Exploiting Software : How to Break Code

That being said, I was led to believe that this book would actually teach me how to "exploit software" --- that is the title, isn't it? The first two chapters are kind of overview, talking about historical flaws in things like embedded processors, and then a lengthy tutorial on somewhat obscure topics, such as writing plugins for the popular belgian disassembler, IDA Pro. While this is all fine and dandy, at this point in the book you will start to read faster and think "when do I get to learn how to "exploit software", and write some friggen exploits?"

Well, I was hoping to find that content later in the book (obviously contributed by mr. hoglund), but all I found was some terse overviews on how these exploits are possible. NOT how to actually write them, or use them in practice. This is where I was letdown, and may I even say, misled by the marketing material for the book.

I do have to say, the final section on writing a windows xp rootkit does have some concrete examples, and is highly interesting and informative. But, it remains the only truly hands on and practical portion of the book. This book should have been titled, AND marketed as "The Theory of Software Exploitation + A Good Chapter On Rootkits".

Rating:
Summary: A true wake-up call for software producers
Review: I recently read a Wall Street Journal article that claimed a spate of recent viruses were a "wake-up call for the software industry." If viruses are a wake-up call, this book should be considered a 5-alarm fire! McGraw and Hoglund provide a focused, appropriately detailed and informative look at the side of security most software professionals have not ventured. As often is the case, however, people must first experience the negative before they put credence into the positive. This book is a valuable tool to help software developers better understand the techniques used by adversaries who threaten to misuse their work.

McGraw and Hoglund are clearly experts in their field. While they could have jumped right into the meat of their topic, I found the first chapters useful overviews that helped frame the material in the rest of the book. The follow-on chapters deliver as advertised, providing details on exploits that make use of vulnerabilities in the software. Most developers will recognize the creativity and dogged persistence these exploits take...and admit that the vulnerabilities exploited are not uncommon.

As other reviewers have written, I believe this is a must for every developer's bookshelf. Twenty years ago, it was inconceivable that business software could be attacked. Today, it is inconceivable that it won't be attacked. Software must be written to be inherently strong and able to withstand the onslaught. This book shows what that software is up against.

Rating:
Summary: Lots of how to break, not a lot of how to fix
Review: I suppose any book about how to hack software is going to be controversial, but think about it, unless you know what the holes in software are how are you supposed to fix them. Using the right framework isn't enough because every framework is going to have security issues. You actually need to understand what is going on and this is the true value of the book.

The coverage is not just at the bits and bytes level. The authors cover the theory of each exploit and then dig down into what happens at the processor and virtual machine level to complete the exploit. The problem that I find with the book is that it doesn't complete the cycle by bringing the reader back through the process to identify a robust fix for the hole.

I'm still giving the book four stars though because it does present the vulnerabilities in a qualified way, which makes for interesting read and for cool thought puzzles in how to fix the security problem, or to extend the attack method to other vulnerable areas.

For anyone tasked with securing a complex application, especially one that is connected to, or serving on, the Internet, you should read this book. Both to understand the scope of the security problems and to see how you can fix the vulnerabilities in your own code.

Rating:
Summary: Half of the story
Review: I'm an IT auditor (my main interest area is systems software). The premise of the book, that application security is now the key risk area for exploits is spot on. Exploits of applications can be devestating. This book describes basic attacks on application software; unfortunately the level of detail varies from example to example making it a little difficult to follow. It does provide valuable examples for those developing software of potentail problem areas and common faults. It is is also of potential value in planning penetration tests. There is no real coverage of secure coding practices and how to integrate security into the development process though. The book is worth getting but provides far from exhaustive coverage of code expoitation.

Rating:
Summary: super!!!
Review: If every developer read this book, and everyone @ MSFT, the software world would be a better place.

Rating:
Summary: If you want to understand how attackers attack - read this
Review: Let me first say that I generally tend to be suspicious of a book that starts out with several pages of testimonials before it gets to the title page. But this book deserves it. It's written in a style that's as riveting as any suspense novel, while the material is as horrifying as Stephen King, and as useful as a roll of duct tape. This is a book for knowledgeable IT people who may still be arrogant enough to believe that "it can't happen to me." While many books work from the premise that hackers use back doors and other ways to enter into your system to do their damage, this book explains how it's your software, itself, that is really the weakest link in your security. It takes you through a brief history of some spectacular software failures. Then, it explains how hackers find the bad code that exists, with black, grey and white box techniques and then exploit the vulnerabilities they find.

We all know, there is plenty of bad code out there, for a variety of reasons that are explained quite well in this book. Given market pressures and other factors, there is every reason to believe that the situation isn't going to improve significantly any time soon. This book shows you real examples, albeit sometime code fragments of examples, of how to find and get into those "holes" in your software to do all kinds of damage. Some people will ask, "But why would we want to have a text book out there to teach people how to do this stuff?" The "bad-guys" know all this stuff, already. If you don't, how can you possibly expect to avoid falling victim to them? This is the information you need to fix what's wrong in software you are already using, and a glimpse into ways to help avoid problems in code that you write. This is a good book, I think we will see better, more complete and pragmatic books in the future that take you through shell code exploits and repairing the heap step by step, but until then what a fun read!

