Orange Bytes (newsletter of the North Orange County Computer Club)

Exploiting Software: How to Break Code, reviewed by Dave Keays, Orange Bytes; April 2005

This book, by Greg Hoglund and Gary McGraw, reads like a sequel to "Hacking Exposed" and will be just as popular in the worlds of programming, security, and quality assurance. (Actually, we programmers are in a different universe than network administrators and everybody else.) It explains why software flaws exist, how to test for them, and why we need to worry about them. Real-world examples are used to show how others have used these bugs maliciously.

A programmer will learn how to better sanitize user-provided input.

A network administrator will walk away knowing how to set up policies to prevent some of the more esoteric attacks. Someone in quality management will know better how to audit code for exploitable flaws.

Just like "Hacking Exposed", some people will worry that some of the information can be misused by a "Hacker." But the book isn't really any help to a script kiddie. If someone just wants a copy of an exploit that they can use without understanding it, they will be disappointed. They will find themselves too overwhelmed with all the details. This book is just too heavy for someone with that kind of thinking. It was written by a partnership of a gray-hat hacker and a white-hat from the academic world. This makes for a good mixture of theory and hands-on experience. While discussing a software flaw, the authors mention how one of the coauthors used that kind of flaw to his advantage.

The authors explain not only the basics involved in finding and using problems like buffer overflows or code injection to cause a problem with a program, but also how this can compromise a program that gets on the network. The book also explains how white-box and black-box testing can be used to figure out what the program is doing (not what it is supposed to do; you can read the marketing literature for that).

Most of the hacking books out there today focus on a specific side of security (network-based, social engineering, etc.). This book is all over the place and involves some very diverse audiences. Anyone who is involved with programming, network security, or quality assurance needs to read this book and see what not to do and how to do things well.

It starts off in the first chapter with a small introduction to some software mistakes that have touched us all (do you remember the Mars Rover?). Then it spends several chapters on code that trusts its users too much or gives them too many privileges. Then it goes on to reverse engineering, which will help you create a program's source code. The next two chapters cover programs that use the Internet, both on the server and the client side. Next it goes into what kind of user input can cause a problem. Finally, it spends three chapters on specific kinds of flaws: many different buffer overflows and rootkits.

It won't be long before this book is used as a college textbook (if it isn't already) while it's on some best-seller lists. Publisher: Addison-Wesley (Pearson Education), http://www.awprofessional.com; ISBN: 0-201-78695-8. MSRP: $49.99 USD. Other sources include Walmart: $32.49, Borders: $33.99 new & $25.39 used.
