Rating:  Summary: Essential reading for all programmers Review: "Exploiting Software" is a provocative and revealing book from two leading security experts and world class software exploiters. It enters the mind of the cleverest and wickedest crackers and shows you how they think. This book illustrates general principles for breaking software, and provides readers with a whirlwind tour of techniques for finding and exploiting software vulnerabilities, along with detailed examples from real software exploits. Exploiting Software is essential reading for anyone responsible for placing software in a hostile environment -- that is, everyone who writes or installs programs that run on the Internet.
Rating:  Summary: Worth a look. Review: "In some sense, a knowledgeable hardware hacker is one of the most powerful people in the world today." (p9)
This quote may be either alarming or inspiring, depending on your viewpoint. This ambiguity pervades the book, which also suffers from its uncertainty of purpose. As a review of the most common software exploits it succeeds, and is streets ahead of those cubical 'computer security' tomes. But the reader with some background in software engineering will be left hungry for greater detail. (This goes some way to explain the mixed reviews it has received.)
Publishers often insist that an author of a technical work cut it back severely to fit the format that their marketing people believe will sell. This may have happened here and would explain the often disjointed nature of the narrative.
A book of this nature will, of course, provide some skills upgrading for the systems cracker as well as informing the system administrator, but that is unavoidable. "Security by obscurity" works quite well in some fields (military security, for example) but not on the Internet.
With all these shortcomings, it is still worth reading for the breadth of ideas you will be introduced to. The potential scale of software vulnerability will be revealed, and you will get a quick view of the most common exploits, with some in-depth reviews of buffer overflows and rootkits. Along the way you will review server and client vulnerabilities, how targets may be assessed and penetrated, and how reverse engineering is carried out.
Topics include:
attack patterns
tour of an exploit
how attacks are implemented
reverse engineering
fault injection
finding vulnerabilities
writing plugins for IDA and other cracking tools
exploiting server software
input path tracing
exploiting trust in systems
exploiting client software
in-band signals
cross-site scripting
crafting malicious input
audit poisoning
buffer overflows (in detail)
rootkits (in detail)
The book is not an in-depth training guide to these areas but provides some much needed background. Well worth the read.
Rating:  Summary: Less than meets the eye Review: "Exploiting Software" purports to be a book aimed at helping software professionals understand the security risks they face; it uses the pedagogical device of teaching how software can be attacked to achieve the goal of explaining how secure software should be built. Unfortunately, I think it fails both as a guide to building secure software and as a guide to being a black hat hacker. Most of "Exploiting Software" reads more like a book proposal than a completed work: too detailed in places (do we really need a dozen pages on writing plugins for the IDA Pro Disassembler?), not detailed enough in others, and generally not well organized. Far too often, the reader is simply told that an exploit exists, and is then directed to the original source for details. Worse, the original sources are often white papers, personal web sites, and conference proceedings -- things that are either hard to obtain, unlikely to be available for long, or both. As a result, the reader learns nothing. The preface to "Exploiting Software" explains that this is a companion volume to "Building Secure Software," written by the same Gary McGraw with another co-author, and this helps to explain the main failings of this book. I must admit that the last two chapters, "Buffer overflow" and "Rootkits", are better than the rest; they provide plenty of concrete details. But two chapters aren't enough to vindicate this fairly shallow work. For my money, I expect a book that can stand on its own.
Rating:  Summary: Quite disappointing Review: 'Exploiting Software' is a quite disappointing book. It is not well organized and repeats itself very often, there's no thread and the authors always lose themselves in trivial things. Whenever it started to get interesting the book stopped short of going into details. The only slightly sophisticated chapters are the ones at the end, about buffer overflows and the XP rootkit. I found that often code fragments are insufficiently described or not explained at all. This is a no-no in writing software, and it is all the more when writing a book about software (I can easily download some code and then wade through the code myself, what's the added value of the book?). On the other hand, simple tasks like appending a line to a Unix text file are explained exhaustively. Or, the book contains several pages about a code to display sampled data graphically. Why would I want to read this in a book about software exploits? Overall, the book fails in the most important aspect: to bear the reader in mind. It seems that the authors just wanted to write a book, a thick book. Among the target audience mentioned in the book, i.e., programmers, consultants, managers etc. only programmers with absolutely no background in security may appreciate the book. Go check the book carefully if you think about buying it. I give it two out of five stars just because of the final two chapters.
