Byzantine Reality

Searching for Byzantine failures in the world around us

Exploiting Software

Now that finals are over I can FINALLY return to writing like I promised you all a billion times. With that in mind, let’s look at a book I picked up for my security class, Exploiting Software: How to Break Code, by Greg Hoglund and Gary McGraw. But does the book hold up to the badass name behind it?

Yes. Yes it does. To sum it up, this book is a very broad overview of a number of common security vulnerabilities and how to exploit them. The authors summarize each technique into an “Attack Pattern”, named after the classic Design Patterns book. Since they’re a lot shorter than the patterns in Design Patterns, they really end up being more like the entries in the also-classic Refactoring book: if you see this code, exploit it like this. It’s short and sweet and gets straight to the point. It’s done really well and consistently throughout the entire book, so if you get bored during a section you can just read the patterns until you get drawn back in again.

With a high-level technical book there’s another important question we should ask: is it better than Wikipedia? Definitely! I’ve been interested in knowing how format string attacks work but found Wikipedia strangely vague on the topic. In contrast, this book pulls through and gives a great explanation of what the bug is and how the attack is pulled off. This is just one example of many where the book shines where Wikipedia has yet to (although in time I’m sure it will as well).

The first half of the book is pretty introductory; it covers the motivation for the book as well as the main tools used. A lot of the book’s examples use the Interactive Disassembler (IDA Pro), which is certainly the best tool on the market today at what it does (although it’s sadly pretty expensive). There are tons of attack patterns and many real-world examples of why they’re relevant. The authors are pretty OS-agnostic, and everybody gets their fair share of security flaws.

The second half of the book is where it starts to get interesting. Now that you’ve got the basics underway, they talk about local exploits and work they’ve done in the past. The local exploits are well defined, but I think that The Shellcoder’s Handbook does a far superior job of describing them, since it gets to devote a chapter to each type of exploit (e.g., one chapter for stack overflows, one for heap overflows, one for shellcode, etc.). Whereas The Shellcoder’s Handbook gives you exercises to work through at home, this book shows you how each technique is done, walks through a few examples, and moves on. That’s fine, but it doesn’t leave you with the same hands-on result.

I’d say the end of the book is the best though. There’s an extensive discussion of how one of the authors engineered an exploit to overwrite two bytes of memory in a program and how that resulted in disabling all of Windows NT’s security features. Pretty awesome. They show you the vulnerable code and how they pull it off, and it’s a fun read. They also show you how to bypass common anti-black-hat tricks in a simple fashion and drive home a good point:

Automated protection won’t save a poorly written program from being exploited.

They also end up tempting you with the last chapter: Rootkits. I’ve known about them for a while but never really how they worked, and the book really shines here. There’s tons of code, and they go into a good amount of detail on what rootkits can do and how they do it. They presumably save the good stuff for Hoglund’s book of the same name (Rootkits: Subverting the Windows Kernel, written with James Butler), and this chapter really whets your appetite for it (at least it did for me).

So it’s a great high-level overview of the security world. If you need to end up doing stack overflows or other exploits, The Shellcoder’s Handbook may be a better choice, but I think this is still a great read. They’re very complementary books and do a great job of covering each other’s gaps, and while The Shellcoder’s Handbook really only covers local exploits, Exploiting Software covers remote exploits as well. Check it out if you’ve got some downtime and let me know if you enjoyed it as much as I did!

Also, since classes are over for now, I’ll take a little break from the million book reviews and ramble on about other stuff for a short while like we used to do. Enjoy!