Customer Reviews

Exploiting Software: How to Break Code

5 star:		(12)
4 star:		(4)
3 star:		(1)
2 star:		(2)
1 star:		(0)

 

 

To be useful, software must respond to events in a predictable manner. The results can then be used as a window to the interior workings of the code, revealing some of the mechanisms of operations, which may be used to find ways to make it fail in a dangerous way. To some, the window is as clear as a six inch thick pane of lead, but to those with a high level of understanding it can be clear, or at the very least serve as a keyhole. This is an allusion to the old detective stories where someone looks through the keyhole to see what is behind the door. For these reasons, no software that interacts with humans can ever be considered completely secure, and human error in the development of the software can leave the equivalent of keyholes throughout the code.
This book is an explanation of many of the most frequently used attack strategies used by malicious entities to find security flaws in code and exploit them. Chapter two is a list of the most common patterns used in attacking code, and all types of programs, from applications to compilers to network software are examined. In chapter three, the fundamental steps of reverse engineering source code starting with the executable are described in detail. I have had students who work in industry who have argued vehemently that it is not possible to obtain source code from executable. I knew it was possible, but until I read this chapter, I had no idea it was so easy. If you are releasing your programs as executables created directly from the source code, the examples here will very quickly make you reconsider. Without a doubt, you will be convinced that you should perform some form of obfuscation of the source before compiling or perform some type of encryption.
Chapters four and five are how to exploit server and client software respectively. From the perspective of the server, every input should be considered suspect, and you cannot assume that any scripting code embedded in the file was run at the client. In many cases, assumptions like this can create problems. People embed hidden fields or Javascript in HTML files and assume that the inputs are then clean, forgetting that all such code is visible to a potential attacker. This is actually worse than nothing, because an attacker can look at the features and get a good idea about what it is you are afraid of receiving. Each chapter has a list of specific strategies that are used in attacks.
In chapter six, you get a very brutal lesson in the wisdom of filtering input and never forgetting that characters come in more than one form. Characters such as the slash and backslash are used in representing directory structures. Some code will filter them out, but fail to catch instances where they are sent in their numeric ASCII or Unicode form. One of the classic attempts to beat the filtering is to try the sequence "\/", in the hopes that the first will be considered an escape character, so that the slash can be embedded in a string. If that happens, then the slash could be used in a pathname. Many other possibilities exist to send code that is clearly malicious, but only if it is interpreted the proper way.
Chapter six is a complete tour of the most common security weakness found in software, the buffer overflow. It is the simplest problem to understand and one of the most difficult to remove. Every C programmer has had to find and repair a bug due to an off-by-one error, or some other overflow. And yet, despite all this experience, buffer overflows still are prevalent in commercial code. Most of the obvious ones have been removed, so only the very subtle ones remain. Some of these are very hard and very, very subtle. I was amazed in reading the section on format string vulnerabilities. While this bug has largely been repaired, the fact that something as apparently trivial as a format field specifier can be a security problem was a real eye opener.
The last chapter was an explanation of rootkits, the software that controls every aspect of the machine. It was also without question the scariest of all the chapters, because in this case, the malicious code could reside in the BIOS, and be largely immune to virus scanning tools. For the first time, we are talking about hardware viruses that can be spread from machine to machine. Some of the attacks are also very simple. Since flash memory can only be rewritten a certain number of times, a virus that simply rewrites it many times can render it worthless.
It has been some time since I have written commercial code, most of what I have written recently has been for training purposes. After reading this book, I have begun a crash program of writing code that demonstrates security flaws and have used it in my courses. If I ever go back to managing a coding team, no one will write a line of code before we cover this book in the finest possible detail. Without question it will be on my list of the best books of the year 2004.

Published in the online Journal of Object Technology, reprinted with permission.

Like all other books on "how to hack," this one starts out with a history of computing back to the beginning of time, then jumps into advanced techniques requiring some pretty advanced knowledge of assembly code and network protocols. Why do all these books do this? They implicitly assume that their readers understand computer systems in later chapters, but still feel the need to go over basic material in early chapters.

Anyway, the content of this book is pretty good. How could you not like a book that includes the line "think of a server as a public restroom?"

'Exploiting Software' is a quite disappointing book. It is not well organized and repeats itself very often, there's no thread and the authors always lose themselves in trivial things. Whenever it started to get interesting the book stopped short of going into details. The only slightly sophisticated chapters are the ones at the end, about buffer overflows and the XP rootkit.

I found that often code fragments are insufficiently described or not explained at all. This is a no-no in writing software, and it is all the more when writing a book about software (I can easily download some code and then wade through the code myself, what's the added value of the book?). On the other hand, simple tasks like appending a line to a Unix text file are explained exhaustively. Or, the book contains several pages about a code to display sampled data graphically. Why would I want to read this in a book about software exploits?

Overall, the book fails in the most important aspect: to bear the reader in mind. It seems that the authors just wanted to write a book, a thick book. Among the target audience mentioned in the book, i.e., programmers, consultants, managers etc. only programmers with absolutely no background in security may appreciate the book.

