IEEE Cipher

Reviewed by Robert Bruen; January 13, 2004

Exploiting Software: How to Break Code
by Greg Hoglund and Gary McGraw

Addison-Wesley 2004.
ISBN 0201786958. 448 pages. Index, references, appendix. $39.99

Sooner or later, it was bound to happen. Much has been published on how to defend your network, your web site, and so on. Some has been published on how to write secure code - although not enough or else not enough has been read, because the poorly written code still dominates the landscape. Now a book has been published that truly analyzes how exploit code is designed and written. We all a debt of gratitude to Aleph1 for "Smashing the Stack for Fun and Profit" (1996) for the detailed, step by step instructions. It pushed one more step beyond by explaining the why, not just the how of writing exploit code. There is a subtle, yet critical difference between instructions that are followed and an analysis that leads to the all important understanding. If one understands, then one can do another time without help. If one does not get it, one continues to simply follow what others produce.

Exploiting Software dives head first into the why. The explanations are a serious analysis of why software is vulnerable. This book has been rightfully called the mirror image of "Building Secure Software," another important book. It is not enough to be able to use other people's code to crack systems. The future belongs to those who understand how it works at the deeper levels and can use that understanding to write secure code or to write code that exploit insecure code.

Hoglund and McGraw are leading the way to the next phase of software. It is pretty clear that vendors, such as Microsoft, do not get it. They are no the only guilty parties, but their failures cause much of the suffering experienced over the past few years. The future lies at the level of code, not marketing. While profits are running high, the seeds of destruction are being sown. The destruction will be unleashed by those who understand the deepest level of code creation. We must think about the rapid expansion of a software infrastructure, which is based on quicksand. Sooner or later, the foundations will give way.

We have books that explain hacking. We have books that give us the theoretical aspects of software and security. We have books that tell us how to write software in a secure manner. Now we have a book that analyzes the methods of exploitation of what we build everyday. Software is what makes everything work. It is the creative side of technology fulfilling our imagination to brings dreams and nightmares into reality. It is an unfortunate truth that human nature is both good and evil. Software is no different. The only way to see that our technical future will be full of sunshine is to use our brains to learn about it.

This book is highly recommended. It is one of the important books of this year. If you are trying to decide whether software vendors are telling you the truth about their approach to security, you can find an approach that will help you. If you want to know how those pesky crackers keep breaking in, the answers are here. If you would like to see the underlying mechanisms for writing exploit code, look no further. Exploiting Software delivers where others have only promised.

The topics are covered in a meaningful way. Some of those are classics like the buffer overflow, other are reverse engineering, cross-site scripting and malicious input. The real kicker is that the book is cheap at $40 bucks. The content is worth much, much more. In my opinion books that move the discipline forward are important. This one is just that.

Original Review