstrates what happens to broken software in the wild.”

         —Ron Moritz, CISSP
             Senior Vice President, Chief Security Strategist
             Computer Associates

“Exploiting Software is the most up-to-date technical treatment of software security I have seen. If you worry about software and application vulnerability, Exploiting Software is a must-read. This book gets at all the timely and important issues surrounding software security in a technical, but still highly readable and engaging, way. Hoglund and McGraw have done an excellent job of picking out the major ideas in software exploit and nicely organizing them to make sense of the software security jungle.”

         —George Cybenko, Ph.D.
             Dorothy and Walter Gramm Professor of Engineering, Dartmouth
             Founding Editor-in-Chief, IEEE Security and Privacy

“This is a seductive book. It starts with a simple story, telling about hacks and cracks. It draws you in with anecdotes, but builds from there. In a few chapters you find yourself deep in the intimate details of software security. It is the rare technical book that is a readable and enjoyable primer but has the substance to remain on your shelf as a reference. Wonderful stuff.”

         —Craig Miller, Ph.D.
             Chief Technology Officer for North America
             Dimension Data

“It’s hard to protect yourself if you don’t know what you’re up against. This book has the details you need to know about how attackers find software holes and exploit them—details that will help you secure your own systems.”

         —Ed Felten, Ph.D.
             Professor of Computer Science
             Princeton University

“If you worry about software and application vulnerability, Exploiting Software is a must-read. This book gets at all the timely and important issues surrounding software security in a technical, but still highly readable and engaging way.”
         —George Cybenko, Ph.D.
             Dorothy and Walter Gramm Professor of Engineering, Dartmouth
             Founding Editor-in-Chief, IEEE Security and Privacy Magazine

“Exploiting Software is the best treatment of any kind that I have seen on the topic of software vulnerabilities.”
         —From the Foreword by Aviel D. Rubin
     ...



Customer Reviews

19 Reviews
5 star: (12)
4 star: (4)
3 star: (1)
2 star: (2)
1 star: (0)

Most helpful customer reviews

5.0 out of 5 stars A book that all developers must read, Jun 7 2004
By Charles Ashbacher (Marion, Iowa United States) (TOP 1000 REVIEWER)
To be useful, software must respond to events in a predictable manner. The results can then be used as a window to the interior workings of the code, revealing some of the mechanisms of operations, which may be used to find ways to make it fail in a dangerous way. To some, the window is as clear as a six inch thick pane of lead, but to those with a high level of understanding it can be clear, or at the very least serve as a keyhole. This is an allusion to the old detective stories where someone looks through the keyhole to see what is behind the door. For these reasons, no software that interacts with humans can ever be considered completely secure, and human error in the development of the software can leave the equivalent of keyholes throughout the code.
This book is an explanation of many of the most frequently used attack strategies used by malicious entities to find security flaws in code and exploit them. Chapter two is a list of the most common patterns used in attacking code, and all types of programs, from applications to compilers to network software are examined. In chapter three, the fundamental steps of reverse engineering source code starting with the executable are described in detail. I have had students who work in industry who have argued vehemently that it is not possible to obtain source code from executable. I knew it was possible, but until I read this chapter, I had no idea it was so easy. If you are releasing your programs as executables created directly from the source code, the examples here will very quickly make you reconsider. Without a doubt, you will be convinced that you should perform some form of obfuscation of the source before compiling or perform some type of encryption.
Chapters four and five are how to exploit server and client software respectively. From the perspective of the server, every input should be considered suspect, and you cannot assume that any scripting code embedded in the file was run at the client. In many cases, assumptions like this can create problems. People embed hidden fields or Javascript in HTML files and assume that the inputs are then clean, forgetting that all such code is visible to a potential attacker. This is actually worse than nothing, because an attacker can look at the features and get a good idea about what it is you are afraid of receiving. Each chapter has a list of specific strategies that are used in attacks.
In chapter six, you get a very brutal lesson in the wisdom of filtering input and never forgetting that characters come in more than one form. Characters such as the slash and backslash are used in representing directory structures. Some code will filter them out, but fail to catch instances where they are sent in their numeric ASCII or Unicode form. One of the classic attempts to beat the filtering is to try the sequence "\/", in the hopes that the first will be considered an escape character, so that the slash can be embedded in a string. If that happens, then the slash could be used in a pathname. Many other possibilities exist to send code that is clearly malicious, but only if it is interpreted the proper way.
Chapter six is a complete tour of the most common security weakness found in software, the buffer overflow. It is the simplest problem to understand and one of the most difficult to remove. Every C programmer has had to find and repair a bug due to an off-by-one error, or some other overflow. And yet, despite all this experience, buffer overflows still are prevalent in commercial code. Most of the obvious ones have been removed, so only the very subtle ones remain. Some of these are very hard and very, very subtle. I was amazed in reading the section on format string vulnerabilities. While this bug has largely been repaired, the fact that something as apparently trivial as a format field specifier can be a security problem was a real eye opener.
The last chapter was an explanation of rootkits, the software that controls every aspect of the machine. It was also without question the scariest of all the chapters, because in this case, the malicious code could reside in the BIOS, and be largely immune to virus scanning tools. For the first time, we are talking about hardware viruses that can be spread from machine to machine. Some of the attacks are also very simple. Since flash memory can only be rewritten a certain number of times, a virus that simply rewrites it many times can render it worthless.
It has been some time since I have written commercial code; most of what I have written recently has been for training purposes. After reading this book, I have begun a crash program of writing code that demonstrates security flaws and have used it in my courses. If I ever go back to managing a coding team, no one will write a line of code before we cover this book in the finest possible detail. Without question it will be on my list of the best books of the year 2004.

Published in the online Journal of Object Technology, reprinted with permission.



4.0 out of 5 stars pretty good introduction to attack techniques, May 18 2004
By Joseph Adler (Mountain View, CA) (REAL NAME)
Like all other books on "how to hack," this one starts out with a history of computing back to the beginning of time, then jumps into advanced techniques requiring some pretty advanced knowledge of assembly code and network protocols. Why do all these books do this? They implicitly assume that their readers understand computer systems in later chapters, but still feel the need to go over basic material in early chapters.

Anyway, the content of this book is pretty good. How could you not like a book that includes the line "think of a server as a public restroom?"



2.0 out of 5 stars Quite disappointing, May 3 2004
By A Customer
'Exploiting Software' is a quite disappointing book. It is not well organized and repeats itself very often, there's no thread and the authors always lose themselves in trivial things. Whenever it started to get interesting the book stopped short of going into details. The only slightly sophisticated chapters are the ones at the end, about buffer overflows and the XP rootkit.

I found that often code fragments are insufficiently described or not explained at all. This is a no-no in writing software, and it is all the more when writing a book about software (I can easily download some code and then wade through the code myself, what's the added value of the book?). On the other hand, simple tasks like appending a line to a Unix text file are explained exhaustively. Or, the book contains several pages about a code to display sampled data graphically. Why would I want to read this in a book about software exploits?

Overall, the book fails in the most important aspect: to bear the reader in mind. It seems that the authors just wanted to write a book, a thick book. Among the target audience mentioned in the book, i.e., programmers, consultants, managers etc. only programmers with absolutely no background in security may appreciate the book.

Go check the book carefully if you think about buying it. I give it two out of five stars just because of the final two chapters.