Rating:  Summary: A Disturbing, Subversive Book Review: A disturbing, subversive book. And I mean this in a positive sense. Hoglund and McGraw explain the major ways in which software can be attacked. They describe how reverse engineering can be done, even if all you have is binary code to work on. Given a disassembler and a decompiler, and these exist for all the major platforms, you can systematically apply white box, black box and grey box analysis to deconstruct a program. They show how attacks can be done against servers, because nowadays on the net, servers are often tempting, fat targets. But from your standpoint, if you wish to defend against these attacks, you really need to be aware of the issues they raise. "Know the enemy". Plus, they also show how a server could attack, or be used to attack, unsuspecting clients that connect to it. Of course, buffer overflows are the most commonly known source of attacks. Thus an entire chapter is devoted to this. PHP users may not be thrilled to hear that it is fundamentally insecure. Its ease of learning and coding comes with this heavy price. Still, it is all the more reason that PHP users and sysadmins running web servers that use PHP, should be aware of the dangers in it. The book is not a trivial read. The authors give detailed examples at the level of the x86 assembler. A strong background in this and in C/C++ will give you the greatest benefit when studying the book.
Rating:  Summary: "Hacking Exposed" For Developers Review: After doing some homework to find IP addresses and TCP ports that might be open to attack and locating a target system, it is often a vulnerable application running on the target system which provides the door for an attacker to compromise a system.
Hacking Exposed and the whole genre of hacker technique and defense books provide a window for network and security administrators to peer into the world of the malicious hacker and understand how an attacker would go about finding weaknesses in their networks to exploit and attack. Using this information the network administrator can develop defenses to protect their environments from this sort of exploitation.
Exploiting Software is for software developers what Hacking Exposed is for network administrators. Greg Hoglund and Gary McGraw have written a book which explains in detail how a cracker might go about finding holes or breaking into software. They cover the tools and techniques commonly used and describe ways that a software developer can write better code to prevent these sorts of attacks.
I am not a software developer- just a dabbler in programming- but I still found the book engaging and educational. Should I ever delve deeper into software programming it is books like this one which will give me the knowledge to write code that is more secure from the get go.
Software developers should be required to read this book to fully understand their "enemy" and how to program to prevent their product from being exploited.
Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security (http://netsecurity.about.com), providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security (http://www.tonybradley.com).
Rating:  Summary: The Root of All Vulnerabilities Review: Chapter 1 - Software - The Root of the Problem
Software is indeed the root of the problem and this chapter makes that case and point. This chapter is a good introduction to software vulnerabilities (which make up all CERT advisories) and why this book is relevant.
Chapter 2 - Attack Patterns
This chapter provides an overview of types of attacks. It includes history of vulnerability types and predictions of future vulnerabilities.
Chapter 3 - Reverse Engineering and Program Understanding
This chapter begins with a good introduction to reverse engineering tools and techniques. It then zooms into writing plugins for the IDA disassembler along with batch analysis with IDA disassembler. It also discusses writing your own cracking tools.
Chapter 4 - Exploiting Server Software
This chapter provides an overview of techniques for exploiting any server software. It is filled with real examples and loads of fun. Many attack patterns are covered in various levels of detail. Numerous tools are highlighted for finding injection points.
Chapter 5 - Exploiting Client Software
The logic of exploiting client software is different than exploiting server software, so there's an extra chapter. Again the focus is on techniques to look for exploitable bugs.
Chapter 6 - Crafting (Malicious) Input
This chapter discusses many different methods for crafting input to locate bugs. Many tools and professional techniques are highlighted. I didn't know a lot of this stuff was out there.
Chapter 7 - Buffer Overflows
It starts with a high level overview of traditional buffer overflows, then some non-traditional buffer overflows are discussed. This chapter also covers format strings. One of the longer chapters in the book, it highlights a lot of problem areas.
Chapter 8 - Rootkits
One of the authors is the creator of the first rootkit for Windows, and he details some of his techniques here. Not only does he discuss rootkit techniques, but he also discusses techniques that apply to malware in general.
On the positive side: The writing is enjoyable, and the technical concepts are explained clearly. This is a good book for anyone interested in vulnerability research. I found chapters 4-6 to be the best. This book has a decent index. I've used it for reference a couple of times since I finished reading it which is always a measure of a worthwhile book.
