Exploiting Software — How to Break Code

Exploiting Software Exploiting Software, How to Break Code. ISBN: 0201786958
by Greg Hoglund and Gary McGraw.

I’ve now read through this book, and my impression of it is mixed. The book coverered lots of new stuff for me, but I’m not entirely satisfied with the way it did that.

The book (obviously) tries to cover software exploits, and it tries to do it in great detail, using lots of code listings showing both C and assembly code. The idea of explaining how real world exploits work by referring to C and assembly code it good — I’ve seen too many books which just talks about buffer overflows in theory.

But I doubt the usefulness of many of the code listings. Several of them run over multiple pages, listing entire programs which would have had a better place on a CDROM or just online. There’s no need to include so many pages of code in a book, especially when the code is listed completely bare: typeset in Courier with no bold, italic or any other syntax highlight.

Also, a good deal of the code describes plugins and other things for the IDA Pro Disassembler, which is used throughout the book in the examples. Again, the attempt to go into detail is good, but the book shouldn’t be so focused on this one tool, IMHO.

Another way in which this book is narrow-minded is the small selection of other works referenced. The bibliography in the book is very thin: three pages with just 31 cited works. Through-out the book one finds references to “Securing Java” and “Building Secure Software” — two books by the same authors. The first couple of times one sees a reference to these books it’s okay, but in the end I was wondering if I should have bought one of those books instead, since this books keeps referring to them…

Maybe those books wouldn’t waste so much paper on screenshots? This books has lots of screenshots showing “interesting” snapshots from an attack. Such a snapshot could be a standard Windows command shell, or an xterm showing the output of uname -a and id… And it’s not only the many screenshots that take up space: at one point there’s a dependency list of 161 function names from seven DLLs with one name per line, running over more than four pages. The text then concludes that this list is interesting because it shows what scrrun.dll might be able to do on behalf of a script! One doesn’t have to fill four pages with names to say that scrrun.dll (or whatever DLLs you’re analyzing) is a valuable target.

So all in all I suggest that people take a good look at this book before buying it. I would say that it requires a solid understanding of assembly code to be really useful, and experience with the IDA Pro tool is also a good idea. I have neither, and perhaps that was why I didn’t find this book that good? Please comment if you have read it!

One Comment

  1. Martin Geisler:

    Looking at the ads served by Google I currently see two of them advertising a telnet server… Before you buy one of those, then please be note that telnet is an obsolete protocol where your password is sent in clear text over the wire: it’s trivial to sniff your password then.

    I recommend using something like [SSH][] instead.

Leave a comment