Rating:
Summary: pretty good introduction to attack techniques
Review: Like all other books on "how to hack," this one starts out with a history of computing back to the beginning of time, then jumps into advanced techniques requiring some pretty advanced knowledge of assembly code and network protocols. Why do all these books do this? They implicitly assume that their readers understand computer systems in later chapters, but still feel the need to go over basic material in early chapters.

Anyway, the content of this book is pretty good. How could you not like a book that includes the line "think of a server as a public restroom?"

Rating:
Summary: Essential reading for developers and test/QA professionals
Review: Many readers and reviewers view this book as a security text, which it is. However, the main value in my opinion is to the software testing/QA community and to developers working in environments using either agile methods or Extreme Programming.

For the software testing and QA community the book is a ready-made manual for developing test cases, and also raises interesting thoughts about testing tools. For example, Chapter 8 (Rootkits) gives a list of techniques and tools that can be effectively used as testing tools as well as hacking tools. What better way to test software than to use the very methods and tools that the bad guys use?

Developers will find a plethora of common exposures and vulnerabilities that will need to be addressed in the software they develop. Moreover, much of the information in this book will provide guidance about what should be checked during unit and integration testing. As an aside, I also recommend that developers in any development environment read "Building Secure Software" (ISBN 020172152X), which nicely augments this book.

Of course, the security community's concerns are also address, especially in the first three chapters. In fact, if this book proves anything it's that security, development and QA need to work in concert in order to have a defensive, in-depth security posture.

If you are a developer or testing professional I highly recommend this book, and also recommend that you augment the information provided with two other books - "How to Break Software: A Practical Guide to Testing" (ISBN 0201796198), and "How to Break Software Security" (ISBN 0321194330).

Rating:
Summary: A must-have attack dictionary
Review: On today's security bookshelves, guides on securing applications through use of security features and pithy advice far outweigh books aiding readers in understanding how their software is actually attacked. This leaves software development and security professionals to wonder: How can attackers really exploit my software? How easy is it for them to do so? And how is it really done? Exploiting Software goes a long way towards leveling that playing field by addressing those questions.

As a security consultant, I see this book as being an essential purchase for both those developing software and those auditing or otherwise trying to secure it. Exploiting software presents a solid baseline coverage of the problems developers inadvertently introduce and explains how those problems become patterns of attack for attackers and security professionals like myself. The book presents each pattern with enough detailed explanation and aid for using unix/windows tools that the curious reader can explore the pattern of attack on their own systems from a destructive perspective. In doing so, readers are convinced of each pattern's viability and are free to explore its impact in their environment.

Exploiting software is a must-have attack dictionary for security professionals, especially those in organizations unaware of the threat attackers pose to their software--despite network and host controls. It provides a go-to resource to familiarize both security and development staff with the constituency of the attacker's toolkit.

While this book is a tremendous start on enumerating attack patterns, readers expecting a full treatment of attacks against Java's application servers and code targeting the .NET platform may be disappointed. Still, while these systems (and attacks against them) are becoming more popular, Exploiting Software is still relevant to these frameworks' virtual machines and their underlying OSes. Exploiting Software correctly left attacking these systems directly to subsequent work, but enables the skilled attacker to pull the table cloth out from under this middleware.

Like "Building Secure Software" and "Writing Secure Code" this book is an excellent foothold into reusable knowledge the reader's organization should be cataloging. And if your organization isn't using and expanding a catalogue of attacks to which its software is vulnerable--it's behind the 8 ball in developing and deploying secure software.

Rating:
Summary: A **must read** for any serious software engineer.
Review: Over the last couple years, I have read nearly every book on the subject of secure programming. In my opinion, this book clearly stands out from the rest as best in class. This book systematically and thoroughly covers the topic from the attacker's perspective, which is where any serious study of the subject should begin. Given the increasing integration and open access to systems, any serious software system from an operating system utility to a complex business application will experience many of these attacks in deployment - there is no hiding from these types of attacks behind a firewall. This book represents a great step in the right direction since one must understand an attacker's perspective and techniques before you can form an appropriate defense. This is definitely a pre-requisite to other books in the domain that focus on defensive coding techniques. This subject matter is crucial knowledge for anyone involved with software today and an interesting read for those who depend on and use information systems.

I concur with earlier reviews that this book makes an interesting cover-to-cover read due to the intriguing subject matter of hacking, cracking, and otherwise attacking information systems. Unlike Mitnick's 300+ page treatise describing how to get a password from a user (yawn), this book is a tour-de-force of attacks aimed directly at software itself. While the descriptions of each attack are straightforward and easy to comprehend, the reader gets an insight into the brilliance required to devise many of these attacks.

I have found it most useful as a reference guide for red-team testing and security review at design and coding time. If you are a development manager or a computer science instructor definitely give this a read. Then do a survey of your developers and students and see how many attack patterns they can identify - you will probably want to give a copy to each of them after you do! Enjoy.

Roger Thornton
CTO, Fortify Software Inc