Go check the book carefully if you think about buying it. I give it two out of five stars just because of the final two chapters.

I admit it, I was expecting a lot of this book. I've seen one of the co-authors, hoglund, speak at various security conferences in the past, and he is one of the top minds in the industry. I was therefore very excited to find he was writing a book on "exploiting software".

That being said, I was led to believe that this book would actually teach me how to "exploit software" --- that is the title, isn't it? The first two chapters are kind of overview, talking about historical flaws in things like embedded processors, and then a lengthy tutorial on somewhat obscure topics, such as writing plugins for the popular belgian disassembler, IDA Pro. While this is all fine and dandy, at this point in the book you will start to read faster and think "when do I get to learn how to "exploit software", and write some friggen exploits?"

Well, I was hoping to find that content later in the book (obviously contributed by mr. hoglund), but all I found was some terse overviews on how these exploits are possible. NOT how to actually write them, or use them in practice. This is where I was letdown, and may I even say, misled by the marketing material for the book.

I do have to say, the final section on writing a windows xp rootkit does have some concrete examples, and is highly interesting and informative. But, it remains the only truly hands on and practical portion of the book. This book should have been titled, AND marketed as "The Theory of Software Exploitation + A Good Chapter On Rootkits".

"Exploiting Software" purports to be a book aimed at helping software
professionals understand the security risks they face; it uses the
pedagogical device of teaching how software can be attacked to
achieve the goal of explaining how secure software should be
built. Unfortunately, I think it fails both as a guide to building
secure software and as a guide to being a black hat hacker.

Most of "Exploiting Software" reads more like a book proposal than a
completed work: too detailed in places (do we really need a dozen
pages on writing plugins for the IDA Pro Disassembler?), not detailed
enough in others, and generally not well organized. Far too often, the
reader is simply told that an exploit exists, and is then directed to
the original source for details. Worse, the original sources are often
white papers, personal web sites, and conference proceedings -- things
that are either hard to obtain, unlikely to be available for long, or
both. As a result, the reader learns nothing.

The preface to "Exploiting Software" explains that this is a companion
volume to "Building Secure Software," written by the same Gary McGraw
with another co-author, and this helps to explain the main failings of
this book. I must admit that the last two chapters, "Buffer overflow"
and "Rootkits", are better than the rest; they provide plenty of
concrete details. But two chapters aren't enough to vindicate this
fairly shallow work. For my money, I expect a book that can stand on its
own.

Chapter 1 - Software - The Root of the Problem
Software is indeed the root of the problem and this chapter makes that case and point. This chapter is a good introduction to software vulnerabilities (which make up all CERT advisories) and why this book is relevant.

Chapter 2 - Attack Patterns
This chapter provides and overview of types of attacks. It includes history of vulnerability types and predictions of future vulnerabilities.

Chapter 3 - Reverse Engineering and Program Understanding
This chapter begins with a good introduction to reverse engineering tools and techniquies. It then zooms into writing plugins for the IDA disassembler along with batch analysis with IDA disassembler. It also discusses writing your own cracking tools.

Chapter 4 - Exploiting Server Software
This chapter provides and over view of techniques for exploiting any server software. It is filled with real examples and loads of fun. Many attack patterns are covered in various levels of detail. Numerous tools are highlighted for finding injection points.

Chapter 5 - Exploiting Client Software
The logic of exploiting client software is different than exploiting server software, so there's and extra chapter. Again the focus is on techniques to look for exploitable bugs.

Chapter 6 - Crafting (Malicious) Input
This chapter discusses many different methods for crafing input to locate bugs. Many tools and professional techniques are highlighted. I didn't know a lot of this stuff was out there.

Chapter 7 - Buffer Overflows
It starts with a high level overview of traditional buffer overflows, then some non tradiditional buffer overflows are discussed. This chapter also covers format strings. One of the longer chapters in the book, it highlighes a lot of problem areas.

Chapter 8 - Rootkits
Alas, one of the authors is the creator of the first rootkit for windows, and he details some of his techniques here. Not only does he discuss root kit techniques, but he also discusses techniques that apply to malware in general.

In summary, I rate this book 4 stars. It's certainly enjoyable and pretty easy to read despite it's technical nature. The authors sprinkle There's a lot of useful information in here to shed some light on how vulnerability researches do what they do. Chapters 4-6 were very, very good.

This book has a pretty useful index. I've used it for reference a couple of times since I finished reading it which is always a measure of a worthwhile book. There's not a lot written about some of the contents of this book, and this work is definitely needed and relevant.

On the downside, I have some minor complaints. Some of the tools mentioned in the book were no where to be found. Some were named without references, and Google searches revealed little about them or how to find them. Another tool was supposed to be available at one of the authors website, but I couldn't find it. The authors seem cover some things at a very high level, and really get into the depth on some others. There's not always an apparent reason for this, and I don't think their approach was as consistent could have been. Chapter 3 started out great, but I lost during the heavy focus on IDA pro.