On the downside, I have a few minor complaints: Some of the tools mentioned in the book were nowhere to be found. Many were named without references, and Google searches revealed little about them or how to find them. Another tool was supposed to be available at one of the authors' website, but I couldn't find it. The authors cover some material at a high level while other material is covered in depth without any apparent reason for the disparity.
A good book for those interested in vulnerability research and software security. I also suggest the sister book "Building Secure Software" to complement this one.
Rating:  Summary: Black hat - good book. Review: Chapter 1 - Software - The Root of the Problem
Software is indeed the root of the problem and this chapter makes that case and point. This chapter is a good introduction to software vulnerabilities (which make up all CERT advisories) and why this book is relevant.
Chapter 2 - Attack Patterns
This chapter provides an overview of types of attacks. It includes history of vulnerability types and predictions of future vulnerabilities.
Chapter 3 - Reverse Engineering and Program Understanding
This chapter begins with a good introduction to reverse engineering tools and techniques. It then zooms into writing plugins for the IDA disassembler along with batch analysis with IDA disassembler. It also discusses writing your own cracking tools.
Chapter 4 - Exploiting Server Software
This chapter provides an overview of techniques for exploiting any server software. It is filled with real examples and loads of fun. Many attack patterns are covered in various levels of detail. Numerous tools are highlighted for finding injection points.
Chapter 5 - Exploiting Client Software
The logic of exploiting client software is different than exploiting server software, so there's an extra chapter. Again the focus is on techniques to look for exploitable bugs.
Chapter 6 - Crafting (Malicious) Input
This chapter discusses many different methods for crafting input to locate bugs. Many tools and professional techniques are highlighted. I didn't know a lot of this stuff was out there.
Chapter 7 - Buffer Overflows
It starts with a high level overview of traditional buffer overflows, then some non-traditional buffer overflows are discussed. This chapter also covers format strings. One of the longer chapters in the book, it highlights a lot of problem areas.
Chapter 8 - Rootkits
Alas, one of the authors is the creator of the first rootkit for Windows, and he details some of his techniques here. Not only does he discuss rootkit techniques, but he also discusses techniques that apply to malware in general.
In summary, I rate this book 4 stars. It's certainly enjoyable and pretty easy to read despite its technical nature. The authors sprinkle There's a lot of useful information in here to shed some light on how vulnerability researchers do what they do. Chapters 4-6 were very, very good. This book has a pretty useful index. I've used it for reference a couple of times since I finished reading it which is always a measure of a worthwhile book. There's not a lot written about some of the contents of this book, and this work is definitely needed and relevant.
On the downside, I have some minor complaints. Some of the tools mentioned in the book were nowhere to be found. Some were named without references, and Google searches revealed little about them or how to find them. Another tool was supposed to be available at one of the authors' website, but I couldn't find it. The authors seem to cover some things at a very high level, and really get into the depth on some others. There's not always an apparent reason for this, and I don't think their approach was as consistent as it could have been. Chapter 3 started out great, but I lost during the heavy focus on IDA Pro.
I can see no reason that one interested in this subject matter wouldn't pick up this book. The price is right and it covers material in a provoking way that many of us may not be exposed to otherwise. I also suggest the sister book "Building Secure Software"; the one with the white hat on the cover. The two books complement each other well, introducing both sides of the coin in some detail.
Rating:  Summary: Learn how the bad guys think Review: For many years the "white hats" (good guys) have tried to guess how the black hats think, and how they find problems with software. That's as true with software as it is with other disciplines, where police study criminals, and military strategists learn about their enemy's tactics. Those of us in the information security field need to study our criminals and enemies, so we can tell the difference between pop guns and weapons of mass destruction. I enjoyed this book because it helped me understand how the bad guys think, and how they find the flaws that we constantly read about (and suffer from). The authors explain not only how hackers attack servers, but also how malicious server operators can attack clients (and how each can protect themselves from the other). I'd highly recommend it as a companion to Ross Anderson's "Security Engineering": Anderson's book provides the broad view of security, and this book provides the deep analysis of software security. An excellent book for practicing security engineers, and an ideal textbook for an undergraduate class in software security.
Rating:  Summary: Read It and Weep Review: Hoglund and McGraw is an amazing book. It's well written, comprehensive and full of detailed, up-to-date methodologies for messing with all kinds of code. It's a shame the black hats can buy this book. However, since they can, every white hat should make a point of reading it to understand how subtle attacks can be and what kinds of tools are out there to help develop exploits. Reading it will make you weep about the current state of operational code vulnerability!!!