Posted: Sat Oct 01, 2005 3:02 am. Post subject: Book Review - Exploiting Software - How To Break Code
Exploiting Software - How To Break Code
Author(s): Greg Hoglund, Gary McGraw
Publisher: Addison-Wesley http://www.awprofessional.com
Date Published: August 2004
Book Specifications: Softcover, 471 pages
Publisher's Suggested User Level: Not Rated
Reviewer's Recommended User Level: Intermediate/Advanced
Suggested Publisher Price: $49.99 US / $71.99 CDN
Blurb from back cover:
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
Exploiting Software is loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out. This must-have book may shock you - and it will certainly educate you.
Some may think that this book contributes more to the problem than to the solution; that it educates people in how to break software systems, and more people will do that than use the knowledge to create better, more secure systems. Of course, there is that risk with books such as this one, but there is also the necessity to educate those of us on the right side of the lines. We need to learn how attackers think when breaking software, in order to write our own software which protects against those attacks.
Exploiting Software attempts to educate the good guys in the hope that they will be able to create better software as a result.
Chapter Synopsis & Review Comments
Chapter 1 of this book illustrates the abundance of poorly written software. Many examples are provided, showing how even critical systems are affected by bugs which can lead to malfunction or attack.
Leading on from the tour of badly written software, chapter 2 looks at attack patterns: the mechanisms by which attackers exploit software bugs.
In chapter 3, reverse engineering is introduced. This is a legal grey area, and little discussion of the rights and wrongs of reverse engineering is provided here, allowing for a more complete and comprehensive technical discussion of the topic. As I comment about later in a more general sense, the book contains large code listings inline with the text. This chapter is a particular hot spot for such listings, which serve to distract the reader from the topic of discussion; by the time they have read and comprehended the listing they forget why they were looking at it in the first place. More comments on this are given later in the review.
Chapter 4 looks at exploiting server software, while chapter 5 covers client software. These chapters present attack patterns in real-world software and look at the generic methods for finding and exploiting bugs in such software.
Chapter 6 covers the art of crafting malicious input. The authors look at bypassing intrusion detection and input filtering, tracing code, making equivalent requests using metacharacters, Unicode, UTF-8 and URL Encoding, and audit poisoning.
In chapter 7, the reader is thrown in at the deep end of the pool, with coverage of buffer overflows, the most used exploit in software security. This is a long chapter which covers buffer overflows in detail, looking at several systems and programming languages, as well as illustrating payloads which work on multiple platforms.
Chapter 8 ends the book with a discussion of rootkits, and the techniques used by them. This chapter is also fairly lengthy and informative, though it is mostly Windows-based (see my comment in the Style and Detail section).
Style and Detail
With this book, there are three things which, after reading, came to my attention. I shall treat them in the order in which I realised this.
First and foremost, there are large code listings in the chapters, inline with the text. This is not, in itself, a bad thing, but it does disrupt the flow of the chapter. By the time you have read the code listings and understood them, you're not entirely sure what the link between the paragraphs of text either side of the listing actually was. Many books move long code listings into an appendix, or at the end of a chapter. This allows the discussion of the code to continue uninterrupted, whilst still allowing the reader to refer to the code should they wish to.
Secondly, the book is decidedly Windows oriented. There is some discussion of UNIX and Linux systems, and of non-x86 architectures, though this is limited, and often it feels like the authors have added it as an afterthought or stuck it in a corner "out of the way". This book is written primarily for Windows users, although the general principles presented work equally well for users of any platform, and as such the book is still a useful introduction to the concepts of exploiting software.
Finally, the third thing I noticed about this book is the authors' tendency to overuse certain words. I found myself thinking repeatedly of the word 'esoteric' after reading this book. Upon looking back, I found that this word is used in almost every chapter, and even twice on one page! Whilst this is a minor issue, it was repeated often enough that the word stuck at the front of my mind and became integrated into my normal vocabulary for several days! Perhaps some variation when using the less common words of the English language would help here!
In terms of technical content, this book is infallible, provided you are a Windows user. The lack of discussion of Linux and other systems is a barrier to this book receiving a high rating, but the content is still valid in a generic, templated sense. The rating for this book has therefore been chosen accordingly.
This book receives an honored SFDC Rating of 7/10.
Keywords: exploit, software, buffer, overflow, rootkit
This review is copyright 2005 by the author, Andrew J. Bennieston, and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.