I can see no reason that one interested in this subject matter wouldn't pick up this book. The price is right and it covers material in a provoking way that many of us may not be exposed to otherwise. I also suggest the sister book "Building Secure Software"; the one with the white hat on the cover. The two books compliment each other well introducing both sides of the coin in some detail.

Over the last couple years, I have read nearly every book on the subject of secure programming. In my opinion, this book clearly stands out from the rest as best in class. This book systematically and thoroughly covers the topic from the attacker's perspective, which is where any serious study of the subject should begin. Given the increasing integration and open access to systems, any serious software system from an operating system utility to a complex business application will experience many of these attacks in deployment - there is no hiding from these types of attacks behind a firewall. This book represents a great step in the right direction since one must understand an attacker's perspective and techniques before you can form an appropriate defense. This is definitely a pre-requisite to other books in the domain that focus on defensive coding techniques. This subject matter is crucial knowledge for anyone involved with software today and an interesting read for those who depend on and use information systems.

I concur with earlier reviews that this book makes an interesting cover-to-cover read due to the intriguing subject matter of hacking, cracking, and otherwise attacking information systems. Unlike Mitnick's 300+ page treatise describing how to get a password from a user (yawn), this book is a tour-de-force of attacks aimed directly at software itself. While the descriptions of each attack are straightforward and easy to comprehend, the reader gets an insight into the brilliance required to devise many of these attacks.

I have found it most useful as a reference guide for red-team testing and security review at design and coding time. If you are a development manager or a computer science instructor definitely give this a read. Then do a survey of your developers and students and see how many attack patterns they can identify - you will probably want to give a copy to each of them after you do! Enjoy.

Roger Thornton
CTO, Fortify Software Inc

Let me first say that I generally tend to be suspicious of a book that starts out with several pages of testimonials before it gets to the title page. But this book deserves it. It's written in a style that's as riveting as any suspense novel, while the material is as horrifying as Stephen King, and as useful as a roll of duct tape. This is a book for knowledgeable IT people who may still be arrogant enough to believe that "it can't happen to me." While many books work from the premise that hackers use back doors and other ways to enter into your system to do their damage, this book explains how it's your software, itself, that is really the weakest link in your security. It takes you through a brief history of some spectacular software failures. Then, it explains how hackers find the bad code that exists, with black, grey and white box techniques and then exploit the vulnerabilities they find.

We all know, there is plenty of bad code out there, for a variety of reasons that are explained quite well in this book. Given market pressures and other factors, there is every reason to believe that the situation isn't going to improve significantly any time soon. This book shows you real examples, albeit sometime code fragments of examples, of how to find and get into those "holes" in your software to do all kinds of damage. Some people will ask, "But why would we want to have a text book out there to teach people how to do this stuff?" The "bad-guys" know all this stuff, already. If you don't, how can you possibly expect to avoid falling victim to them? This is the information you need to fix what's wrong in software you are already using, and a glimpse into ways to help avoid problems in code that you write. This is a good book, I think we will see better, more complete and pragmatic books in the future that take you through shell code exploits and repairing the heap step by step, but until then what a fun read!

Yes, this is it! The book will rock the world of infosec! It is exclusive in so many different ways. Authors did write a bible of exploitation, conceptual, practical and very novel.

The book has great coverage of exploitation topics from basics onwards. Overall, it's an awesome book, perception changing and extremely enlightening (even if you are not into writing exploits for a living!). It is well written and easy to read (pretty much reads thru non-stop). Some items in the book might cause some controversy, which is undoubtfully good for marketing.

This is a very exciting book. Just about everything is unique: content, presentation, code, etc. Its not just up-to-date, its bleeding-edge, never-seen-in-public material. The book has nice organization and complex matters are presented well. I managed to enjoy even parts where I knew less than was needed to fully comprehend it. I especially liked the coverage of Windows rootkits and BIOS malware.

Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with a major security information management company. He is the author of the book "Security Warrior" (O'Reilly, 2004). His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, etc. In his spare time, he maintains his security portal info-secure.org

I suppose any book about how to hack software is going to be controversial, but think about it, unless you know what the holes in software are how are you supposed to fix them. Using the right framework isn't enough because every framework is going to have security issues. You actually need to understand what is going on and this is the true value of the book.

The coverage is not just at the bits and bytes level. The authors cover the theory of each exploit and then dig down into what happens at the processor and virtual machine level to complete the exploit. The problem that I find with the book is that it doesn't complete the cycle by bringing the reader back through the process to identify a robust fix for the hole.

I'm still giving the book four stars though because it does present the vulnerabilities in a qualified way, which makes for interesting read and for cool thought puzzles in how to fix the security problem, or to extend the attack method to other vulnerable areas.

For anyone tasked with securing a complex application, especially one that is connected to, or serving on, the Internet, you should read this book. Both to understand the scope of the security problems and to see how you can fix the vulnerabilities in your own code.